From ad48df9793dfadd4c343a8cbd0f6e96a3a24afc8 Mon Sep 17 00:00:00 2001 
From: neutron
Date: Thu, 2 Aug 2018 14:04:23 -0400
Subject: [PATCH 1/6] creating new templates to make more modular in the future. added ip types added geo types added source and destination nat IPs better command line and process name analyzers
---
 .../output_templates/10-logs-all-default.json | 57 +++++
 .../50-logs-winevent-all.json | 153 ++++++++++++
 .../60-powershell-direct-template.json | 12 +
 .../60-winevent-application-template.json | 12 +
 .../60-winevent-powershell-template.json | 232 ++++++++++++++++++
 .../60-winevent-security-template.json | 19 ++
 .../60-winevent-sysmon-template.json | 26 ++
 .../60-winevent-system-template.json | 7 +
 .../60-winevent-wmiactivity-template.json | 7 +
 .../output_templates/82-logs-not-ip.json | 26 ++
 .../output_templates/91-logs-ip-dst-nat.json | 88 +++++++
 .../output_templates/91-logs-ip-dst.json | 88 +++++++
 .../output_templates/91-logs-ip-src-nat.json | 88 +++++++
 .../output_templates/91-logs-ip-src.json | 88 +++++++
 .../93-logs-ipv6-dst-nat.json | 88 +++++++
 .../output_templates/93-logs-ipv6-dst.json | 88 +++++++
 .../93-logs-ipv6-src-nat.json | 88 +++++++
 .../output_templates/93-logs-ipv6-src.json | 88 +++++++
 .../output_templates/99-logs-any-fields.json | 26 ++
 .../powershell-direct-template.json | 29 ---
 .../winevent-application-template.json | 29 ---
 .../winevent-security-template.json | 37 ---
 .../winevent-sysmon-template.json | 50 ----
 .../winevent-system-template.json | 28 ---
 .../winevent-wmiactivity-template.json | 29 ---
 25 files changed, 1281 insertions(+), 202 deletions(-)
 create mode 100644 helk-logstash/output_templates/10-logs-all-default.json
 create mode 100644 helk-logstash/output_templates/50-logs-winevent-all.json
 create mode 100644 helk-logstash/output_templates/60-powershell-direct-template.json
 create mode 100644 helk-logstash/output_templates/60-winevent-application-template.json
 create mode 100644 helk-logstash/output_templates/60-winevent-powershell-template.json
 create mode 100644 helk-logstash/output_templates/60-winevent-security-template.json
 create mode 100644 helk-logstash/output_templates/60-winevent-sysmon-template.json
 create mode 100644 helk-logstash/output_templates/60-winevent-system-template.json
 create mode 100644 helk-logstash/output_templates/60-winevent-wmiactivity-template.json
 create mode 100644 helk-logstash/output_templates/82-logs-not-ip.json
 create mode 100644 helk-logstash/output_templates/91-logs-ip-dst-nat.json
 create mode 100644 helk-logstash/output_templates/91-logs-ip-dst.json
 create mode 100644 helk-logstash/output_templates/91-logs-ip-src-nat.json
 create mode 100644 helk-logstash/output_templates/91-logs-ip-src.json
 create mode 100644 helk-logstash/output_templates/93-logs-ipv6-dst-nat.json
 create mode 100644 helk-logstash/output_templates/93-logs-ipv6-dst.json
 create mode 100644 helk-logstash/output_templates/93-logs-ipv6-src-nat.json
 create mode 100644 helk-logstash/output_templates/93-logs-ipv6-src.json
 create mode 100644 helk-logstash/output_templates/99-logs-any-fields.json
 delete mode 100644 helk-logstash/output_templates/powershell-direct-template.json
 delete mode 100644 helk-logstash/output_templates/winevent-application-template.json
 delete mode 100644 helk-logstash/output_templates/winevent-security-template.json
 delete mode 100644 helk-logstash/output_templates/winevent-sysmon-template.json
 delete mode 100644 helk-logstash/output_templates/winevent-system-template.json
 delete mode 100644 helk-logstash/output_templates/winevent-wmiactivity-template.json
diff --git a/helk-logstash/output_templates/10-logs-all-default.json b/helk-logstash/output_templates/10-logs-all-default.json
new file mode 100644
index 00000000..bb532509
--- /dev/null
+++ b/helk-logstash/output_templates/10-logs-all-default.json
@@ -0,0 +1,57 @@
+{
+ "order": 10,
+ "index_patterns": [ "logs-*" ],
+ "version": 2018080201,
+ "settings": {
+ "index": {
+ "mapping": {
+ "ignore_malformed": true,
+ "total_fields.limit": "1000",
+ "coerce": true
+ }
+ },
+ "refresh_interval": "30s"
+ },
+ "mappings": {
+ "_doc": {
+ "dynamic": "true",
+ "dynamic_templates": [
+ {
+ "strings": {
+ "match_mapping_type": "string",
+ "mapping": {
+ "type": "text",
+ "norms": false,
+ "fields": {
+ "keyword": {
+ "type": "keyword",
+ "ignore_above": 1024
+ }
+ }
+ }
+ }
+ }
+ ],
+ "properties": {
+ "@timestamp": {
+ "type": "date"
+ },
+ "@version": {
+ "type": "keyword"
+ },
+ "log_ingest_timestamp": {
+ "type": "date"
+ },
+ "z_logstash_type": {
+ "enabled": false
+ },
+ "z_original_message": {
+ "enabled": false
+ },
+ "z_logstash_pipeline": {
+ "enabled": false
+ }
+ }
+ }
+ }
+}
diff --git a/helk-logstash/output_templates/50-logs-winevent-all.json b/helk-logstash/output_templates/50-logs-winevent-all.json
new file mode 100644
index 00000000..5fd5825d
--- /dev/null
+++ b/helk-logstash/output_templates/50-logs-winevent-all.json
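Review bot: `"ignore_malformed": true` under settings.index.mapping makes every field on every `logs-*` index drop, rather than reject, a value that fails to parse, so an event whose `event_id`, `@timestamp` or `ip`-typed address carries an unexpected value is indexed without that field and silently vanishes from any detection keyed on it. That is a defensible choice for a log pipeline, but it should be deliberate and observable: keep a Logstash-side parse-failure tag, and on Elasticsearch versions that expose it alert on the `_ignored` meta-field so the drops are counted. Since a JSON template cannot carry comments, record the trade-off next to the `coerce`/`ignore_malformed` pair in the output_templates README or the pipeline config that loads this template.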
@@ -0,0 +1,153 @@
+{
+ "order": 50,
+ "index_patterns": [ "logs-endpoint-winevent-*" ],
+ "version": 2018080101,
+ "settings": {
+ "analysis": {
+ "analyzer": {
+ "cli_n_file_analyzer": {
+ "type": "custom",
+ "filter": [ "case_change_only_delim_filter", "three_or_more_tokenizer_limit_filter", "cli_n_file_word_delim_filter", "two_or_more_tokenizer_limit_filter", "lowercase", "unique" ],
+ "tokenizer": "standard"
+ }
+ },
+ "filter": {
+ "cli_n_file_word_delim_filter": {
+ "type": "word_delimiter",
+ "generate_word_parts": true,
+ "split_on_case_change": true,
+ "split_on_numerics": false,
+ "stem_english_possessive": false,
+ "generate_number_parts": true,
+ "preserve_original": true
+ },
+ "case_change_only_delim_filter": {
+ "type": "word_delimiter",
+ "generate_word_parts": true,
+ "split_on_case_change": true,
+ "split_on_numerics": false,
+ "stem_english_possessive": false,
+ "generate_number_parts": false,
+ "preserve_original": true
+ },
+ "two_or_more_tokenizer_limit_filter": {
+ "type": "length",
+ "min": 2
+ },
+ "three_or_more_tokenizer_limit_filter": {
+ "type": "length",
+ "min": 3
+ }
+ },
+ "normalizer": {
+ "lowercase_normalizer": {
+ "type": "custom",
+ "char_filter": [ ],
+ "filter": [ "lowercase" ]
+ }
+ }
+ },
+ "index": {
+ "mapping": {
+ "total_fields.limit": "3000"
+ }
+ },
+ "refresh_interval": "30s"
+ },
+ "mappings": {
+ "_doc":{
+ "properties":{
+ "process_id":{"type":"integer"},
+ "event_id":{"type":"integer"},
+ "file_name": {
+ "type": "text",
+ "norms": false,
+ "analyzer": "cli_n_file_analyzer",
+ "fields": {
+ "keyword": {
+ "ignore_above": 7500,
+ "type": "keyword"
+ }
+ }
+ },
+ "logon_process_name": {
+ "type": "text",
+ "norms": false,
+ "analyzer": "cli_n_file_analyzer",
+ "fields": {
+ "keyword": {
+ "ignore_above": 7500,
+ "type": "keyword"
+ }
+ }
+ },
+ "object_name": {
+ "type": "text",
+ "norms": false,
+ "analyzer": "cli_n_file_analyzer",
+ "fields": {
+ "keyword": {
+ "ignore_above": 7500,
+ "type": "keyword"
+ }
+ }
+ },
+ "process_command_line": {
+ "type": "text",
+ "norms": false,
+ "analyzer": "cli_n_file_analyzer",
+ "fields": {
+ "keyword": {
+ "ignore_above": 7500,
+ "type": "keyword"
+ }
+ }
+ },
+ "process_current_directory": {
+ "type": "text",
+ "norms": false,
+ "analyzer": "cli_n_file_analyzer",
+ "fields": {
+ "keyword": {
+ "ignore_above": 7500,
+ "type": "keyword"
+ }
+ }
+ },
+ "process_parent_path": {
+ "type": "text",
+ "norms": false,
+ "analyzer": "cli_n_file_analyzer",
+ "fields": {
+ "keyword": {
+ "ignore_above": 7500,
+ "type": "keyword"
+ }
+ }
+ },
+ "process_parent_command_line": {
+ "type": "text",
+ "norms": false,
+ "analyzer": "cli_n_file_analyzer",
+ "fields": {
+ "keyword": {
+ "ignore_above": 7500,
+ "type": "keyword"
+ }
+ }
+ },
+ "process_path": {
+ "type": "text",
+ "norms": false,
+ "analyzer": "cli_n_file_analyzer",
+ "fields": {
+ "keyword": {
+ "ignore_above": 7500,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/helk-logstash/output_templates/60-powershell-direct-template.json b/helk-logstash/output_templates/60-powershell-direct-template.json
new file mode 100644
index 00000000..50880362
--- /dev/null
+++ b/helk-logstash/output_templates/60-powershell-direct-template.json
@@ -0,0 +1,12 @@
+{
+ "order": 60,
+ "index_patterns" : "logs-endpoint-powershell-direct-*",
+ "version": 2018080101,
+ "mappings":{
+ "_doc":{
+ "properties":{
+ "process_id":{"type":"integer"}
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/helk-logstash/output_templates/60-winevent-application-template.json b/helk-logstash/output_templates/60-winevent-application-template.json
new file mode 100644
index 00000000..3e05170f
--- /dev/null
+++ b/helk-logstash/output_templates/60-winevent-application-template.json
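Review bot: `cli_n_file_analyzer` drives two `word_delimiter` filters from the `standard` tokenizer, but the standard tokenizer already splits on backslashes, slashes, colons and hyphens before any filter runs, so `preserve_original: true` can never emit a whole path or a complete `Drive:\dir\file` token; Elasticsearch's own guidance is to pair `word_delimiter` with the `whitespace` (or `keyword`) tokenizer, i.e. `"tokenizer": "whitespace"`. Separately, the trailing `unique` filter removes repeated tokens across the whole stream, so phrase and proximity queries on `process_command_line` and `process_parent_command_line` will miss command lines that repeat a token, such as a nested interpreter invocation; if only the same-position duplicates produced by `preserve_original` are meant, configure it as a custom filter with `"only_on_same_position": true` or drop it. Both points apply to every `text` field in this hunk that names the analyzer.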
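Review bot: `"index_patterns" : "logs-endpoint-powershell-direct-*"` is a bare string while the sibling templates in this commit use a one-element array; Elasticsearch accepts both, but the mixed form invites a mistake the first time a second pattern is added. The same string form is in 60-winevent-security-template.json in this patch. Use `"index_patterns": [ "logs-endpoint-powershell-direct-*" ],` so all templates read alike.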
@@ -0,0 +1,12 @@
+{
+ "order": 60,
+ "index_patterns": [ "logs-endpoint-winevent-application-*" ],
+ "version": 2018080101,
+ "mappings":{
+ "_doc":{
+ "properties":{
+ "spp_restart_scheduled":{"type":"date"}
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/helk-logstash/output_templates/60-winevent-powershell-template.json b/helk-logstash/output_templates/60-winevent-powershell-template.json
new file mode 100644
index 00000000..9eff63a5
--- /dev/null
+++ b/helk-logstash/output_templates/60-winevent-powershell-template.json
@@ -0,0 +1,232 @@
+{
+ "order": 60,
+ "index_patterns": [ "logs-endpoint-winevent-powershell-*" ],
+ "version": 2018080201,
+ "mappings":{
+ "_doc": {
+ "properties": {
+ "powershell": {
+ "dynamic": "false",
+ "properties": {
+ "command": {
+ "properties": {
+ "name": {
+ "type": "text",
+ "norms": false,
+ "analyzer": "standard",
+ "fields": {
+ "keyword": {
+ "type": "keyword"
+ }
+ }
+ },
+ "line": {
+ "type": "text",
+ "norms": false,
+ "analyzer": "standard",
+ "fields": {
+ "keyword": {
+ "type": "keyword"
+ }
+ }
+ },
+ "path": {
+ "type": "text",
+ "norms": false,
+ "analyzer": "standard",
+ "fields": {
+ "keyword": {
+ "type": "keyword"
+ }
+ }
+ },
+ "type": {
+ "type": "text",
+ "norms": false,
+ "analyzer": "standard",
+ "fields": {
+ "keyword": {
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "connected_user": {
+ "type": "text",
+ "norms": false,
+ "analyzer": "standard",
+ "fields": {
+ "keyword": {
+ "type": "keyword"
+ }
+ }
+ },
+ "param": {
+ "properties": {
+ "name": {
+ "type": "text",
+ "norms": false,
+ "analyzer": "standard",
+ "fields": {
+ "keyword": {
+ "type": "keyword"
+ }
+ }
+ },
+ "value": {
+ "type": "text",
+ "norms": false,
+ "analyzer": "standard",
+ "fields": {
+ "keyword": {
+ "type": "keyword"
+ }
+ }
+ },
+ "value_nonalphanumeric": {
+ "type": "keyword"
+ }
+ }
+ },
+ "pipeline_id": {
+ "type": "integer"
+ },
+ "remaining_payload": {
+ "type": "text",
+ "norms": false,
+ "analyzer": "standard",
+ "fields": {
+ "keyword": {
+ "type": "keyword"
+ }
+ }
+ },
+ "runspace_id": {
+ "type": "keyword"
+ },
+ "scriptblock": {
+ "properties": {
+ "id": {
+ "type": "keyword"
+ },
+ "message_number": {
+ "type": "keyword"
+ },
+ "message_total": {
+ "type": "keyword"
+ },
+ "text": {
+ "type": "text",
+ "norms": false,
+ "analyzer": "standard",
+ "fields": {
+ "keyword": {
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "sequence_number": {
+ "type": "integer"
+ },
+ "shell_id": {
+ "type": "keyword"
+ },
+ "script": {
+ "properties": {
+ "name": {
+ "type": "text",
+ "norms": false,
+ "analyzer": "standard",
+ "fields": {
+ "keyword": {
+ "type": "keyword"
+ }
+ }
+ },
+ "path": {
+ "type": "text",
+ "norms": false,
+ "analyzer": "standard",
+ "fields": {
+ "keyword": {
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "host": {
+ "properties": {
+ "application": {
+ "type": "text",
+ "norms": false,
+ "analyzer": "standard",
+ "fields": {
+ "keyword": {
+ "type": "keyword"
+ }
+ }
+ },
+ "name": {
+ "type": "keyword"
+ },
+ "version": {
+ "type": "keyword"
+ },
+ "id": {
+ "type": "keyword"
+ }
+ }
+ },
+ "engine_version": {
+ "type": "keyword"
+ },
+ "newproviderstate": {
+ "type": "text",
+ "norms": false,
+ "analyzer": "standard",
+ "fields": {
+ "keyword": {
+ "type": "keyword"
+ }
+ }
+ },
+ "providername": {
+ "type": "text",
+ "norms": false,
+ "analyzer": "standard",
+ "fields": {
+ "keyword": {
+ "type": "keyword"
+ }
+ }
+ },
+ "newengine_state": {
+ "type": "text",
+ "norms": false,
+ "analyzer": "standard",
+ "fields": {
+ "keyword": {
+ "type": "keyword"
+ }
+ }
+ },
+ "previousengine_state": {
+ "type": "text",
+ "norms": false,
+ "analyzer": "standard",
+ "fields": {
+ "keyword": {
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/helk-logstash/output_templates/60-winevent-security-template.json b/helk-logstash/output_templates/60-winevent-security-template.json
new file mode 100644
index 00000000..1659e852
--- /dev/null
+++ b/helk-logstash/output_templates/60-winevent-security-template.json
@@ -0,0 +1,19 @@
+{
+ "order": 60,
+ "index_patterns": "logs-endpoint-winevent-security-*",
+ "version": 2018080101,
+ "mappings":{
+ "_doc":{
+ "properties":{
+ "@date_new_time":{"type":"date"},
+ "@date_previous_time":{"type":"date"},
+ "target_process_id":{"type":"integer"},
+ "process_parent_id":{"type":"integer"},
+ "user_session_id":{"type":"integer"},
+ "src_port":{"type":"integer"},
+ "dst_port":{"type":"integer"},
+ "version":{"type":"integer"}
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/helk-logstash/output_templates/60-winevent-sysmon-template.json b/helk-logstash/output_templates/60-winevent-sysmon-template.json
new file mode 100644
index 00000000..a4616216
--- /dev/null
+++ b/helk-logstash/output_templates/60-winevent-sysmon-template.json
@@ -0,0 +1,26 @@
+{
+ "order": 60,
+ "index_patterns": [ "logs-endpoint-winevent-sysmon-*" ],
+ "version": 2018080101,
+ "settings": {
+ "index.refresh_interval": "5s"
+ },
+ "mappings":{
+ "_doc":{
+ "properties":{
+ "@date_creation":{"type":"date"},
+ "@date_creation_previous":{"type":"date"},
+ "dst_port":{"type":"integer"},
+ "src_port":{"type":"integer"},
+ "network_initiated":{"type":"boolean"},
+ "thread_new_id":{"type":"integer"},
+ "module_signed":{"type":"boolean"},
+ "process_parent_id":{"type":"integer"},
+ "target_process_id":{"type":"integer"},
+ "user_session_id":{"type":"integer"},
+ "thread_id":{"type":"integer"},
+ "version":{"type":"integer"}
+ }
+ }
+ }
+}
diff --git a/helk-logstash/output_templates/60-winevent-system-template.json b/helk-logstash/output_templates/60-winevent-system-template.json
new file mode 100644
index 00000000..3f9ad0d7
--- /dev/null
+++ b/helk-logstash/output_templates/60-winevent-system-template.json
@@ -0,0 +1,7 @@
+{
+ "order": 60,
+ "index_patterns": [ "logs-endpoint-winevent-system-*" ],
+ "version": 2018080101,
+ "mappings":{
+ }
+}
\ No newline at end of file
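Review bot: `"settings": { "index.refresh_interval": "5s" }` in the sysmon template overrides the `30s` that the order-10 and order-50 templates set for `logs-endpoint-winevent-*`, because the order-60 template wins where they overlap, so the highest-volume source in the stack refreshes six times as often as everything else. If the faster refresh is intentional for Sysmon, document it alongside the template; if it is a leftover from the deleted winevent-sysmon-template.json, which carried the same `5s`, drop the `settings` block so the shared value applies.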
diff --git a/helk-logstash/output_templates/60-winevent-wmiactivity-template.json b/helk-logstash/output_templates/60-winevent-wmiactivity-template.json
new file mode 100644
index 00000000..66f63559
--- /dev/null
+++ b/helk-logstash/output_templates/60-winevent-wmiactivity-template.json
@@ -0,0 +1,7 @@
+{
+ "order": 60,
+ "index_patterns": [ "logs-endpoint-winevent-wmiactivity-*" ],
+ "version": 2018080101,
+ "mappings":{
+ }
+}
diff --git a/helk-logstash/output_templates/82-logs-not-ip.json b/helk-logstash/output_templates/82-logs-not-ip.json
new file mode 100644
index 00000000..792353dc
--- /dev/null
+++ b/helk-logstash/output_templates/82-logs-not-ip.json
@@ -0,0 +1,26 @@
+{
+ "order": 82,
+ "index_patterns": [ "logs-*" ],
+ "version": 2018080101,
+ "mappings": {
+ "_doc": {
+ "properties": {
+ "not_ip_dst": {
+ "type": "keyword"
+ },
+ "not_ip_dst_nat": {
+ "type": "keyword"
+ },
+ "not_ip_log": {
+ "type": "keyword"
+ },
+ "not_ip_src": {
+ "type": "keyword"
+ },
+ "not_ip_src_nat": {
+ "type": "keyword"
+ }
+ }
+ }
+ }
+}
diff --git a/helk-logstash/output_templates/91-logs-ip-dst-nat.json b/helk-logstash/output_templates/91-logs-ip-dst-nat.json
new file mode 100644
index 00000000..278f5ed9
--- /dev/null
+++ b/helk-logstash/output_templates/91-logs-ip-dst-nat.json
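Review bot: The five `not_ip_*` keyword fields in 82-logs-not-ip.json presumably receive whatever string the pipeline could not parse as an address, that is, arbitrary log-supplied text, yet none of them sets `ignore_above`, while the rest of this commit caps keyword copies at 1024 or 7500 characters. An oversize value here can exceed Lucene's single-term limit and reject the whole event; `"ignore_above": 1024` on each would match the dynamic-string mapping in 10-logs-all-default.json.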
@@ -0,0 +1,88 @@
+{
+ "order": 91,
+ "index_patterns": [ "logs-*" ],
+ "version": 2018052301,
+ "mappings": {
+ "_doc": {
+ "properties": {
+ "dst_nat_ip_addr": {
+ "type": "ip",
+ "copy_to": "any_ip_addr"
+ },
+ "dst_nat_ip_public": {
+ "type": "boolean",
+ "doc_values": false
+ },
+ "dst_nat_ip_type": {
+ "type": "keyword"
+ },
+ "meta_dst_nat_ip_geo": {
+ "properties": {
+ "asn": {
+ "type": "integer",
+ "copy_to": "any_ip_geo.asn"
+ },
+ "as_org": {
+ "type": "text",
+ "norms": false,
+ "copy_to": "any_ip_geo.as_org",
+ "fields": {
+ "keyword": {
+ "type": "keyword",
+ "eager_global_ordinals": true
+ }
+ }
+ },
+ "country_code2": {
+ "type": "keyword"
+ },
+ "country_code3": {
+ "type": "keyword"
+ },
+ "country_name": {
+ "type": "keyword"
+ },
+ "continent_code": {
+ "type": "keyword"
+ },
+ "region_code": {
+ "type": "keyword"
+ },
+ "region_name": {
+ "type": "keyword"
+ },
+ "city_name": {
+ "type": "keyword"
+ },
+ "postal_code": {
+ "type": "keyword"
+ },
+ "latitude": {
+ "type": "keyword",
+ "index": false,
+ "doc_values": false
+ },
+ "longitude": {
+ "type": "keyword",
+ "index": false,
+ "doc_values": false
+ },
+ "dma_code": {
+ "type": "integer"
+ },
+ "area_code": {
+ "type": "integer"
+ },
+ "timezone": {
+ "type": "keyword",
+ "index": false
+ },
+ "location": {
+ "type": "geo_point"
+ }
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/helk-logstash/output_templates/91-logs-ip-dst.json b/helk-logstash/output_templates/91-logs-ip-dst.json
new file mode 100644
index 00000000..8137e615
--- /dev/null
+++ b/helk-logstash/output_templates/91-logs-ip-dst.json
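Review bot: `meta_dst_nat_ip_geo.asn` is mapped as `integer`, which in Elasticsearch is a signed 32-bit type with a maximum of 2147483647, but autonomous system numbers are 32-bit unsigned and 4-byte ASNs above 2^31 are in real use (the private range 4200000000-4294967294 among them); with `index.mapping.ignore_malformed: true` inherited from 10-logs-all-default.json such a value is silently dropped rather than rejected, and the `copy_to` into `any_ip_geo.asn` is lost with it. Change it to `"type": "long"` here and in the seven sibling templates that repeat the same block (91-logs-ip-dst.json, 91-logs-ip-src-nat.json, 91-logs-ip-src.json, 93-logs-ipv6-dst-nat.json, 93-logs-ipv6-dst.json, 93-logs-ipv6-src-nat.json, 93-logs-ipv6-src.json), and widen the `any_ip_geo.asn` target in 99-logs-any-fields.json to match, otherwise the copy is the value that gets dropped.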
@@ -0,0 +1,88 @@
+{
+ "order": 91,
+ "index_patterns": [ "logs-*" ],
+ "version": 2018052301,
+ "mappings": {
+ "_doc": {
+ "properties": {
+ "dst_ip_addr": {
+ "type": "ip",
+ "copy_to": "any_ip_addr"
+ },
+ "dst_ip_public": {
+ "type": "boolean",
+ "doc_values": false
+ },
+ "dst_ip_type": {
+ "type": "keyword"
+ },
+ "meta_dst_ip_geo": {
+ "properties": {
+ "asn": {
+ "type": "integer",
+ "copy_to": "any_ip_geo.asn"
+ },
+ "as_org": {
+ "type": "text",
+ "norms": false,
+ "copy_to": "any_ip_geo.as_org",
+ "fields": {
+ "keyword": {
+ "type": "keyword",
+ "eager_global_ordinals": true
+ }
+ }
+ },
+ "country_code2": {
+ "type": "keyword"
+ },
+ "country_code3": {
+ "type": "keyword"
+ },
+ "country_name": {
+ "type": "keyword"
+ },
+ "continent_code": {
+ "type": "keyword"
+ },
+ "region_code": {
+ "type": "keyword"
+ },
+ "region_name": {
+ "type": "keyword"
+ },
+ "city_name": {
+ "type": "keyword"
+ },
+ "postal_code": {
+ "type": "keyword"
+ },
+ "latitude": {
+ "type": "keyword",
+ "index": false,
+ "doc_values": false
+ },
+ "longitude": {
+ "type": "keyword",
+ "index": false,
+ "doc_values": false
+ },
+ "dma_code": {
+ "type": "integer"
+ },
+ "area_code": {
+ "type": "integer"
+ },
+ "timezone": {
+ "type": "keyword",
+ "index": false
+ },
+ "location": {
+ "type": "geo_point"
+ }
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/helk-logstash/output_templates/91-logs-ip-src-nat.json b/helk-logstash/output_templates/91-logs-ip-src-nat.json
new file mode 100644
index 00000000..1f6ac226
--- /dev/null
+++ b/helk-logstash/output_templates/91-logs-ip-src-nat.json
@@ -0,0 +1,88 @@
+{
+ "order": 91,
+ "index_patterns": [ "logs-*" ],
+ "version": 2018052301,
+ "mappings": {
+ "_doc": {
+ "properties": {
+ "src_nat_ip_addr": {
+ "type": "ip",
+ "copy_to": "any_ip_addr"
+ },
+ "src_nat_ip_public": {
+ "type": "boolean",
+ "doc_values": false
+ },
+ "src_nat_ip_type": {
+ "type": "keyword"
+ },
+ "meta_src_nat_ip_geo": {
+ "properties": {
+ "asn": {
+ "type": "integer",
+ "copy_to": "any_ip_geo.asn"
+ },
+ "as_org": {
+ "type": "text",
+ "norms": false,
+ "copy_to": "any_ip_geo.as_org",
+ "fields": {
+ "keyword": {
+ "type": "keyword",
+ "eager_global_ordinals": true
+ }
+ }
+ },
+ "country_code2": {
+ "type": "keyword"
+ },
+ "country_code3": {
+ "type": "keyword"
+ },
+ "country_name": {
+ "type": "keyword"
+ },
+ "continent_code": {
+ "type": "keyword"
+ },
+ "region_code": {
+ "type": "keyword"
+ },
+ "region_name": {
+ "type": "keyword"
+ },
+ "city_name": {
+ "type": "keyword"
+ },
+ "postal_code": {
+ "type": "keyword"
+ },
+ "latitude": {
+ "type": "keyword",
+ "index": false,
+ "doc_values": false
+ },
+ "longitude": {
+ "type": "keyword",
+ "index": false,
+ "doc_values": false
+ },
+ "dma_code": {
+ "type": "integer"
+ },
+ "area_code": {
+ "type": "integer"
+ },
+ "timezone": {
+ "type": "keyword",
+ "index": false
+ },
+ "location": {
+ "type": "geo_point"
+ }
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/helk-logstash/output_templates/91-logs-ip-src.json b/helk-logstash/output_templates/91-logs-ip-src.json
new file mode 100644
index 00000000..a1634b70
--- /dev/null
+++ b/helk-logstash/output_templates/91-logs-ip-src.json
@@ -0,0 +1,88 @@
+{
+ "order": 91,
+ "index_patterns": [ "logs-*" ],
+ "version": 2018052301,
+ "mappings": {
+ "_doc": {
+ "properties": {
+ "src_ip_addr": {
+ "type": "ip",
+ "copy_to": "any_ip_addr"
+ },
+ "src_ip_public": {
+ "type": "boolean",
+ "doc_values": false
+ },
+ "src_ip_type": {
+ "type": "keyword"
+ },
+ "meta_src_ip_geo": {
+ "properties": {
+ "asn": {
+ "type": "integer",
+ "copy_to": "any_ip_geo.asn"
+ },
+ "as_org": {
+ "type": "text",
+ "norms": false,
+ "copy_to": "any_ip_geo.as_org",
+ "fields": {
+ "keyword": {
+ "type": "keyword",
+ "eager_global_ordinals": true
+ }
+ }
+ },
+ "country_code2": {
+ "type": "keyword"
+ },
+ "country_code3": {
+ "type": "keyword"
+ },
+ "country_name": {
+ "type": "keyword"
+ },
+ "continent_code": {
+ "type": "keyword"
+ },
+ "region_code": {
+ "type": "keyword"
+ },
+ "region_name": {
+ "type": "keyword"
+ },
+ "city_name": {
+ "type": "keyword"
+ },
+ "postal_code": {
+ "type": "keyword"
+ },
+ "latitude": {
+ "type": "keyword",
+ "index": false,
+ "doc_values": false
+ },
+ "longitude": {
+ "type": "keyword",
+ "index": false,
+ "doc_values": false
+ },
+ "dma_code": {
+ "type": "integer"
+ },
+ "area_code": {
+ "type": "integer"
+ },
+ "timezone": {
+ "type": "keyword",
+ "index": false
+ },
+ "location": {
+ "type": "geo_point"
+ }
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/helk-logstash/output_templates/93-logs-ipv6-dst-nat.json b/helk-logstash/output_templates/93-logs-ipv6-dst-nat.json
new file mode 100644
index 00000000..b71caada
--- /dev/null
+++ b/helk-logstash/output_templates/93-logs-ipv6-dst-nat.json
@@ -0,0 +1,88 @@
+{
+ "order": 91,
+ "index_patterns": [ "logs-*" ],
+ "version": 2018080101,
+ "mappings": {
+ "_doc": {
+ "properties": {
+ "dst_nat_ipv6_addr": {
+ "type": "ip",
+ "copy_to": "any_ip_addr"
+ },
+ "dst_nat_ipv6_public": {
+ "type": "boolean",
+ "doc_values": false
+ },
+ "dst_nat_ipv6_type": {
+ "type": "keyword"
+ },
+ "meta_dst_nat_ipv6_geo": {
+ "properties": {
+ "asn": {
+ "type": "integer",
+ "copy_to": "any_ip_geo.asn"
+ },
+ "as_org": {
+ "type": "text",
+ "norms": false,
+ "copy_to": "any_ip_geo.as_org",
+ "fields": {
+ "keyword": {
+ "type": "keyword",
+ "eager_global_ordinals": true
+ }
+ }
+ },
+ "country_code2": {
+ "type": "keyword"
+ },
+ "country_code3": {
+ "type": "keyword"
+ },
+ "country_name": {
+ "type": "keyword"
+ },
+ "continent_code": {
+ "type": "keyword"
+ },
+ "region_code": {
+ "type": "keyword"
+ },
+ "region_name": {
+ "type": "keyword"
+ },
+ "city_name": {
+ "type": "keyword"
+ },
+ "postal_code": {
+ "type": "keyword"
+ },
+ "latitude": {
+ "type": "keyword",
+ "index": false,
+ "doc_values": false
+ },
+ "longitude": {
+ "type": "keyword",
+ "index": false,
+ "doc_values": false
+ },
+ "dma_code": {
+ "type": "integer"
+ },
+ "area_code": {
+ "type": "integer"
+ },
+ "timezone": {
+ "type": "keyword",
+ "index": false
+ },
+ "location": {
+ "type": "geo_point"
+ }
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/helk-logstash/output_templates/93-logs-ipv6-dst.json b/helk-logstash/output_templates/93-logs-ipv6-dst.json
new file mode 100644
index 00000000..be703c5c
--- /dev/null
+++ b/helk-logstash/output_templates/93-logs-ipv6-dst.json
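Review bot: `"order": 91` does not match the `93-` prefix of this file's name, and the same mismatch appears in 93-logs-ipv6-dst.json, 93-logs-ipv6-src-nat.json and 93-logs-ipv6-src.json; the numeric prefix is evidently the convention for template precedence in output_templates, so the two should stay in step, either `"order": 93,` or a `91-` file name. Today the four IPv6 templates define fields that no other template touches, so the wrong value is harmless, but the first shared setting added to one of them would be resolved against the IPv4 templates at equal order rather than after them, which is not what the file name promises.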
@@ -0,0 +1,88 @@
+{
+ "order": 91,
+ "index_patterns": [ "logs-*" ],
+ "version": 2018080101,
+ "mappings": {
+ "_doc": {
+ "properties": {
+ "dst_ipv6_addr": {
+ "type": "ip",
+ "copy_to": "any_ip_addr"
+ },
+ "dst_ipv6_public": {
+ "type": "boolean",
+ "doc_values": false
+ },
+ "dst_ipv6_type": {
+ "type": "keyword"
+ },
+ "meta_dst_ipv6_geo": {
+ "properties": {
+ "asn": {
+ "type": "integer",
+ "copy_to": "any_ip_geo.asn"
+ },
+ "as_org": {
+ "type": "text",
+ "norms": false,
+ "copy_to": "any_ip_geo.as_org",
+ "fields": {
+ "keyword": {
+ "type": "keyword",
+ "eager_global_ordinals": true
+ }
+ }
+ },
+ "country_code2": {
+ "type": "keyword"
+ },
+ "country_code3": {
+ "type": "keyword"
+ },
+ "country_name": {
+ "type": "keyword"
+ },
+ "continent_code": {
+ "type": "keyword"
+ },
+ "region_code": {
+ "type": "keyword"
+ },
+ "region_name": {
+ "type": "keyword"
+ },
+ "city_name": {
+ "type": "keyword"
+ },
+ "postal_code": {
+ "type": "keyword"
+ },
+ "latitude": {
+ "type": "keyword",
+ "index": false,
+ "doc_values": false
+ },
+ "longitude": {
+ "type": "keyword",
+ "index": false,
+ "doc_values": false
+ },
+ "dma_code": {
+ "type": "integer"
+ },
+ "area_code": {
+ "type": "integer"
+ },
+ "timezone": {
+ "type": "keyword",
+ "index": false
+ },
+ "location": {
+ "type": "geo_point"
+ }
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/helk-logstash/output_templates/93-logs-ipv6-src-nat.json b/helk-logstash/output_templates/93-logs-ipv6-src-nat.json
new file mode 100644
index 00000000..4d4eda0c
--- /dev/null
+++ b/helk-logstash/output_templates/93-logs-ipv6-src-nat.json
@@ -0,0 +1,88 @@
+{
+ "order": 91,
+ "index_patterns": [ "logs-*" ],
+ "version": 2018080101,
+ "mappings": {
+ "_doc": {
+ "properties": {
+ "ipv6_src_nat_addr": {
+ "type": "ip",
+ "copy_to": "any_ip_addr"
+ },
+ "ipv6_src_nat_public": {
+ "type": "boolean",
+ "doc_values": false
+ },
+ "ipv6_src_nat_type": {
+ "type": "keyword"
+ },
+ "meta_src_nat_ipv6_geo": {
+ "properties": {
+ "asn": {
+ "type": "integer",
+ "copy_to": "any_ip_geo.asn"
+ },
+ "as_org": {
+ "type": "text",
+ "norms": false,
+ "copy_to": "any_ip_geo.as_org",
+ "fields": {
+ "keyword": {
+ "type": "keyword",
+ "eager_global_ordinals": true
+ }
+ }
+ },
+ "country_code2": {
+ "type": "keyword"
+ },
+ "country_code3": {
+ "type": "keyword"
+ },
+ "country_name": {
+ "type": "keyword"
+ },
+ "continent_code": {
+ "type": "keyword"
+ },
+ "region_code": {
+ "type": "keyword"
+ },
+ "region_name": {
+ "type": "keyword"
+ },
+ "city_name": {
+ "type": "keyword"
+ },
+ "postal_code": {
+ "type": "keyword"
+ },
+ "latitude": {
+ "type": "keyword",
+ "index": false,
+ "doc_values": false
+ },
+ "longitude": {
+ "type": "keyword",
+ "index": false,
+ "doc_values": false
+ },
+ "dma_code": {
+ "type": "integer"
+ },
+ "area_code": {
+ "type": "integer"
+ },
+ "timezone": {
+ "type": "keyword",
+ "index": false
+ },
+ "location": {
+ "type": "geo_point"
+ }
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/helk-logstash/output_templates/93-logs-ipv6-src.json b/helk-logstash/output_templates/93-logs-ipv6-src.json
new file mode 100644
index 00000000..930a1f10
--- /dev/null
+++ b/helk-logstash/output_templates/93-logs-ipv6-src.json
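Review bot: The three top-level fields here are named `ipv6_src_nat_addr`, `ipv6_src_nat_public` and `ipv6_src_nat_type`, but every other template in this commit puts the direction first (`dst_nat_ipv6_addr`, `src_ipv6_addr`, `src_nat_ip_addr`) and this file's own geo object follows that convention (`meta_src_nat_ipv6_geo`). A pipeline that emits `src_nat_ipv6_addr` by analogy with the other seven files will fall through to the order-10 dynamic string mapping instead of the `ip` type, and the `copy_to` into `any_ip_addr` will not happen, so the value is invisible to any query on the shared field. Rename them to `src_nat_ipv6_addr`, `src_nat_ipv6_public` and `src_nat_ipv6_type`.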
@@ -0,0 +1,88 @@
+{
+ "order": 91,
+ "index_patterns": [ "logs-*" ],
+ "version": 2018080101,
+ "mappings": {
+ "_doc": {
+ "properties": {
+ "src_ipv6_addr": {
+ "type": "ip",
+ "copy_to": "any_ip_addr"
+ },
+ "src_ipv6_public": {
+ "type": "boolean",
+ "doc_values": false
+ },
+ "src_ipv6_type": {
+ "type": "keyword"
+ },
+ "meta_src_ipv6_geo": {
+ "properties": {
+ "asn": {
+ "type": "integer",
+ "copy_to": "any_ip_geo.asn"
+ },
+ "as_org": {
+ "type": "text",
+ "norms": false,
+ "copy_to": "any_ip_geo.as_org",
+ "fields": {
+ "keyword": {
+ "type": "keyword",
+ "eager_global_ordinals": true
+ }
+ }
+ },
+ "country_code2": {
+ "type": "keyword"
+ },
+ "country_code3": {
+ "type": "keyword"
+ },
+ "country_name": {
+ "type": "keyword"
+ },
+ "continent_code": {
+ "type": "keyword"
+ },
+ "region_code": {
+ "type": "keyword"
+ },
+ "region_name": {
+ "type": "keyword"
+ },
+ "city_name": {
+ "type": "keyword"
+ },
+ "postal_code": {
+ "type": "keyword"
+ },
+ "latitude": {
+ "type": "keyword",
+ "index": false,
+ "doc_values": false
+ },
+ "longitude": {
+ "type": "keyword",
+ "index": false,
+ "doc_values": false
+ },
+ "dma_code": {
+ "type": "integer"
+ },
+ "area_code": {
+ "type": "integer"
+ },
+ "timezone": {
+ "type": "keyword",
+ "index": false
+ },
+ "location": {
+ "type": "geo_point"
+ }
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/helk-logstash/output_templates/99-logs-any-fields.json b/helk-logstash/output_templates/99-logs-any-fields.json
new file mode 100644
index 00000000..5f72a8c4
--- /dev/null
+++ b/helk-logstash/output_templates/99-logs-any-fields.json
@@ -0,0 +1,26 @@
+{
+ "order": 99,
+ "index_patterns": [ "logs-*" ],
+ "version": 2018080101,
+ "mappings": {
+ "_doc": {
+ "properties": {
+ "any_ip_addr": {
+ "type": "ip"
+ },
+ "any_ip_geo": {
+ "properties": {
+ "asn": {
+ "type": "integer",
+ "doc_values": false
+ },
+ "as_org": {
+ "type": "text",
+ "norms": false
+ }
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/helk-logstash/output_templates/powershell-direct-template.json b/helk-logstash/output_templates/powershell-direct-template.json
deleted file mode 100644
index b73ba6fa..00000000
--- a/helk-logstash/output_templates/powershell-direct-template.json
+++ /dev/null
@@ -1,29 +0,0 @@
-{
- "index_patterns" : "logs-endpoint-powershell-direct-*",
- "settings" : {
- "index.refresh_interval": "5s"
- },
- "mappings":{
- "doc":{
- "dynamic_templates": [{
- "strings":{
- "match_mapping_type": "string",
- "mapping": {
- "type": "text",
- "norms": false,
- "fields": {
- "raw": {
- "type": "keyword",
- "ignore_above": 256
- }
- }
- }
- }
- }],
- "properties":{
- "@timestamp":{"type":"date"},
- "process_id":{"type":"integer"}
- }
- }
- }
-}
\ No newline at end of file
diff --git a/helk-logstash/output_templates/winevent-application-template.json b/helk-logstash/output_templates/winevent-application-template.json
deleted file mode 100644
index 62ab07ba..00000000
--- a/helk-logstash/output_templates/winevent-application-template.json
+++ /dev/null
@@ -1,29 +0,0 @@
-{
- "index_patterns" : "logs-endpoint-winevent-application-*",
- "settings" : {
- "index.refresh_interval": "5s"
- },
- "mappings":{
- "doc":{
- "dynamic_templates": [{
- "strings":{
- "match_mapping_type": "string",
- "mapping": {
- "type": "text",
- "norms": false,
- "fields": {
- "raw": {
- "type": "keyword",
- "ignore_above": 256
- }
- }
- }
- }
- }],
- "properties":{
- "@timestamp":{"type":"date"},
- "spp_restart_scheduled":{"type":"date"}
- }
- }
- }
-}
\ No newline at end of file
diff --git a/helk-logstash/output_templates/winevent-security-template.json b/helk-logstash/output_templates/winevent-security-template.json
deleted file mode 100644
index 82cc3da3..00000000
--- a/helk-logstash/output_templates/winevent-security-template.json
+++ /dev/null
@@ -1,37 +0,0 @@
-{
- "index_patterns" : "logs-endpoint-winevent-security-*",
- "settings" : {
- "index.refresh_interval": "5s"
- },
- "mappings":{
- "doc":{
- "dynamic_templates": [{
- "strings":{
- "match_mapping_type": "string",
- "mapping": {
- "type": "text",
- "norms": false,
- "fields": {
- "raw": {
- "type": "keyword",
- "ignore_above": 256
- }
- }
- }
- }
- }],
- "properties":{
- "@timestamp":{"type":"date"},
- "@date_new_time":{"type":"date"},
- "@date_previous_time":{"type":"date"},
- "process_id":{"type":"integer"},
- "target_process_id":{"type":"integer"},
- "process_parent_id":{"type":"integer"},
- "user_session_id":{"type":"integer"},
- "src_port":{"type":"integer"},
- "dst_port":{"type":"integer"},
- "version":{"type":"integer"}
- }
- }
- }
-}
\ No newline at end of file
diff --git a/helk-logstash/output_templates/winevent-sysmon-template.json b/helk-logstash/output_templates/winevent-sysmon-template.json
deleted file mode 100644
index 567433e3..00000000
--- a/helk-logstash/output_templates/winevent-sysmon-template.json
+++ /dev/null
@@ -1,50 +0,0 @@
-{
- "index_patterns" : "logs-endpoint-winevent-sysmon-*",
- "settings" : {
- "index.refresh_interval": "5s"
- },
- "mappings":{
- "doc":{
- "dynamic_templates": [{
- "strings":{
- "match_mapping_type": "string",
- "mapping": {
- "type": "text",
- "norms": false,
- "fields": {
- "raw": {
- "type": "keyword",
- "ignore_above": 256
- }
- }
- }
- }
- }],
- "properties":{
- "@timestamp":{"type":"date"},
- "@date_creation":{"type":"date"},
- "@date_creation_previous":{"type":"date"},
- "dst_port":{"type":"integer"},
- "src_port":{"type":"integer"},
- "event_id":{"type":"integer"},
- "geoip":{
- "properties":{
- "dma_code":{"type":"integer"},
- "latitude":{"type":"float"},
- "location":{"type": "geo_point"},
- "longitude":{"type":"float"}
- }
- },
- "network_initiated":{"type":"boolean"},
- "process_id":{"type":"integer"},
- "thread_new_id":{"type":"integer"},
- "module_signed":{"type":"boolean"},
- "process_parent_id":{"type":"integer"},
- "target_process_id":{"type":"integer"},
- "user_session_id":{"type":"integer"},
- "thread_id":{"type":"integer"},
- "version":{"type":"integer"}
- }
- }
- }
-}
diff --git a/helk-logstash/output_templates/winevent-system-template.json b/helk-logstash/output_templates/winevent-system-template.json
deleted file mode 100644
index 7cd17658..00000000
--- a/helk-logstash/output_templates/winevent-system-template.json
+++ /dev/null
@@ -1,28 +0,0 @@
-{
- "index_patterns" : "logs-endpoint-winevent-system-*",
- "settings" : {
- "index.refresh_interval": "5s"
- },
- "mappings":{
- "doc":{
- "dynamic_templates": [{
- "strings":{
- "match_mapping_type": "string",
- "mapping": {
- "type": "text",
- "norms": false,
- "fields": {
- "raw": {
- "type": "keyword",
- "ignore_above": 256
- }
- }
- }
- }
- }],
- "properties":{
- "@timestamp":{"type":"date"}
- }
- }
- }
-}
\ No newline at end of file
diff --git a/helk-logstash/output_templates/winevent-wmiactivity-template.json b/helk-logstash/output_templates/winevent-wmiactivity-template.json
deleted file mode 100644
index 4c017253..00000000
--- a/helk-logstash/output_templates/winevent-wmiactivity-template.json
+++ /dev/null
@@ -1,29 +0,0 @@
-{
- "index_patterns" : "logs-endpoint-winevent-wmiactivity-*",
- "settings" : {
- "index.refresh_interval": "5s"
- },
- "mappings":{
- "doc":{
- "dynamic_templates": [{
- "strings":{
- "match_mapping_type": "string",
- "mapping": {
- "type": "text",
- "norms": false,
- "fields": {
- "raw": {
- "type": "keyword",
- "ignore_above": 256
- }
- }
- }
- }
- }],
- "properties":{
- "@timestamp":{"type":"date"},
- "process_id":{"type":"integer"}
- }
- }
- }
-}
From 9c5183d000e3ef5bd526216a7d14e62869ab0eda Mon Sep 17 00:00:00 2001
From: neutron Date: Thu, 2 Aug 2018 14:04:42 -0400 Subject: [PATCH 2/6] complete refactor --- ...kafka-input.conf => 0002-kafka-input.conf} | 3 +- ...tack-input.conf => 0003-attack-input.conf} | 3 +- helk-logstash/pipeline/0004-beats-input.conf | 11 + helk-logstash/pipeline/0098-all-filter.conf | 19 + ...f => 0099-all-finpgerint-hash-filter.conf} | 1 + .../10-winevent-powershell-filter.conf | 136 --- ...move-winlogbeats-prepend-of-eventdata.conf | 28 + .../pipeline/11-winevent-sysmon-filter.conf | 315 ------- .../pipeline/12-winevent-security-filter.conf | 854 ------------------ ...ck-filter.conf => 1216-attack-filter.conf} | 0 ...-cleanup-no-dashes-only-values-filter.conf | 81 ++ ...nversions-ip-conversions-basic-filter.conf | 181 ++++ ...wercasing-windows-is-case-insensitive.conf | 143 +++ .../pipeline/1531-winevent-sysmon-filter.conf | 286 ++++++ .../1532-winevent-security-filter.conf | 807 +++++++++++++++++ ....conf => 1533-winevent-system-filter.conf} | 29 +- ... => 1534-winevent-application-filter.conf} | 11 +- ... => 1535-winevent-wmiactivity-filter.conf} | 13 +- ...nevent-conversions-process-cli-filter.conf | 42 + .../pipeline/1544-winevent-cleanup-other.conf | 8 + .../2511-winevent-powershell-filter.conf | 207 +++++ ...12-winevent-security-schtasks-filter.conf} | 2 +- .../pipeline/8012-dst-ip-cleanups-filter.conf | 81 ++ .../pipeline/8013-src-ip-cleanups-filter.conf | 81 ++ .../8014-dst-nat-ip-cleanups-filter.conf | 81 ++ .../8015-src-nat-ip-cleanups-filter.conf | 81 ++ .../pipeline/8112-dst-ip-filter.conf | 131 +++ .../pipeline/8113-src-ip-filter.conf | 130 +++ .../pipeline/8114-dst-nat-ip-filter.conf | 131 +++ .../pipeline/8115-src-nat-ip-filter.conf | 131 +++ ....conf => 9950-winevent-sysmon-output.conf} | 4 +- ...onf => 9951-winevent-security-output.conf} | 4 +- ....conf => 9952-winevent-system-output.conf} | 4 +- ... => 9953-winevent-application-output.conf} | 4 +- ...f => 9954-winevent-powershell-output.conf} | 2 +- ... 
=> 9955-winevent-wmiactivity-output.conf} | 4 +- ...ck-output.conf => 9956-attack-output.conf} | 3 + 37 files changed, 2698 insertions(+), 1354 deletions(-) rename helk-logstash/pipeline/{02-kafka-input.conf => 0002-kafka-input.conf} (98%) rename helk-logstash/pipeline/{03-attack-input.conf => 0003-attack-input.conf} (96%) create mode 100644 helk-logstash/pipeline/0004-beats-input.conf create mode 100644 helk-logstash/pipeline/0098-all-filter.conf rename helk-logstash/pipeline/{09-all-filter.conf => 0099-all-finpgerint-hash-filter.conf} (81%) delete mode 100644 helk-logstash/pipeline/10-winevent-powershell-filter.conf create mode 100644 helk-logstash/pipeline/1010-winevent-remove-winlogbeats-prepend-of-eventdata.conf delete mode 100644 helk-logstash/pipeline/11-winevent-sysmon-filter.conf delete mode 100644 helk-logstash/pipeline/12-winevent-security-filter.conf rename helk-logstash/pipeline/{16-attack-filter.conf => 1216-attack-filter.conf} (100%) create mode 100644 helk-logstash/pipeline/1500-winevent-cleanup-no-dashes-only-values-filter.conf create mode 100644 helk-logstash/pipeline/1521-winevent-conversions-ip-conversions-basic-filter.conf create mode 100644 helk-logstash/pipeline/1522-winevent-cleanup-lowercasing-windows-is-case-insensitive.conf create mode 100644 helk-logstash/pipeline/1531-winevent-sysmon-filter.conf create mode 100644 helk-logstash/pipeline/1532-winevent-security-filter.conf rename helk-logstash/pipeline/{13-winevent-system-filter.conf => 1533-winevent-system-filter.conf} (50%) rename helk-logstash/pipeline/{14-winevent-application-filter.conf => 1534-winevent-application-filter.conf} (61%) rename helk-logstash/pipeline/{15-winevent-wmiactivity-filter.conf => 1535-winevent-wmiactivity-filter.conf} (97%) create mode 100644 helk-logstash/pipeline/1543-winevent-conversions-process-cli-filter.conf create mode 100644 helk-logstash/pipeline/1544-winevent-cleanup-other.conf create mode 100644 
helk-logstash/pipeline/2511-winevent-powershell-filter.conf rename helk-logstash/pipeline/{16-winevent-security-schtasks-filter.conf => 2512-winevent-security-schtasks-filter.conf} (97%) create mode 100644 helk-logstash/pipeline/8012-dst-ip-cleanups-filter.conf create mode 100644 helk-logstash/pipeline/8013-src-ip-cleanups-filter.conf create mode 100644 helk-logstash/pipeline/8014-dst-nat-ip-cleanups-filter.conf create mode 100644 helk-logstash/pipeline/8015-src-nat-ip-cleanups-filter.conf create mode 100644 helk-logstash/pipeline/8112-dst-ip-filter.conf create mode 100644 helk-logstash/pipeline/8113-src-ip-filter.conf create mode 100644 helk-logstash/pipeline/8114-dst-nat-ip-filter.conf create mode 100644 helk-logstash/pipeline/8115-src-nat-ip-filter.conf rename helk-logstash/pipeline/{50-winevent-sysmon-output.conf => 9950-winevent-sysmon-output.conf} (74%) rename helk-logstash/pipeline/{51-winevent-security-output.conf => 9951-winevent-security-output.conf} (73%) rename helk-logstash/pipeline/{52-winevent-system-output.conf => 9952-winevent-system-output.conf} (66%) rename helk-logstash/pipeline/{53-winevent-application-output.conf => 9953-winevent-application-output.conf} (66%) rename helk-logstash/pipeline/{54-winevent-powershell-output.conf => 9954-winevent-powershell-output.conf} (92%) rename helk-logstash/pipeline/{55-winevent-wmiactivity-output.conf => 9955-winevent-wmiactivity-output.conf} (67%) rename helk-logstash/pipeline/{56-attack-output.conf => 9956-attack-output.conf} (78%) diff --git a/helk-logstash/pipeline/02-kafka-input.conf b/helk-logstash/pipeline/0002-kafka-input.conf similarity index 98% rename from helk-logstash/pipeline/02-kafka-input.conf rename to helk-logstash/pipeline/0002-kafka-input.conf index 4bddc082..03cdc229 100644 --- a/helk-logstash/pipeline/02-kafka-input.conf +++ b/helk-logstash/pipeline/0002-kafka-input.conf 
@@ -4,8 +4,7 @@
# License: GPL-3.0
input {
- kafka
- {
+ kafka {
bootstrap_servers => "helk-kafka-broker:9092,helk-kafka-broker2:9093"
topics => ["winlogbeat"]
decorate_events => true
diff --git a/helk-logstash/pipeline/03-attack-input.conf b/helk-logstash/pipeline/0003-attack-input.conf
similarity index 96%
rename from helk-logstash/pipeline/03-attack-input.conf
rename to helk-logstash/pipeline/0003-attack-input.conf
index b198d520..7ef4ec35 100644
--- a/helk-logstash/pipeline/03-attack-input.conf
+++ b/helk-logstash/pipeline/0003-attack-input.conf
@@ -5,8 +5,7 @@
# License: GPL-3.0
input {
- file
- {
+ file {
path => "/usr/share/logstash/cti/mitre_attack.csv"
start_position => "beginning"
sincedb_path => "/dev/null"
diff --git a/helk-logstash/pipeline/0004-beats-input.conf b/helk-logstash/pipeline/0004-beats-input.conf
new file mode 100644
index 00000000..be6befcc
--- /dev/null
+++ b/helk-logstash/pipeline/0004-beats-input.conf
@@ -0,0 +1,11 @@
+# HELK Kafka input conf file
+# HELK build Stage: Alpha
+# Author: Roberto Rodriguez (@Cyb3rWard0g)
+# License: GPL-3.0
+
+input {
+ beats {
+ port => 5044
+ include_codec_tag => false
+ }
+}
\ No newline at end of file
diff --git a/helk-logstash/pipeline/0098-all-filter.conf b/helk-logstash/pipeline/0098-all-filter.conf
new file mode 100644
index 00000000..b8dd7c61
--- /dev/null
+++ b/helk-logstash/pipeline/0098-all-filter.conf
@@ -0,0 +1,19 @@
+# HELK All filter conf file
+# HELK build Stage: Alpha
+# Author: Roberto Rodriguez (@Cyb3rWard0g)
+# License: GPL-3.0
+
+filter {
+ if [message] {
+ mutate {
+ add_field => {
+ "z_logstash_pipeline" => "0098"
+ "log_ingest_timestamp" => "%{@timestamp}"
+ }
+ copy => {
+ "message" => "z_original_message"
+ "type" => "z_logstash_type"
+ }
+ }
+ }
+}
\ No newline at end of file
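Review bot: The new `beats` input listens on `port => 5044` with no TLS settings, so shippers send event data to Logstash in cleartext and anything that can reach the port can submit events that the rest of the pipeline will treat as Windows event logs. The plugin's `ssl => true` with `ssl_certificate` and `ssl_key` addresses the first point, and `ssl_verify_mode => "force_peer"` together with `ssl_certificate_authorities` addresses the second by requiring a client certificate from each shipper. Separately, the header `# HELK Kafka input conf file` was carried over from the Kafka input and should read `# HELK Beats input conf file`.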
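Review bot: `"log_ingest_timestamp" => "%{@timestamp}"` probably does not record ingest time: for events arriving over the Beats input, `@timestamp` is normally set by the shipper from the event record, so this field would carry the original event time under a name that suggests otherwise. If the time Logstash received the event is what is wanted, a `ruby { code => "event.set('log_ingest_timestamp', LogStash::Timestamp.now)" }` step gives that; if mirroring `@timestamp` is intended, a one-line comment saying so would remove the ambiguity. A short comment on why `message` is duplicated into `z_original_message` (presumably because later stages strip `message`) would also help readers of this otherwise uncommented file.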
diff --git a/helk-logstash/pipeline/09-all-filter.conf b/helk-logstash/pipeline/0099-all-finpgerint-hash-filter.conf
similarity index 81%
rename from helk-logstash/pipeline/09-all-filter.conf
rename to helk-logstash/pipeline/0099-all-finpgerint-hash-filter.conf
index ff7a48c3..f933ea48 100644
--- a/helk-logstash/pipeline/09-all-filter.conf
+++ b/helk-logstash/pipeline/0099-all-finpgerint-hash-filter.conf
@@ -5,6 +5,7 @@
filter {
if [message] {
+ mutate { add_field => { "z_logstash_pipeline" => "0099" } }
fingerprint {
source => "message"
target => "[@metadata][log_hash]"
diff --git a/helk-logstash/pipeline/10-winevent-powershell-filter.conf b/helk-logstash/pipeline/10-winevent-powershell-filter.conf
deleted file mode 100644
index bb97857f..00000000
--- a/helk-logstash/pipeline/10-winevent-powershell-filter.conf
+++ /dev/null
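Review bot: The added `mutate { add_field => { "z_logstash_pipeline" => "0099" } }` targets a field that 0098-all-filter.conf has already populated with `"0098"` for the same `if [message]` events, and `add_field` on an existing field appends, so `z_logstash_pipeline` ends up as the array `["0098", "0099"]` rather than a single stage id. If the array is the intended trail of stages an event passed through, a comment saying so would save the next reader the same check; if one value was intended, `replace` is the right verb. The renamed file's name also spells `finpgerint`; `0099-all-fingerprint-hash-filter.conf` looks like what was meant.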
@@ -1,136 +0,0 @@ -# HELK powershell filter conf file -# HELK build Stage: Alpha -# Author: Roberto Rodriguez (@Cyb3rWard0g) -# License: GPL-3.0 - -# Reference: -# Nate Guagenti (@neu5ron) https://gist.github.com/neu5ron/450289373db61d5c8d7378e79455ef07#file-511-windows-event-powershell-operational-conf - -filter { - if [source_name] == "Microsoft-Windows-PowerShell" or [source_name] == "PowerShell"{ - if [event_id] == 4103 { - mutate { - add_field => [ "PayloadInvocation", "%{[event_data][Payload]}" ] - add_field => [ "PayloadParams", "%{[event_data][Payload]}" ] - gsub => [ - "[event_data][ContextInfo]", " ", "", - "[event_data][ContextInfo]", " = ", "=" - ] - } - mutate { - gsub => [ - "PayloadInvocation", "CommandInvocation\(.*\)", "commandinvocation", - "PayloadInvocation", "ParameterBinding.*\r\n", "", - "PayloadParams", "parameterbinding\(.*\)", "parameterbinding", - "PayloadParams", "CommandInvocation.*\r\n", "", - "[event_data][Payload]", "CommandInvocation.*\r\n", "", - "[event_data][Payload]", "ParameterBinding.*\r\n", "" - ] - rename => { "[event_load][Payload]" => "[powershell][payload]" } - } - kv { - source => "PayloadInvocation" - field_split => "\n" - value_split => ":" - allow_duplicate_values => false - target => "[powershell]" - include_keys => [ "commandinvocation" ] - } - kv { - source => "PayloadParams" - value_split => "=" - allow_duplicate_values => false - target => "[powershell][param]" - include_keys => [ "name", "value" ] - } - kv { - source => "[event_data][ContextInfo]" - field_split => "\r\n" - value_split => "=" - remove_char_key => " " - allow_duplicate_values => false - include_keys => [ "Severity", "HostName", "HostVersion", "HostID", "HostApplication", "EngineVersion", "RunspaceID", "PipelineID", "CommandName", "CommandType", "ScriptName", "CommandPath", "SequenceNumber", "ConnectedUser", "ShellID" ] - } - mutate { - rename => { - "CommandName" => "[powershell][command][name]" - "CommandPath" => "[powershell][command][path]" - 
"CommandType" => "[powershell][command][type]" - "ConnectedUser" => "[powershell][connected][user]" - "EngineVersion" => "[powershell][engine][version]" - "HostApplication" => "[powershell][host][application]" - "HostID" => "[powershell][host][id]" - "HostName" => "[powershell][host][name]" - "HostVersion" => "[powershell][host][version]" - "PipelineID" => "[powershell][pipeline][id]" - "RunspaceID" => "[powershell][runspace][id]" - "Scriptname" => "[powershell][script][name]" - "SequenceNumber" => "[powershell][sequence][number]" - "ShellID" => "[powershell][shell][id]" - } - remove_field => [ - "Severity", - "EventType", - "Keywords", - "message", - "Opcode", - "PayloadInvocation", - "PayloadParams", - "[event_data][Payload]", - "[event_data][ContextInfo]" - ] - convert => { "[powershell][pipeline][id]" => "integer" } - convert => { "[powershell][sequence][number]" => "integer" } - } - } - if [event_id] == 4104 { - mutate { - rename => { - "[event_data][MessageNumber]" => "[powershell][message][number]" - "[event_data][MessageTotal]" => "[powershell][message][total]" - "[event_data][ScriptBlockId]" => "[powershell][scriptblock][id]" - "[event_data][ScriptBlockText]" => "[powershell][scriptblock][text]" - "[event_data][Path]" => "[powershell][script][path]" - } - remove_field => [ "message" ] - convert => { "[powershell][message][number]" => "integer" } - convert => { "[powershell][message][total]" => "integer" } - convert => { "[powershell][scriptblock][id]" => "integer" } - } - } - if [event_id] == 400 or [event_id] == 600 { - kv { - source => "[event_data][param3]" - field_split => "\n" - value_split => "=" - trim_key => "\t" - allow_duplicate_values => false - } - mutate { - rename => { - "ProviderName" => "[powershell][providername]" - "NewProviderState" => "[powershell][newproviderstate]" - "SequenceNumber" => "[powershell][sequencenumber" - "HostName" => "[powershell][host][name]" - "HostVersion" => "[powershell][host][version]" - "HostId" => 
"[powershell][host][id]"
- "HostApplication" => "[powershell][host][application]"
- "EngineVersion" => "[powershell][engine][version]"
- "RunspaceId" => "[powershell][runspace][id]"
- "PipelineId" => "[powershell][pipeline][id]"
- "CommandName" => "[powershell][command][name]"
- "CommandType" => "[powershell][command][type]"
- "ScriptName" => "[powershell][script][name]"
- "CommandPath" => "[powershell][command][path]"
- "CommandLine" => "[powershell][command][line]"
- "NewEngineState" => "[powershell][newengine][state]"
- "PreviousEngineState" => "[powershell][previousengine][state]"
- }
- remove_field => [ "message" ]
- remove_field => "[event_data][param1]"
- remove_field => "[event_data][param2]"
- remove_field => "[event_data][param3]"
- }
- }
- }
-}
diff --git a/helk-logstash/pipeline/1010-winevent-remove-winlogbeats-prepend-of-eventdata.conf b/helk-logstash/pipeline/1010-winevent-remove-winlogbeats-prepend-of-eventdata.conf
new file mode 100644
index 00000000..bb9d546b
--- /dev/null
+++ b/helk-logstash/pipeline/1010-winevent-remove-winlogbeats-prepend-of-eventdata.conf
@@ -0,0 +1,28 @@
+filter {
+ # Use the following to get rid of the prepended "event_data" nest that (elastic) winlogbeats adds to windows logs
+ if [type] == "wineventlog" and [beat] {
+ ruby {
+ code => "
+ eventdata = event.get('event_data')
+ # Sometimes does not exist, so check that first -- then move the nests
+ if !eventdata.nil?
+ eventdata.each {|k, v|
+ if eventdata.to_s != '(NULL)'
+ event.set(k, v)
+ end
+ }
+ end
+ # Finally remove the nest completely
+ event.remove('event_data')
+ "
+ tag_on_exception => "_rubyexception_1010"
+ #code => "
+ # event.get('event_data').each {|k, v|
+ # event.set(k, v)
+ # }
+ # event.remove('event_data')
+ #"
+ #tag_on_exception => "_rubyexception_1010"
+ }
+ }
+}
\ No newline at end of file
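Review bot: `if eventdata.to_s != '(NULL)'` inside the `each` block compares the string form of the whole `event_data` hash, not the value being copied, so the condition has the same result for every key and never skips the individual `(NULL)` values it appears meant to filter; `if v.to_s != '(NULL)'` is presumably what was intended. Because `event.set(k, v)` promotes every key the shipper nests under `event_data` to the top level, an EventData field whose name happens to match a field the pipeline relies on (`type`, `tags`, `beat`, or the `z_` fields written in 0098) silently overwrites it; guarding with `unless event.include?(k)`, or prefixing colliding keys, keeps producer-supplied data from clobbering pipeline metadata. The commented-out `#code => … #tag_on_exception` block duplicates the live implementation minus the nil check and should be removed rather than shipped.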
diff --git a/helk-logstash/pipeline/11-winevent-sysmon-filter.conf b/helk-logstash/pipeline/11-winevent-sysmon-filter.conf
deleted file mode 100644
index bc7c8baf..00000000
--- a/helk-logstash/pipeline/11-winevent-sysmon-filter.conf
+++ /dev/null
@@ -1,315 +0,0 @@ -# HELK sysmon filter conf file -# HELK build Stage: Alpha -# Author: Roberto Rodriguez (@Cyb3rWard0g) -# License: GPL-3.0 - -filter { - if [log_name] == "Microsoft-Windows-Sysmon/Operational"{ - mutate { - rename => { - "[user][domain]" => "user_reporter_domain" - "[user][identifier]" => "user_reporter_sid" - "[user][name]" => "user_reporter_name" - "[user][type]" => "user_reporter_type" - "computer_name" => "host_name" - } - } - if [provider_guid] { - mutate { - gsub => ["provider_guid","[{}]",""] - } - } - if [event_data][RuleName] { - kv { - source => "[event_data][RuleName]" - field_split => "," - value_split => "=" - prefix => "mitre_" - transform_key => "lowercase" - } - } - if [event_data][Image] { - if [event_data][Image] =~ /^(\w*$)|^(\w*\..*$)/ { - mutate { - copy => {"[event_data][Image]" => "process_name"} - } - } - else { - grok { - match => { "[event_data][Image]" => ".*\\%{GREEDYDATA:process_name}" } - tag_on_failure => [ "_grokparsefailure", "_parsefailure" ] - } - } - mutate { - rename => { - "[event_data][Image]" => "process_path" - "[event_data][ProcessGuid]" => "process_guid" - "[event_data][ProcessId]" => "process_id" - } - gsub => ["process_guid","[{}]",""] - } - } - if [event_data][ParentImage] { - grok { - match => { "[event_data][ParentImage]" => ".*\\%{GREEDYDATA:process_parent_name}" } - tag_on_failure => [ "_grokparsefailure", "_parsefailure" ] - } - } - if [event_data][Hashes] { - kv { - source => "[event_data][Hashes]" - field_split => "," - value_split => "=" - prefix => "hash_" - transform_key => "lowercase" - } - } - if [event_data][TargetImage] { - grok { - match => { "[event_data][SourceImage]" => ".*\\%{GREEDYDATA:process_name}" } - tag_on_failure => [ "_grokparsefailure", "_parsefailure" ] - } - grok { - match => { "[event_data][TargetImage]" => ".*\\%{GREEDYDATA:target_process_name}" } - tag_on_failure => [ "_grokparsefailure", "_parsefailure" ] - } - mutate { - rename => { - "[event_data][SourceImage]" => 
"process_path" - "[event_data][SourceProcessGUID]" => "process_guid" - "[event_data][SourceProcessId]" => "process_id" - "[event_data][TargetImage]" => "target_process_path" - "[event_data][TargetProcessGUID]" => "target_process_guid" - "[event_data][TargetProcessId]" => "target_process_id" - } - gsub => ["process_guid","[{}]",""] - gsub => ["target_process_guid","[{}]",""] - } - } - if [event_data][User] { - grok { - match => { "[event_data][User]" => "%{GREEDYDATA:user_domain}\\%{GREEDYDATA:user_name}" } - tag_on_failure => [ "_grokparsefailure", "_parsefailure" ] - } - } - if [event_data][LogonId] { - mutate { rename => { "[event_data][LogonId]" => "user_logon_id" }} - mutate { gsub => [ "user_logon_id", "0x", "" ]} - ruby { - code => " - userlogonid = event.get('user_logon_id') - userlogonid = userlogonid.hex - event.set('user_logon_id', userlogonid) - " - tag_on_exception => "_0591_rubyexception" - } - } - if [event_id] == 1 { - mutate { - add_field => { "action" => "processcreate" } - rename => { - "[event_data][CommandLine]" => "process_command_line" - "[event_data][CurrentDirectory]" => "process_current_directory" - "[event_data][ParentImage]" => "process_parent_path" - "[event_data][ParentCommandLine]" => "process_parent_command_line" - "[event_data][IntegrityLevel]" => "process_integrity_level" - "[event_data][LogonGuid]" => "user_logon_guid" - "[event_data][ParentProcessGuid]" => "process_parent_guid" - "[event_data][ParentProcessId]" => "process_parent_id" - "[event_data][TerminalSessionId]" => "user_session_id" - "[event_data][FileVersion]" => "file_version" - "[event_data][Description]" => "file_description" - "[event_data][Product]" => "file_product" - "[event_data][Company]" => "file_company" - } - gsub => ["process_parent_guid","[{}]",""] - gsub => ["user_logon_guid","[{}]",""] - } - } - if [event_id] == 2 { - mutate { - add_field => { "action" => "filecreatetime" } - rename => { - "[event_data][TargetFileName]" => "file_name" - } - } - } - if 
[event_id] == 3 { - mutate { - add_field => { "action" => "networkconnect" } - rename => { - "[event_data][DestinationHostname]" => "dst_host_name" - "[event_data][DestinationIp]" => "dst_ip" - "[event_data][DestinationIsIpv6]" => "dst_is_ipv6" - "[event_data][DestinationPort]" => "dst_port" - "[event_data][DestinationPortName]" => "dst_port_name" - "[event_data][Initiated]" => "network_initiated" - "[event_data][Protocol]" => "network_protocol" - "[event_data][SourceHostname]" => "src_host_name" - "[event_data][SourceIp]" => "src_ip" - "[event_data][SourceIsIpv6]" => "src_is_ipv6" - "[event_data][SourcePort]" => "src_port" - "[event_data][SourcePortName]" => "src_port_name" - } - } - geoip { - source => "dst_ip" - remove_field => "[geoip][ip]" - } - } - if [event_id] == 4 { - mutate { - add_field => { "action" => "sysmonservicestatechanged" } - rename => { - "[event_data][State]" => "service_state" - "[event_data][Version]" => "sysmon_version" - "[event_data][SchemaVersion]" => "sysmon_schema_version" - } - } - } - if [event_id] == 6 { - mutate { - add_field => { "action" => "driverload" } - rename => { - "[event_data][ImageLoaded]" => "driver_loaded" - "[event_data][Signature]" => "driver_signature" - "[event_data][SignatureStatus]" => "driver_signature_status" - "[event_data][Signed]" => "driver_signed" - } - } - } - if [event_id] == 7 { - mutate { - add_field => { "action" => "imageload" } - rename => { - "[event_data][ImageLoaded]" => "module_loaded" - "[event_data][Signature]" => "module_signature" - "[event_data][SignatureStatus]" => "module_signature_status" - "[event_data][Signed]" => "module_signed" - } - } - } - if [event_id] == 8 { - mutate { - add_field => { "action" => "createremotethread" } - rename => { - "[event_data][NewThreadId]" => "thread_new_id" - "[event_data][StartAddress]" => "thread_start_address" - "[event_data][StartFunction]" => "thread_start_function" - "[event_data][StartModule]" => "thread_start_module" - } - } - } - if [event_id] == 
9 { - mutate { - add_field => { "action" => "rawaccessread" } - rename => { - "[event_data][Device]" => "device_name" - } - } - } - if [event_id] == 10 { - mutate { - add_field => { "action" => "processaccess" } - rename => { - "[event_data][CallTrace]" => "process_call_trace" - "[event_data][GrantedAccess]" => "process_granted_access" - "[event_data][SourceThreadId]" => "thread_id" - } - } - } - if [event_id] == 11 { - mutate { - add_field => { "action" => "filecreate" } - rename => { - "[event_data][TargetFilename]" => "file_name" - } - } - } - if [event_id] == 12 or [event_id] == 13 or [event_id] == 14 { - mutate { - add_field => { "action" => "registryevent" } - rename => { - "[event_data][EventType]" => "event_type" - "[event_data][TargetObject]" => "registry_key_path" - "[event_data][Details]" => "registry_key_value" - } - } - } - if [event_id] == 15 { - mutate { - add_field => { "action" => "filecreatestreamhash" } - rename => { - "[event_data][TargetFilename]" => "file_name" - "[event_data][Hash]" => "hash" - } - } - } - if [event_id] == 16 { - kv { - source => "[event_data][ConfigurationFileHash]" - value_split => "=" - prefix => "sysmon_config_hash_" - transform_key => "lowercase" - } - mutate { - add_field => { "action" => "sysmonconfigstatechanged" } - rename => { - "[event_data][State]" => "sysmon_configuration_state" - "[event_data][Configuration]" => "sysmon_configuration" - } - } - } - if [event_id] == 18 or [event_id] == 17 { - mutate { - add_field => { "action" => "pipeevent" } - rename => { - "[event_data][PipeName]" => "pipe_name" - } - } - } - if [event_id] == 19 or [event_id] == 20 or [event_id] == 21 { - mutate { - add_field => { "action" => "wmievent" } - rename => { - "[event_data][EventType]" => "wmi_event_type" - "[event_data][Operation]" => "wmi_operation" - "[event_data][EventNamespace]" => "wmi_namespace" - "[event_data][Name]" => "wmi_name" - "[event_data][Query]" => "wmi_query" - "[event_data][Type]" => "wmi_type" - 
"[event_data][Destination]" => "wmi_destination" - } - } - } - date { - timezone => "UTC" - match => [ "[event_data][UtcTime]", "YYYY-MM-dd HH:mm:ss.SSS" ] - tag_on_failure => [ "_sysmon_datefailure", "_dateparsefailure" ] - } - date { - timezone => "UTC" - match => [ "[event_data][CreationUtcTime]", "YYYY-MM-dd HH:mm:ss.SSS" ] - target => "@date_creation" - tag_on_failure => [ "_sysmon_datefailure", "_dateparsefailure" ] - } - date { - timezone => "UTC" - match => [ "[event_data][PreviousCreationUtcTime]", "YYYY-MM-dd HH:mm:ss.SSS" ] - target => "@date_creation_previous" - tag_on_failure => [ "_sysmon_datefailure", "_dateparsefailure" ] - } - mutate { - remove_field => "[event_data]" - remove_field => "message" - remove_field => "[event_data][Hashes]" - remove_field => "[event_data][ConfigurationFileHash]" - remove_field => "[event_data][UtcTime]" - remove_field => "[event_data][CreationUtcTime]" - remove_field => "[event_data][PreviousCreationUtcTime]" - remove_field => "[user]" - rename => { "[event_data][User]" => "user_account"} - } - } -} - diff --git a/helk-logstash/pipeline/12-winevent-security-filter.conf b/helk-logstash/pipeline/12-winevent-security-filter.conf deleted file mode 100644 index 0401e947..00000000 --- a/helk-logstash/pipeline/12-winevent-security-filter.conf +++ /dev/null 
@@ -1,854 +0,0 @@
-# HELK winevent-security filter conf file
-# HELK build Stage: Alpha
-# Author: Roberto Rodriguez (@Cyb3rWard0g)
-# License: GPL-3.0
-
-filter {
- if [log_name] == "Security"{
- if [event_data][ProcessName] {
- grok {
- match => {
- "[event_data][ProcessName]" => ".*\\%{GREEDYDATA:process_name}"
- }
- tag_on_failure => [ "_grokparsefailure", "_parsefailure" ]
- }
- }
- if [event_id] == 4611 {
- # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4611.md
- mutate {
- rename => {
- "[event_data][SubjectUserSid]" => "user_sid"
- "[event_data][SubjectUserName]" => "user_name"
- "[event_data][SubjectDomainName]" => "user_domain"
- "[event_data][SubjectLogonId]" => "user_logon_id"
- "[event_data][LogonProcessName]" => "logon_process_name"
- }
- }
- }
- if [event_id] == 4616 {
- # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4616.md
- mutate {
- rename => {
- "[event_data][NewTime]" => "@date_new_time"
- "[event_data][PreviousTime]" => "@date_previous_time"
- "[event_data][SubjectUserSid]" => "user_sid"
- "[event_data][SubjectUserName]" => "user_name"
- "[event_data][SubjectDomainName]" => "user_domain"
- "[event_data][SubjectLogonId]" => "user_logon_id"
- "[event_data][ProcessId]" => "process_id"
- "[event_data][ProcessName]" => "process_path"
- }
- }
- }
- if [event_id] == 4624 {
- # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4624.md
- mutate {
- rename => {
- "[event_data][SubjectUserSid]" => "user_reporter_sid"
- "[event_data][SubjectUserName]" => "user_reporter_name"
- "[event_data][SubjectDomainName]" => "user_reporter_domain"
- "[event_data][SubjectLogonId]" => "reporter_logon_id"
- "[event_data][ProcessId]" => "process_id"
- "[event_data][ProcessName]" => "process_path"
- "[event_data][TargetLogonId]" => "user_logon_id"
- "[event_data][LogonType]" => "logon_type"
- "[event_data][RestrictedAdminMode]" => "logon_restricted_adminmode"
- "[event_data][VirtualAccount]" => "logon_virtual_account"
- "[event_data][ElevatedToken]" => "logon_elevated_token"
- "[event_data][TargetUserName]" => "user_name"
- "[event_data][TargetDomainName]" => "user_domain"
- "[event_data][TargetLinkedLogonId]" => "user_linked_logon_id"
- "[event_data][TargetOutboundDomainName]" => "user_network_account_domain"
- "[event_data][TargetOutboundUserName]" => "user_network_account_name"
- "[event_data][TargetUserSid]" => "user_sid"
- "[event_data][ImpersonationLevel]" => "impersonation_level"
- "[event_data][LogonGuid]" => "user_logon_guid"
- "[event_data][WorkstationName]" => "src_host_name"
- "[event_data][IpAddress]" => "src_ip"
- "[event_data][IpPort]" => "src_port"
- "[event_data][LogonProcessName]" => "logon_process_name"
- "[event_data][AuthenticationPackageName]" => "logon_authentication_package_name"
- "[event_data][TransmittedServices]" => "logon_transmitted_services"
- "[event_data][LmPackageName]" => "logon_package_name"
- "[event_data][KeyLength]" => "logon_key_length"
- }
- }
- if "logon_elevated_token" == "Yes"{
- mutate {
- add_tag => ["elevated_logon"]
- }
- }
- }
- if [event_id] == 4625 {
- # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4625.md
- mutate {
- rename => {
- "[event_data][SubjectUserSid]" => "user_reporter_sid"
- "[event_data][SubjectUserName]" => "user_reporter_name"
- "[event_data][SubjectDomainName]" => "user_reporter_domain"
- "[event_data][SubjectLogonId]" => "reporter_logon_id"
- "[event_data][ProcessId]" => "process_id"
- "[event_data][ProcessName]" => "process_path"
- "[event_data][LogonType]" => "logon_type"
- "[event_data][TargetUserName]" => "user_name"
- "[event_data][TargetDomainName]" => "user_domain"
- "[event_data][TargetUserSid]" => "user_sid"
- "[event_data][WorkstationName]" => "src_host"
- "[event_data][IpAddress]" => "src_ip"
- "[event_data][IpPort]" => "src_port"
- "[event_data][LogonProcessName]" => "logon_process_name"
- "[event_data][AuthenticationPackageName]" => "logon_authentication_package_name"
- "[event_data][TransmittedServices]" => "logon_transmitted_services"
- "[event_data][LmPackageName]" => "logon_package_name"
- "[event_data][KeyLength]" => "logon_key_length"
- "[event_data][FailureReason]" => "logon_failure_reason"
- "[event_data][Status]" => "logon_failure_status"
- "[event_data][SubStatus]" => "logon_failure_substatus"
- }
- }
- if "logon_elevated_token" == "Yes"{
- mutate {
- add_tag => ["elevated_logon"]
- }
- }
- }
- if [event_id] == 4627 {
- # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4627.md
- mutate {
- rename => {
- "[event_data][SubjectUserSid]" => "user_reporter_sid"
- "[event_data][SubjectUserName]" => "user_reporter_name"
- "[event_data][SubjectDomainName]" => "user_reporter_domain"
- "[event_data][SubjectLogonId]" => "reporter_logon_id"
- "[event_data][TargetLogonId]" => "user_logon_id"
- "[event_data][LogonType]" => "logon_type"
- "[event_data][TargetUserName]" => "user_name"
- "[event_data][TargetDomainName]" => "user_domain"
- "[event_data][TargetUserSid]" => "user_sid"
- "[event_data][GroupMembership]" => "user_group_membership"
- }
- remove_field => "[event_data][EventCountTotal]"
- remove_field => "[event_data][EventIdx]"
- }
- }
- if [event_id] == 4634 {
- # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4634.md
- mutate {
- rename => {
- "[event_data][LogonType]" => "logon_type"
- "[event_data][TargetDomainName]" => "user_domain"
- "[event_data][TargetLogonId]" => "user_logon_id"
- "[event_data][TargetUserName" => "user_name"
- "[event_data][TargetUserSid]" => "user_sid"
- }
- }
- }
- if [event_id] == 4647 {
- # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4647.md
- mutate {
- rename => {
- "[event_data][TargetDomainName]" => "user_domain"
- "[event_data][TargetLogonId]" => "user_logon_id"
- "[event_data][TargetUserName" => "user_name"
- "[event_data][TargetUserSid]" => "user_sid"
- }
- }
- }
- if [event_id] == 4648 {
- # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4648.md
- mutate {
- rename => {
- "[event_data][SubjectUserSid]" => "user_sid"
- "[event_data][SubjectUserName]" => "user_name"
- "[event_data][SubjectDomainName]" => "user_domain"
- "[event_data][SubjectLogonId]" => "user_logon_id"
- "[event_data][LogonGuid]" => "user_logon_guid"
- "[event_data][TargetUserName]" => "target_user_name"
- "[event_data][TargetDomainName]" => "target_user_domain"
- "[event_data][ProcessId]" => "process_id"
- "[event_data][ProcessName]" => "process_path"
- "[event_data][TargetLogonId]" => "target_user_logon_id"
- "[event_data][TargetServerName]" => "service_host_name"
- "[event_data][TargetInfo]" => "service_host_info"
- "[event_data][TargetLogonGuid]" => "target_user_logon_guid"
- "[event_data][IpAddress]" => "src_ip"
- "[event_data][IpPort]" => "src_port"
- }
- }
- }
- if [event_id] == 4656 {
- # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4656.md
- mutate {
- rename => {
- "[event_data][SubjectDomainName]" => "user_domain"
- "[event_data][SubjectLogonId]" => "user_logon_id"
- "[event_data][SubjectUserName]" => "user_name"
- "[event_data][SubjectUserSid]" => "user_sid"
- "[event_data][AccessList]" => "object_access_list_requested"
- "[event_data][AccessMask]" => "object_access_mask_requested"
- "[event_data][AccessReason]" => "object_access_reason"
- "[event_data][ObjectName]" => "object_name"
- "[event_data][ObjectServer]" => "object_server"
- "[event_data][ObjectType]" => "object_type"
- "[event_data][HandleId]" => "object_access_handle_id"
- "[event_data][PrivilegeList]" => "object_privilege_list"
- "[event_data][TransactionId" => "object_access_transaction_id"
- "[event_data][ProcessId]" => "process_id"
- "[event_data][ProcessName]" => "process_path"
- "[event_data][ResourceAttributes]" => "object_resource_attributes"
- "event_data][RestrictedSidCount]" => "object_restricted_sid_count"
- }
- }
- }
- if [event_id] == 4657 {
- # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4657.md
- mutate {
- rename => {
- "[event_data][SubjectDomainName]" => "user_domain"
- "[event_data][SubjectLogonId]" => "user_logon_id"
- "[event_data][SubjectUserName]" => "user_name"
- "[event_data][SubjectUserSid]" => "user_sid"
- "[event_data][ObjectName]" => "object_name"
- "[event_data][ObjectValueName]" => "object_value_name"
- "[event_data][HandleId]" => "object_access_handle_id"
- "[event_data][OperationType]" => "object_operation_type"
- "[event_data][ProcessId]" => "process_id"
- "[event_data][ProcessName]" => "process_path"
- "[event_data][OldValueType]" => "object_value_old_type"
- "[event_data][OldValue]" => "object_value_old"
- "[event_data][NewValueType]" => "object_value_new_type"
- "[event_data][NewValue]" => "object_value_new"
- }
- }
- }
- if [event_id] == 4658 {
- # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4658.md
- mutate {
- rename => {
- "[event_data][SubjectDomainName]" => "user_domain"
- "[event_data][SubjectLogonId]" => "user_logon_id"
- "[event_data][SubjectUserName]" => "user_name"
- "[event_data][SubjectUserSid]" => "user_sid"
- "[event_data][ProcessId]" => "process_id"
- "[event_data][ProcessName]" => "process_path"
- "[event_data][ObjectServer]" => "object_server"
- "[event_data][HandleId]" => "object_access_handle_id"
- }
- }
- }
- if [event_id] == 4661 or [event_id] == 4662 or [event_id] == 4663 {
- # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4661.md
- # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4662.md
- # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4663.md
- mutate {
- rename => {
- "[event_data][SubjectDomainName]" => "user_domain"
- "[event_data][SubjectLogonId]" => "user_logon_id"
- "[event_data][SubjectUserName]" => "user_name"
- "[event_data][SubjectUserSid]" => "user_sid"
- "[event_data][Properties]" => "object_properties"
- "[event_data][AccessMask]" => "object_access_mask_requested"
- "[event_data][HandleId]" => "object_access_handle_id"
- "[event_data][ObjectName]" => "object_name"
- "[event_data][ObjectServer]" => "object_server"
- "[event_data][ObjectType]" => "object_type"
- "[event_data][AdditionalInfo2]" => "object_additional_info2"
- "[event_data][OperationType]" => "object_operation_type"
- "[event_data][AdditionalInfo]" => "object_additional_info"
- "[event_data][AccessList]" => "object_access_list_requested"
- "[event_data][ResourceAttributes]" => "object_resource_attributes"
- "[event_data][ProcessId]" => "process_id"
- "[event_data][ProcessName]" => "process_path"
- "[event_data][AccessReason]" => "object_access_reason"
- "[event_data][PrivilegeList]" => "object_privilege_list"
- "[event_data][TransactionId" => "object_access_transaction_id"
- "event_data][RestrictedSidCount]" => "object_restricted_sid_count"
- }
- }
- }
- if [event_id] == 4670 {
- # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4670.md
- mutate {
- rename => {
- "[event_data][SubjectDomainName]" => "user_domain"
- "[event_data][SubjectLogonId]" => "user_logon_id"
- "[event_data][SubjectUserName]" => "user_name"
- "[event_data][SubjectUserSid]" => "user_sid"
- "[event_data][ProcessId]" => "process_id"
- "[event_data][ProcessName]" => "process_path"
- "[event_data][HandleId]" => "object_access_handle_id"
- "[event_data][NewSd]" => "object_new_sddl"
- "[event_data][ObjectName]" => "object_name"
- "[event_data][ObjectServer]" => "object_server"
- "[event_data][ObjectType]" => "object_type"
- "[event_data][OldSd]" => "object_old_sddl"
- }
- }
- }
- if [event_id] == 4672 {
- # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4672.md
- mutate {
- rename => {
- "[event_data][PrivilegeList]" => "logon_privileges_assigned"
- "[event_data][SubjectDomainName]" => "user_domain"
- "[event_data][SubjectLogonId]" => "user_logon_id"
- "[event_data][SubjectUserName]" => "user_name"
- "[event_data][SubjectUserSid]" => "user_sid"
- }
- }
- }
- if [event_id] == 4673 {
- # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4673.md
- mutate {
- rename => {
- "[event_data][PrivilegeList]" => "service_privilege_list"
- "[event_data][ObjectServer]" => "object_server"
- "[event_data][Service]" => "service_name"
- "[event_data][SubjectDomainName]" => "user_domain"
- "[event_data][SubjectLogonId]" => "user_logon_id"
- "[event_data][SubjectUserName]" => "user_name"
- "[event_data][SubjectUserSid]" => "user_sid"
- "[event_data][ProcessId]" => "process_id"
- "[event_data][ProcessName]" => "process_path"
- }
- }
- }
- if [event_id] == 4674 {
- # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4674.md
- mutate {
- rename => {
- "[event_data][SubjectDomainName]" => "user_domain"
- "[event_data][SubjectLogonId]" => "user_logon_id"
- "[event_data][SubjectUserName]" => "user_name"
- "[event_data][SubjectUserSid]" => "user_sid"
- "[event_data][ProcessId]" => "process_id"
- "[event_data][ProcessName]" => "process_path"
- "[event_data][AccessMask]" => "object_access_mask_requested"
- "[event_data][HandleId]" => "object_access_handle_id"
- "[event_data][ObjectName]" => "object_name"
- "[event_data][ObjectServer]" => "object_server"
- "[event_data][ObjectType]" => "object_type"
- "[event_data][PrivilegeList]" => "object_privilege_list"
- }
- }
- }
- if [event_id] == 4688 {
- # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4688.md
- grok {
- match => { "[event_data][NewProcessName]" => ".*\\%{GREEDYDATA:process_name}" }
- tag_on_failure => [ "_grokparsefailure", "_parsefailure" ]
- }
- grok {
- match => { "[event_data][ParentProcessName]" => ".*\\%{GREEDYDATA:process_parent_name}" }
- tag_on_failure => [ "_grokparsefailure", "_parsefailure" ]
- }
- mutate {
- rename => {
- "[event_data][NewProcessId]" => "process_id"
- "[event_data][NewProcessName]" => "process_path"
- "[event_data][CommandLine]" => "command_line"
- "[event_data][ParentProcessName]" => "process_parent_path"
- "[event_data][SubjectDomainName]" => "user_domain"
- "[event_data][SubjectLogonId]" => "user_logon_id"
- "[event_data][SubjectUserName]" => "user_name"
- "[event_data][SubjectUserSid]" => "user_sid"
- "[event_data][TargetDomainName]" => "user_principal_domain"
- "[event_data][TargetUserSid]" => "user_principal_sid"
- "[event_data][TargetUserName]" => "user_principal_name"
- "[event_data][TargetLogonId]" => "user_principal_id"
- "[event_data][MandatoryLabel]" => "process_mandatory_level"
- "[event_data][ProcessId]" => "process_parent_id"
- "[event_data][TokenElevationType]" => "process_token_elevation_type"
- }
- }
- }
- if [event_id] == 4689 {
- # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4689.md
- mutate {
- rename => {
- "[event_data][SubjectDomainName]" => "user_domain"
- "[event_data][SubjectLogonId]" => "user_logon_id"
- "[event_data][SubjectUserName]" => "user_name"
- "[event_data][SubjectUserSid]" => "user_sid"
- "[event_data][ProcessId]" => "process_id"
- "[event_data][ProcessName]" => "process_path"
- "[event_data][Status]" => "process_status"
- }
- }
- }
- if [event_id] == 4690 {
- # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4690.md
- mutate {
- rename => {
- "[event_data][SubjectDomainName]" => "user_domain"
- "[event_data][SubjectLogonId]" => "user_logon_id"
- "[event_data][SubjectUserName]" => "user_name"
- "[event_data][SubjectUserSid]" => "user_sid"
- "[event_data][SourceHandleId]" => "process_handle_id"
- "[event_data][SourceProcessId]" => "process_id"
- "[event_data][TargetHandleId]" => "target_process_handle_id"
- "[event_data][TargetProcessId]" => "target_process_id"
- }
- }
- }
- if [event_id] == 4697 {
- # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4697.md
- mutate {
- rename => {
- "[event_data][SubjectDomainName]" => "user_domain"
- "[event_data][SubjectLogonId]" => "user_logon_id"
- "[event_data][SubjectUserName]" => "user_name"
- "[event_data][SubjectUserSid]" => "user_sid"
- "[event_data][ServiceAccount]" => "service_account_name"
- "[event_data][ServiceFileName]" => "service_image_path"
- "[event_data][ServiceName]" => "service_name"
- "[event_data][ServiceStartType]" => "service_start_type"
- "[event_data][ServiceType]" => "service_type"
- }
- }
- }
- if [event_id] == 4701 or [event_id] == 4702 {
- # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4701.md
- # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4702.md
- mutate {
- rename => {
- "[event_data][SubjectDomainName]" => "user_domain"
- "[event_data][SubjectLogonId]" => "user_logon_id"
- "[event_data][SubjectUserName]" => "user_name"
- "[event_data][SubjectUserSid]" => "user_sid"
- "[event_data][TaskContentNew]" => "task_new_content"
- "[event_data][TaskName]" => "task_name"
- }
- }
- }
- if [event_id] == 4703 {
- # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4703.md
- mutate {
- rename => {
- "[event_data][SubjectDomainName]" => "user_domain"
- "[event_data][SubjectLogonId]" => "user_logon_id"
- "[event_data][SubjectUserName]" => "user_name"
- "[event_data][SubjectUserSid]" => "user_sid"
- "[event_data][TargetDomainName]" => "user_target_domain"
- "[event_data][TargetLogonId]" => "user_target_logon_id"
- "[event_data][TargetUserSid]" => "user_target_sid"
- "[event_data][TargetUserName]" => "user_target_name"
- "[event_data][DisabledPrivilegeList]" => "user_target_disabled_privilegelist"
- "[event_data][EnabledPrivilegeList]" => "user_target_enabled_privilegelist"
- "[event_data][ProcessId]" => "process_id"
- "[event_data][ProcessName]" => "process_path"
- }
- }
- }
- if [event_id] == 4719 {
- # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4719.md
- mutate {
- rename => {
- "[event_data][SubjectDomainName]" => "user_domain"
- "[event_data][SubjectLogonId]" => "user_logon_id"
- "[event_data][SubjectUserName]" => "user_name"
- "[event_data][SubjectUserSid]" => "user_sid"
- "[event_data][AuditPolicyChanges]" => "policy_changes"
- "[event_data][CategoryId]" => "policy_category_id"
- "[event_data][SubcategoryGuid]" => "policy_subcategory_guid"
- "[event_data][SubcategoryId]" => "policy_subcategory_id"
- }
- }
- }
- if [event_id] == 4724 or [event_id] == 4725 {
- # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4724.md
- # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4725.md
- mutate {
- rename => {
- "[event_data][SubjectDomainName]" => "user_domain"
- "[event_data][SubjectLogonId]" => "user_logon_id"
- "[event_data][SubjectUserName]" => "user_name"
- "[event_data][SubjectUserSid]" => "user_sid"
- "[event_data][TargetDomainName]" => "user_target_domain"
- "[event_data][TargetSid]" => "user_target_sid"
- "[event_data][TargetUserName]" => "user_target_name"
- }
- }
- }
- if [event_id] == 4726 {
- # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4726.md
- mutate {
- rename => {
- "[event_data][SubjectDomainName]" => "user_domain"
- "[event_data][SubjectLogonId]" => "user_logon_id"
- "[event_data][SubjectUserName]" => "user_name"
- "[event_data][SubjectUserSid]" => "user_sid"
- "[event_data][TargetDomainName]" => "user_target_domain"
- "[event_data][TargetSid]" => "user_target_sid"
- "[event_data][TargetUserName]" => "user_target_name"
- "[event_data][PrivilegeList]" => "user_privilege_list"
- }
- }
- }
- if [event_id] == 4728 or [event_id] == 4729 {
- mutate {
- rename => {
- "[event_data][SubjectDomainName]" => "user_domain"
- "[event_data][SubjectLogonId]" => "user_logon_id"
- "[event_data][SubjectUserName]" => "user_name"
- "[event_data][SubjectUserSid]" => "user_sid"
- "[event_data][TargetDomainName]" => "group_domain"
- "[event_data][TargetSid]" => "group_sid"
- "[event_data][TargetUserName]" => "group_name"
- "[event_data][MemberName]" => "group_member_name"
- "[event_data][MemberSid]" => "group_member_sid"
- "[event_data][PrivilegeList]" => "group_privilege_list"
- }
- }
- }
- if [event_id] == 4732 or [event_id] == 4733 {
- # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4732.md
- # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4733.md
- mutate {
- rename => {
- "[event_data][SubjectDomainName]" => "user_domain"
- "[event_data][SubjectLogonId]" => "user_logon_id"
- "[event_data][SubjectUserName]" => "user_name"
- "[event_data][SubjectUserSid]" => "user_sid"
- "[event_data][TargetDomainName]" => "group_domain"
- "[event_data][TargetSid]" => "group_sid"
- "[event_data][TargetUserName]" => "group_name"
- "[event_data][MemberName]" => "group_member_name"
- "[event_data][MemberSid]" => "group_member_sid"
- "[event_data][PrivilegeList]" => "group_privilege_list"
- }
- }
- }
- if [event_id] == 4738 or [event_id] == 4720 {
- # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4738.md
- # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4720.md
- mutate {
- rename => {
- "[event_data][SubjectDomainName]" => "user_domain"
- "[event_data][SubjectLogonId]" => "user_logon_id"
- "[event_data][SubjectUserName]" => "user_name"
- "[event_data][SubjectUserSid]" => "user_sid"
- "[event_data][TargetDomainName]" => "user_target_domain"
- "[event_data][TargetSid]" => "user_target_sid"
- "[event_data][TargetUserName]" => "user_target_name"
- "[event_data][AccountExpires]" => "user_attribute_account_expires"
- "[event_data][AllowedToDelegateTo]" => "user_attribute_allowed_todelegate"
- "[event_data][DisplayName]" => "user_attribute_display_name"
- "[event_data][Dummy]" => "user_attribute_dummy"
- "[event_data][HomeDirectory]" => "user_attribute_home_directory"
- "[event_data][HomePath]" => "user_attribute_home_path"
- "[event_data][LogonHours]" => "user_attribute_logon_hours"
- "[event_data][NewUacValue]" => "user_attribute_new_uacvalue"
- "[event_data][OldUacValue]" => "user_attribute_old_uacvalue"
- "[event_data][PasswordLastSet]" => "user_attribute_password_lastset"
- "[event_data][PrimaryGroupId]" => "[user_attribute_primary_group_id"
- "[event_data][PrivilegeList]" => "user_attribute_privilege_list"
- "[event_data][ProfilePath]" => "user_attribute_profile_path"
- "[event_data][SamAccountName]" => "user_attribute_samaccount_name"
- "[event_data][ScriptPath]" => "user_attribute_script_path"
- "[event_data][SidHistory]" => "user_attribute_sid_history"
- }
- }
- }
- if [event_id] == 4768 or [event_id] == 4769 {
- # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4768.md
- # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4769.md
- # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4771.md
- mutate {
- rename => {
- "[event_data][TargetDomainName]" => "user_domain"
- "[event_data][TargetUserName]" => "user_name"
- "[event_data][IpAddress]" => "src_ip"
- "[event_data][IpPort]" => "src_port"
- "[event_data][PreAuthType]" => "service_ticket_preauthtype"
- "[event_data][LogonGuid]" => "user_logon_guid"
- "[event_data][ServiceName]" => "service_ticket_name"
- "[event_data][ServiceSid]" => "service_ticket_id"
- "[event_data][Status]" => "service_ticket_status"
- "[event_data][TicketEncryptionType]" => "ticket_encryption_type"
- "[event_data][TicketOptions]" => "ticket_options"
- "[event_data][FailureCode]" => "ticket_failure_code"
- "[event_data][TransmittedServices]" => "service_ticket_requested"
- "[event_data][TargetSid]" => "user_sid"
- }
- }
- }
- if [event_id] == 4797 {
- mutate {
- rename => {
- "[event_data][SubjectDomainName]" => "user_domain"
- "[event_data][SubjectLogonId]" => "user_logon_id"
- "[event_data][SubjectUserName]" => "user_name"
- "[event_data][SubjectUserSid]" => "user_sid"
- "[event_data][TargetDomainName]" => "service_enumerated_domain"
- "[event_data][TargetUserName]" => "service_enumerated_name"
- "[event_data][Workstation]" => "host_name"
- }
- }
- }
- if [event_id] == 4798 {
- # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4798.md
- mutate {
- rename => {
- "[event_data][CallerProcessId]" => "process_id"
- "[event_data][CallerProcessName]" => "process_path"
- "[event_data][SubjectDomainName]" => "user_domain"
- "[event_data][SubjectLogonId]" => "user_logon_id"
- "[event_data][SubjectUserName]" => "user_name"
- "[event_data][SubjectUserSid]" => "user_sid"
- "[event_data][TargetDomainName]" => "user_domain_enumerated"
- "[event_data][TargetSid]" => "user_sid_enumerated"
- "[event_data][TargetUserName]" => "user_name_enumerated"
- }
- }
- }
- if [event_id] == 4799 {
- # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4799.md
- mutate {
- rename => {
- "[event_data][CallerProcessId]" => "process_id"
- "[event_data][CallerProcessName]" => "process_path"
- "[event_data][SubjectDomainName]" => "user_domain"
- "[event_data][SubjectLogonId]" => "user_logon_id"
- "[event_data][SubjectUserName]" => "user_name"
- "[event_data][SubjectUserSid]" => "user_sid"
- "[event_data][TargetDomainName]" => "group_domain_enumerated"
- "[event_data][TargetSid]" => "group_sid_enumerated"
- "[event_data][TargetUserName]" => "group_name_enumerated"
- }
- }
- }
- if [event_id] == 4800 or [event_id] == 4801 {
- # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4800.md
- # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4801.md
- mutate {
- rename => {
-
- "[event_data][TargetDomainName]" => "user_domain"
- "[event_data][TargetUserSid]" => "user_sid"
- "[event_data][TargetUserName]" => "user_name"
- "[event_data][TargetLogonId]" => "user_logon_id"
- "[event_data][SessionId]" => "user_session_id"
- }
- }
- }
- if [event_id] == 4907 {
- # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4907.md
- mutate {
- rename => {
- "[event_data][SubjectDomainName]" => "user_domain"
- "[event_data][SubjectLogonId]" => "user_logon_id"
- "[event_data][SubjectUserName]" => "user_name"
- "[event_data][SubjectUserSid]" => "user_sid"
- "[event_data][ProcessId]" => "process_id"
- "[event_data][ProcessName]" => "process_path"
- "[event_data][HandleId]" => "object_access_handle_id"
- "[event_data][NewSd]" => "object_new_sddl"
- "[event_data][ObjectName]" => "object_name"
- "[event_data][ObjectServer]" => "object_server"
- "[event_data][ObjectType]" => "object_type"
- "[event_data][OldSd]" => "object_old_sddl"
- }
- }
- }
- if [event_id] == 4957 {
- # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4957.md
- mutate {
- rename => {
- "[event_data][RuleAttr]" => "firewall_rule_attr"
- "[event_data][RuleId]" => "firewall_rule_id"
- "[event_data][RuleName]" => "firewall_rule_name"
- }
- }
- }
- if [event_id] == 5058 or [event_id] == 5059 or [event_id] == 5061 {
- # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5058.md
- # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5059.md
- # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5061.md
- mutate {
- rename => {
- "[event_data][SubjectDomainName]" => "user_domain"
- "[event_data][SubjectLogonId]" => "user_logon_id"
- "[event_data][SubjectUserName]" => "user_name"
- "[event_data][SubjectUserSid]" => "user_sid"
- "[event_data][AlgorithmName]" => "key_algorithm_name"
- "[event_data][KeyName]" => "key_name"
- "[event_data][KeyType]" => "key_type"
- "[event_data][Operation]" => "key_operation"
- "[event_data][ProviderName" => "key_provider_name"
- "[event_data][ReturnCode]" => "key_return_code"
- }
- }
- }
- if [event_id] == 5136 {
- # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5136.md
- mutate {
- rename => {
- "[event_data][SubjectDomainName]" => "user_domain"
- "[event_data][SubjectLogonId]" => "user_logon_id"
- "[event_data][SubjectUserName]" => "user_name"
- "[event_data][SubjectUserSid]" => "user_sid"
- "[event_data][OpCorrelationID]" => "dsoperation_correlation_id"
- "[event_data][AppCorrelationID]" => "dsoperation_app_correlation_id"
- "[event_data][DSName]" => "dsobject_domain"
- "[event_data][DSType]" => "dsobject_domain_type"
- "[event_data][ObjectDN]" => "dsobject_dn"
- "[event_data][ObjectGUID]" => "dsobject_guid"
- "[event_data][ObjectClass]" => "dsobject_class"
- "[event_data][AttributeLDAPDisplayName]" => "dsobject_attribute_name"
- "[event_data][AttributeSyntaxOID]" => "dsobject_attribute_type"
- "[event_data][AttributeValue]" => "dsobject_attribute_value"
- "[event_data][OperationType]" => "dsoperation_type"
- }
- }
- }
- if [event_id] == 5140 or [event_id] == 5145 {
- # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5140.md
- # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5145.md
- mutate {
- rename => {
- "[event_data][SubjectDomainName]" => "user_domain"
- "[event_data][SubjectLogonId]" => "user_logon_id"
- "[event_data][SubjectUserName]" => "user_name"
- "[event_data][SubjectUserSid]" => "user_sid"
- "[event_data][AccessList]" => "object_access_list_requested"
- "[event_data][AccessMask]" => "object_access_mask_requested"
- "[event_data][AccessReason]" => "user_access_reason"
- "[event_data][IpAddress]" => "src_ip"
- "[event_data][IpPort]" => "src_port"
- "[event_data][ObjectType]" => "object_type"
- "[event_data][RelativeTargetName]" => "share_relative_target_name"
- "[event_data][ShareLocalPath]" => "share_local_path"
- "[event_data][ShareName]" => "share_name"
- }
- }
- }
- if [event_id] == 5152 or [event_id] == 5154 or [event_id] == 5156 or [event_id] == 5158 or [event_id] == 5157 {
- # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5152.md
- # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5154.md
- # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5156.md
- # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5157.md
- # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5158.md
- grok {
- match => {
- "[event_data][Application]" => ".*\\%{GREEDYDATA:process_name}"
- }
- tag_on_failure => [ "_grokparsefailure", "_parsefailure" ]
- }
- mutate {
- rename => {
- "[event_data][Application]" => "process_path"
- "[event_data][DestAddress]" => "dst_ip"
- "[event_data][DestPort]" => "dst_port"
- "[event_data][Direction]" => "network_direction"
- "[event_data][FilterRTID]" => "network_filter_rtid"
- "[event_data][LayerName]" => "network_layer_name"
- "[event_data][LayerRTID]" => "network_layer_rtid"
- "[event_data][ProcessID]" => "process_id"
- "[event_data][Protocol]" => "network_protocol"
- "[event_data][RemoteMachineID]" => "dst_host_name_id"
- "[event_data][RemoteUserID]" => "dst_user_id"
- "[event_data][SourceAddress]" => "src_ip"
- "[event_data][SourcePort]" => "src_port"
- "[event_data][ProcessId]" => "process_id"
- }
- }
- }
- if [event_id] == 5447 {
- # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5447.md
- mutate {
- rename => {
- "[event_data][SubjectDomainName]" => "user_domain"
- "[event_data][SubjectLogonId]" => "user_logon_id"
- "[event_data][SubjectUserName]" => "user_name"
- "[event_data][SubjectUserSid]" => "user_sid"
- "[event_data][AccessList]" => "object_access_list_requested"
- "[event_data][AccessMask]" => "object_access_mask_requested"
- "[event_data][AccessReason]" => "user_access_reason"
- "[event_data][IpAddress]" => "src_ip"
- "[event_data][IpPort]" => "src_port"
- "[event_data][ObjectType]" => "object_type"
- "[event_data][RelativeTargetName]" => "share_relative_target_name"
- "[event_data][ShareLocalPath]" => "share_local_path"
- "[event_data][ShareName]" => "share_name"
- "[event_data][Action]" => "filtering_action"
- "[event_data][CalloutKey]" => "filtering_callout_key"
- "[event_data][CalloutName]" => "filtering_callout_name"
- "[event_data][ChangeType]" => "filtering_change_type"
- "[event_data][Conditions]" => "filtering_conditions"
- "[event_data][FilterId]" => "filtering_id"
- "[event_data][FilterKey]" => "filtering_key"
- "[event_data][FilterName]" => "filtering_name"
- "[event_data][FilterType]" => "filtering_type"
- "[event_data][LayerId]" => "filtering_layer_id"
- "[event_data][LayerKey]" => "filtering_layer_key"
- "[event_data][LayerName]" => "filtering_layer_name"
- "[event_data][ProcessId]" => "process_id"
- "[event_data][ProviderKey]" => "filtering_provider_key"
- "[event_data][ProviderName" => "filtering_provider_name"
- "[event_data][UserName]" => "user_name"
- "[event_data][UserSid]" => "user_sid"
- "[event_data][Weight]" => "filtering_weight"
- }
- }
- }
- if [event_id] == 6416 {
- # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-6416.md
- mutate {
- rename => {
- "[event_data][SubjectDomainName]" => "user_domain"
- "[event_data][SubjectLogonId]" => "user_logon_id"
- "[event_data][SubjectUserName]" => "user_name"
- "[event_data][SubjectUserSid]" => "user_sid"
- "[event_data][ClassId]" => "device_class_id"
- "[event_data][ClassName]" => "device_class_name"
- "[event_data][CompatibleIds]" => "device_compatible_ids"
- "[event_data][DeviceDescription]" => "device_description"
- "[event_data][DeviceId]" => "device_id"
- "[event_data][LocationInformation]" => "device_location_information"
- "[event_data][VendorIds]" => "device_vendor_ids"
- }
- }
- }
- mutate {
- convert => {
- "src_port" => "integer"
- "dst_port" => "integer"
- }
- rename => {
- "computer_name" => "host_name"
- }
- gsub => ["user_logon_guid","[{}]",""]
- gsub => ["target_user_logon_guid","[{}]",""]
- }
- if [user_logon_id] {
- mutate { gsub => [ "user_logon_id", "0x", "" ]}
- ruby {
- code => "event.set('user_logon_id', event.get('user_logon_id').to_s.hex)"
- tag_on_exception => "_0591_rubyexception"
- }
- }
- if [process_id] {
- mutate { gsub => [ "process_id", "0x", "" ]}
- ruby {
- code => "event.set('process_id', event.get('process_id').to_s.hex)"
- tag_on_exception => "_0591_rubyexception"
- }
- }
- if [process_parent_id] {
- mutate { gsub => [ "process_parent_id", "0x", "" ]}
- ruby {
- code => "event.set('process_parent_id', event.get('process_parent_id').to_s.hex)"
- tag_on_exception => "_0591_rubyexception"
- }
- }
- if [target_process_id] {
- mutate { gsub => [ "target_process_id", "0x", "" ]}
- ruby {
- code => "event.set('target_process_id', event.get('target_process_id').to_s.hex)"
- tag_on_exception => "_0591_rubyexception"
- }
- }
- }
-}
-
diff --git a/helk-logstash/pipeline/16-attack-filter.conf b/helk-logstash/pipeline/1216-attack-filter.conf
similarity index 100%
rename from helk-logstash/pipeline/16-attack-filter.conf
rename to helk-logstash/pipeline/1216-attack-filter.conf
diff --git a/helk-logstash/pipeline/1500-winevent-cleanup-no-dashes-only-values-filter.conf b/helk-logstash/pipeline/1500-winevent-cleanup-no-dashes-only-values-filter.conf
new file mode 100644
index 00000000..b97d363c
--- /dev/null
+++ b/helk-logstash/pipeline/1500-winevent-cleanup-no-dashes-only-values-filter.conf
@@ -0,0 +1,81 @@
+filter {
+ if [event_id] {
+ mutate { add_field => { "z_logstash_pipeline" => "1500" } }
+
+ # Remove specific keys/fields that have "-"/dash has the only value values
+ # Command Line will be done later on in pipeline because it is all sorts of random fields especially when we custom parse some event IDs
+ # #TONOTE:Prune does not work on nested fields, so we are moving this into the beginning of Windows logs pipeline
+ prune {
+ blacklist_values => [
+ "AccessList", "^\-$",
+ "AccessReason", "^\-$",
+ "AccountExpires", "^\-$",
+ "AccountName", "^\-$",
+ "AdditionalInfo", "^\-$",
+ "Address", "^\-$",
+ "AppCorrelationID", "^\-$",
+ "CallerProcessName", "^\-$",
+ "ClientAddress", "^\-$",
+ "ClientIP", "^\-$",
+ "ClientIPAddress", "^\-$",
+ "CompatibleIds", "^\-$",
+ "ComputerAccountChange", "^\-$",
+ "ConnectedViaIPAddress", "^\-$",
+ "DCIPAddress", "^\-$",
+ "DestinationIp", "^\-$",
+ "DisplayName", "^\-$",
+ "DnsHostName", "^\-$",
+ "Domain", "^\-$",
+ "Dummy", "^\-$",
+ "HomeDirectory", "^\-$",
+ "HomePath", "^\-$",
+ "Identity", "^\-$",
+ "ipAddress", "^\-$",
+ "IpAddress", "^\-$",
+ "IPAddress", "^\-$",
+ "IpPort", "^\-$",
+ "IPString", "^\-$",
+ "LaunchedViaIPAddress", "^\-$",
+ "LmPackageName", "^\-$",
+ "LocationInformation", "^\-$",
+ "LogonGuid", "^\-$",
+ "LogonHours", "^\-$",
+ "NewUacValue", "^\-$",
+ "ObjectName", "^\-$",
+ "ObjectType", "^\-$",
+ "OldUacValue", "^\-$",
+ "PasswordLastSet", "^\-$",
+ "PreAuthType", "^\-$",
+ "PrimaryGroupId", "^\-$",
+ "PrivilegeList", "^\-$",
+ "ProcessName", "^\-$",
+ "ProfilePath", "^\-$",
+ "RestrictedAdminMode", "^\-$",
+ "SamAccountName", "^\-$",
+ "ScriptPath", "^\-$",
+ "ServerIpAddress", "^\-$",
+ "Service", "^\-$",
+ "ServicePrincipalNames", "^\-$",
+ "SourceIp", "^\-$",
+ "SidHistory", "^\-$",
+ "SidList", "^\-$",
+ "SubjectDomainName", "^\-$",
+ "SubjectUserName", "^\-$",
+ "SubjectUserSid", "^\-$",
+ "TargetDomainName", "^\-$",
+ "TargetOutboundDomainName", "^\-$",
+ "TargetOutboundUserName", "^\-$",
+ "TargetUserName", "^\-$",
+ "TargetUserSid", "^\-$",
+ "TraceMessage", "^\-$",
+ "TransmittedServices", "^\-$",
+ "UserAccountControl", "^\-$",
+ "UserID", "^\-$",
+ "UserParameters", "^\-$",
+ "UserPrincipalName", "^\-$",
+ "UserWorkstations", "^\-$",
+ "WorkstationName", "^\-$"
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/helk-logstash/pipeline/1521-winevent-conversions-ip-conversions-basic-filter.conf b/helk-logstash/pipeline/1521-winevent-conversions-ip-conversions-basic-filter.conf
new file mode 100644
index 00000000..9d81b4db
--- /dev/null
+++ b/helk-logstash/pipeline/1521-winevent-conversions-ip-conversions-basic-filter.conf
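Review bot: The prune list is alphabetical except for `"SourceIp"`, which sits between `"ServicePrincipalNames"` and `"SidHistory"`; moving it after `"SidList"` keeps the list scannable as it grows. The escape in `"^\-$"` is unnecessary — `-` is not special outside a character class, so `"^-$"` matches the same values without depending on how Logstash treats an unknown backslash escape in a double-quoted string. The file also ends without a trailing newline, as the `\ No newline at end of file` marker shows; the same applies to the 1521 and 1522 files in this commit.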
@@ -0,0 +1,181 @@ +filter { + # Use this to determine if windows event log or not (for now, until we are properly marking all windows log types as something like "log_type: winevent") + if [event_id] { + mutate { add_field => { "z_logstash_pipeline" => "1521" } } + + # Since Sysmon may be the most common EventIDs with IPs lets do that first. This will contain source and destination IPs. + # Seen in the following EventIDs (not necessarily exhaustive) + # Microsoft-Windows-Sysmon/Operational:3 + # Parse "SourceIp" field and then afterwards if it exists then the DestinationIp should exist as well (see note above) + if [SourceIp] { + if [SourceIsIpv6] == 'false' { + mutate { + rename => { "SourceIp" => "src_ip_addr" } + remove_field => [ "SourceIsIpv6" ] + } + } + else { + mutate { + rename => { "SourceIp" => "ipv6_src_addr" } + remove_field => [ "SourceIsIpv6" ] + } + } + # Parse "DestinationIp" field + # Seen in the following EventIDs (not necessarily exhaustive) + # Microsoft-Windows-Sysmon/Operational:3 + if [DestinationIp] { + if [DestinationIsIpv6] == 'false' { + mutate { + rename => { "DestinationIp" => "dst_ip_addr" } + remove_field => [ "DestinationIsIpv6" ] + } + } + else { + mutate { + rename => { "DestinationIp" => "ipv6_dst_addr" } + remove_field => [ "DestinationIsIpv6" ] + } + } + } + } + + # If not Sysmon IP field try all the rest of the possible IP fields as of 2018-03-19 and going through 3,000 Windows EventIDs + else { + + #### Parse all other possible Source IP Address fields, none of the following two fields would exist in any one windows event.. therefore, use "if"/"else if" statements + # Parse "IpAddress" field + # Seen in the following EventIDs (not necessarily exhaustive) + # Security:4624, Security:4625, Security:4648, Security:4770, Security:4771, Security:4768, Security:4769, Security:5140, Security:5145 + if [IpAddress] { + if [IpAddress] =~ "^\d{1,3}\." 
{ + mutate { rename => { "IpAddress" => "src_ip_addr" } } + } + else { + # First try to match IPv6 & IPv4 combined + # Last try IPv6 only + grok { + match => { + "IpAddress" => + [ + "%{IPV6:ipv6_src_addr} %{IPV4:src_ip_addr}", + "%{IPV6:ipv6_src_addr}" + ] + } + keep_empty_captures => false + named_captures_only => true + tag_on_failure => [ "_IpAddress_grokparsefailure", "_grokparsefailure", "_parsefailure", "_windows_ip_parsefailure" ] + tag_on_timeout => "_groktimeout" + # Timeout .250 seconds + timeout_millis => 250 + remove_field => [ "IpAddress" ] + } + } + } + + # Parse "SourceAddress" field + # Seen in the following EventIDs (not necessarily exhaustive) + # Security:5152,5154,5156,5157,5158 + else if [SourceAddress] { + mutate { rename => { "SourceAddress" => "src_ip_addr" } } + } + + # Parse "ClientAddress" field + # Seen in the following EventIDs (not necessarily exhaustive) + # Security:4778,4779 + else if [ClientAddress] { + mutate { rename => { "ClientAddress" => "src_ip_addr" } } + } + + # Parse "ClientIPAddress" field + # Seen in the following EventIDs (not necessarily exhaustive) + # Citrix-XenDesktop-BrokerMonitor/Operational:4,5,44,45 + else if [ClientIPAddress] { + mutate { rename => { "ClientIPAddress" => "src_ip_addr" } } + } + + # Parse "ClientIP" field + # Seen in the following EventIDs (not necessarily exhaustive) + # Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational:131 + else if [ClientIP] { + # First lets substitute any characters that have been seen that would cause bad parsing/values + mutate { gsub => [ "ClientIP", "[\[\]]", "" ] } + if [ClientIP] =~ "^\d{1,3}\." 
{ + dissect { + mapping => { "ClientIP" => "%{src_ip_addr}:%{port_src}" } + tag_on_failure => [ "_dissectfailure", "_parsefailure" ] + remove_field => [ "ClientIP" ] + } + } + } + + # Parse "IPString" field + # Seen in the following EventIDs (not necessarily exhaustive) + # Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational:139,140 + else if [IPString] { + mutate { rename => { "IPString" => "src_ip_addr" } } + } + #### ^ DONE w/ All Src IP parsing #### + + + #### Parse all other possible Destination IP Address fields, none of the following two fields would exist in any one windows event.. therefore, use "if"/"else if" statements + # Parse "DestAddress" field + # Seen in the following EventIDs (not necessarily exhaustive) + # Application:1039 SourceName Citrix Broker Service + if [DestAddress] { + mutate { rename => { "DestAddress" => "dst_ip_addr" } } + } + + # Parse "LaunchedViaIPAddress" field + # Seen in the following EventIDs (not necessarily exhaustive) + # Citrix-XenDesktop-BrokerMonitor/Operational:4,5,44,45 + else if [LaunchedViaIPAddress] { + mutate { rename => { "LaunchedViaIPAddress" => "dst_ip_addr" } } + } + + # Parse "MachineIpAddress" field + # Seen in the following EventIDs (not necessarily exhaustive) + # Citrix-XenDesktop-BrokerMonitor/Operational:10 + else if [MachineIpAddress] { + mutate { rename => { "MachineIpAddress" => "dst_ip_addr" } } + } + + # Parse "ipAddress" field + # Seen in the following EventIDs (not necessarily exhaustive) + # Application:1039 SourceName Citrix Broker Service + else if [ipAddress] { + mutate { rename => { "ipAddress" => "dst_ip_addr" } } + } + + # Parse "Value" field + # Seen in the following EventIDs (not necessarily exhaustive) + # Microsoft-Windows-TerminalServices-RDPClient/Operational:1102,1024 + # Only perform on the above EIDs because otherwise it may be values that are incomprehensible + else if [Value] and [wef][channel] == "Microsoft-Windows-TerminalServices-RDPClient/Operational" { + if 
[wef.eid] == 1102 { + mutate { rename => { "Value" => "dst_ip_addr" } } + } + else if [wef.eid] == 1024 { + mutate { rename => { "Value" => "dst_ip_addr" } } + } + } + # Parse "TargetServer" field + # Seen in the following EventIDs (not necessarily exhaustive) + # Security:5378 + else if [TargetServer] { + mutate { gsub => [ "TargetServer", "TERMSRV\/", "" ] } + mutate { rename => { "TargetServer" => "dst_ip_addr" } } + } + #### ^ DONE w/ All Dst IP parsing #### + + + #### Parse all possible Destination NAT IP Address fields, none of the following two fields would exist in any one windows event.. therefore, use "if"/"else if" statements + # Parse "ConnectedViaIPAddress" field + # Seen in the following EventIDs (not necessarily exhaustive) + # Citrix-XenDesktop-BrokerMonitor/Operational:4,44 + if [ConnectedViaIPAddress] { + mutate { rename => { "ConnectedViaIPAddress" => "dst_nat_ip_addr" } } + } + #### ^ DONE w/ All Dst NAT IP parsing #### + } + } +} \ No newline at end of file diff --git a/helk-logstash/pipeline/1522-winevent-cleanup-lowercasing-windows-is-case-insensitive.conf b/helk-logstash/pipeline/1522-winevent-cleanup-lowercasing-windows-is-case-insensitive.conf new file mode 100644 index 00000000..d5f385f6 --- /dev/null +++ b/helk-logstash/pipeline/1522-winevent-cleanup-lowercasing-windows-is-case-insensitive.conf 
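Review bot: The `Value` branch mixes two field-reference syntaxes: `[wef][channel]` is a nested lookup, while `[wef.eid]` names a top-level field literally called `wef.eid`, and every other filter in this commit keys event numbers on `[event_id]`, so the two `Value` renames most likely never fire; `if [event_id] == 1102 or [event_id] == 1024 { mutate { rename => { "Value" => "dst_ip_addr" } } }` would also fold the two identical branches into one. The `ClientIP` branch only handles the IPv4 form: after the bracket strip, an IPv6 value fails `=~ "^\d{1,3}\."` and is left un-normalized with no failure tag. That branch's dissect also writes the port to `port_src`, whereas the sysmon filter in this commit uses `src_port`, so the two never land in one field in the index templates. An IPv4-mapped address (`::ffff:a.b.c.d`) in `IpAddress` likewise fails the IPv4 regex and, if the IPV6 grok pattern accepts it, ends up in `ipv6_src_addr`; if that is intended, the channel comment above the `IpAddress` branch should say so.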
@@ -0,0 +1,143 @@
+filter {
+ if [event_id] {
+ mutate { add_field => { "z_logstash_pipeline" => "1522" } }
+
+ mutate {
+ lowercase => [
+ "AccountDistinguishedName",
+ "AccountName",
+ "ActionName",
+ "AllowedToDelegateTo",
+ "ApplicationPath",
+ "AttributeLDAPDisplayName",
+ "AuthenticationPackageName",
+ "CACommonName",
+ "CallerProcessName",
+ "CalloutName",
+ "ClientName",
+ "ClientUserName",
+ "Command Name",
+ "CommandName",
+ "CommandPath",
+ "ConnectionName",
+ "CorruptedFilePath",
+ "CrashedAppName",
+ "CurrentDirectory",
+ "DCDomainName",
+ "DestinationHostname",
+ "DestinationPortName",
+ "DeviceName",
+ "DfsPath",
+ "DisplayName",
+ "displayName",
+ "DnsHostName",
+ "Domain",
+ "DriveName",
+ "DSName",
+ "DSObjectName",
+ "ExtensibleModulePath",
+ "FileName",
+ "Filename",
+ "FilePath",
+ "GPODisplayName",
+ "GPOFileSystemPath",
+ "GPOName",
+ "GroupName",
+ "HiveName",
+ "HomeDirectory",
+ "HomePath",
+ "HostName",
+ "Host Name",
+ "HostOSName",
+ "Host OS Name",
+ "HostOSservicepackName",
+ "Host OS service pack Name",
+ "HostNameChanged",
+ "ImageName",
+ "ImagePath",
+ "InstancePath",
+ "KeepPropertyCanonicalName",
+ "KeyName",
+ "Key Name",
+ "KeyName",
+ "KeyFilePath",
+ "LocalPath",
+ "LogonProcessName",
+ "MachineName",
+ "MappedName",
+ "MemberName",
+ "NAME",
+ "NameServer",
+ "NamespaceName",
+ "NetworkName",
+ "NewProcessName",
+ "NewTargetUserName",
+ "ObjectName",
+ "OldTargetUserName",
+ "OldTargetUserName",
+ "ParentProcessName",
+ "Path",
+ "PortName",
+ "PrincipalCNName",
+ "PrincipalDomainName",
+ "PrincipalSamName",
+ "Process Name",
+ "ProcessName",
+ "ProdessName",
+ "ProcessPath",
+ "processPath",
+ "ProfilePath",
+ "QNAME",
+ "QueryName",
+ "RelativeTargetName",
+ "SamAccountName",
+ "Script Name",
+ "ScriptName",
+ "ScriptPath",
+ "SecurityPackageName",
+ "ServerName",
+ "serverName",
+ "ServiceFileName",
+ "ServiceName",
+ "ServicePrincipalNames",
+ "SessionName",
+ "ShareName",
+ "ShareLocalPath",
+ "SnapshotPath",
+ "SourceHostname",
+ "SourcePortName",
+ "StateName",
+ "SubjectDomainName",
+ "SubjectUserDomainName",
+ "SubjectUserName",
+ "SwitchFName",
+ "TargetDomainName",
+ "TargetFilename",
+ "Targetname",
+ "TargetOutboundDomainName",
+ "TargetOutboundUserName",
+ "TargetProcessName",
+ "TargetRealm",
+ "TargetServerName",
+ "TargetUserName",
+ "TargetUserName",
+ "TaskName",
+ "TransportProtocolName",
+ "UncPath",
+ "User",
+ "user",
+ "UserName",
+ "Username",
+ "userName",
+ "username",
+ "UserPrincipalName",
+ "VhdFileName",
+ "VolumeName",
+ "wmiClassName",
+ "Workstation",
+ "WorkstationName",
+ "XPath"
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/helk-logstash/pipeline/1531-winevent-sysmon-filter.conf b/helk-logstash/pipeline/1531-winevent-sysmon-filter.conf
new file mode 100644
index 00000000..96f86bfe
--- /dev/null
+++ b/helk-logstash/pipeline/1531-winevent-sysmon-filter.conf
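Review bot: The lowercase list carries duplicate entries — `"KeyName"`, `"OldTargetUserName"` and `"TargetUserName"` each appear twice — and `"ProdessName"` looks like a typo for `"ProcessName"`, which is already listed a few entries earlier; if the misspelling is a real field name emitted by some event source, a comment beside it would stop the next reader from "fixing" it. The duplicates are harmless, since lowercasing an absent or already-lowercase field is a no-op, but they make the list harder to audit. Lowercasing is irreversible, and the sysmon filter in this commit removes `message`, so for list entries whose case can be meaningful (Sysmon `TargetFilename` on a case-sensitive volume, `UncPath` toward a non-Windows share) the original value is gone unless it is kept somewhere not shown here; a header comment such as `# Only add fields whose values are case-insensitive on Windows — original casing is not kept` would record that assumption for future additions.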
@@ -0,0 +1,286 @@ +# HELK sysmon filter conf file +# HELK build Stage: Alpha +# Author: Roberto Rodriguez (@Cyb3rWard0g) +# License: GPL-3.0 + +filter { + if [log_name] == "Microsoft-Windows-Sysmon/Operational"{ + mutate { add_field => { "z_logstash_pipeline" => "1531" } } + mutate { + rename => { + "[user][domain]" => "user_reporter_domain" + "[user][identifier]" => "user_reporter_sid" + "[user][name]" => "user_reporter_name" + "[user][type]" => "user_reporter_type" + "computer_name" => "host_name" + } + } + if [provider_guid] { + mutate { gsub => [ "provider_guid", "[{}]", "" ] } + } + if [RuleName] { + kv { + source => "RuleName" + field_split => "," + value_split => "=" + prefix => "mitre_" + transform_key => "lowercase" + } + } + if [Image] { + if [Image] =~ /^(\w*$)|^(\w*\..*$)/ { + mutate { copy => {"Image" => "process_name"} } + } + else { + grok { + match => { "Image" => ".*\\%{GREEDYDATA:process_name}" } + tag_on_failure => [ "_Image__grokparsefailure", "_grokparsefailure", "_parsefailure" ] + } + } + mutate { + rename => { + "Image" => "process_path" + "ProcessGuid" => "process_guid" + "ProcessId" => "process_id" + } + gsub => [ "process_guid", "[{}]", "" ] + } + } + if [ParentImage] { + grok { + match => { "ParentImage" => ".*\\%{GREEDYDATA:process_parent_name}" } + tag_on_failure => [ "_ParentImage__grokparsefailure", "_grokparsefailure", "_parsefailure" ] + } + } + if [Hashes] { + kv { + source => "Hashes" + field_split => "," + value_split => "=" + prefix => "hash_" + transform_key => "lowercase" + } + } + if [TargetImage] { + grok { + match => { "SourceImage" => ".*\\%{GREEDYDATA:process_name}" } + tag_on_failure => [ "_SourceImage__grokparsefailure", "_grokparsefailure", "_parsefailure" ] + } + grok { + match => { "TargetImage" => ".*\\%{GREEDYDATA:target_process_name}" } + tag_on_failure => [ "_TargetImage__grokparsefailure", "_grokparsefailure", "_parsefailure" ] + } + mutate { + rename => { + "SourceImage" => "process_path" + "SourceProcessGUID" 
=> "process_guid" + "SourceProcessId" => "process_id" + "TargetImage" => "target_process_path" + "TargetProcessGUID" => "target_process_guid" + "TargetProcessId" => "target_process_id" + } + gsub => [ + "process_guid", "[{}]", "", + "target_process_guid", "[{}]", "" + ] + } + } + if [User] { + grok { + match => { "User" => "%{GREEDYDATA:user_domain}\\%{GREEDYDATA:user_name}" } + tag_on_failure => [ "_User__grokparsefailure", "_grokparsefailure", "_parsefailure" ] + } + } + if [event_id] == 1 { + mutate { + add_field => { "action" => "processcreate" } + rename => { + "CommandLine" => "process_command_line" + "CurrentDirectory" => "process_current_directory" + "ParentImage" => "process_parent_path" + "ParentCommandLine" => "process_parent_command_line" + "IntegrityLevel" => "process_integrity_level" + "LogonGuid" => "user_logon_guid" + "ParentProcessGuid" => "process_parent_guid" + "ParentProcessId" => "process_parent_id" + "TerminalSessionId" => "user_session_id" + "FileVersion" => "file_version" + "Description" => "file_description" + "Product" => "file_product" + "Company" => "file_company" + } + gsub => [ "process_parent_guid", "[{}]", "" ] + } + } + if [event_id] == 2 { + mutate { + add_field => { "action" => "filecreatetime" } + rename => { "TargetFileName" => "file_name" } + } + } + if [event_id] == 3 { + mutate { + add_field => { "action" => "networkconnect" } + rename => { + "DestinationHostname" => "dst_host_name" + "DestinationPort" => "dst_port" + "DestinationPortName" => "dst_port_name" + "Initiated" => "network_initiated" + "Protocol" => "network_protocol" + "SourceHostname" => "src_host_name" + "SourcePort" => "src_port" + "SourcePortName" => "src_port_name" + } + } + } + if [event_id] == 4 { + mutate { + add_field => { "action" => "sysmonservicestatechanged" } + rename => { + "State" => "service_state" + "Version" => "sysmon_version" + "SchemaVersion" => "sysmon_schema_version" + } + } + } + if [event_id] == 6 { + mutate { + add_field => { "action" => 
"driverload" } + rename => { + "ImageLoaded" => "driver_loaded" + "Signature" => "driver_signature" + "SignatureStatus" => "driver_signature_status" + "Signed" => "driver_signed" + } + } + } + if [event_id] == 7 { + mutate { + add_field => { "action" => "imageload" } + rename => { + "ImageLoaded" => "module_loaded" + "Signature" => "module_signature" + "SignatureStatus" => "module_signature_status" + "Signed" => "module_signed" + } + } + } + if [event_id] == 8 { + mutate { + add_field => { "action" => "createremotethread" } + rename => { + "NewThreadId" => "thread_new_id" + "StartAddress" => "thread_start_address" + "StartFunction" => "thread_start_function" + "StartModule" => "thread_start_module" + } + } + } + if [event_id] == 9 { + mutate { + add_field => { "action" => "rawaccessread" } + rename => { "Device" => "device_name" } + } + } + if [event_id] == 10 { + mutate { + add_field => { "action" => "processaccess" } + rename => { + "CallTrace" => "process_call_trace" + "GrantedAccess" => "process_granted_access" + "SourceThreadId" => "thread_id" + } + } + } + if [event_id] == 11 { + mutate { + add_field => { "action" => "filecreate" } + rename => { "TargetFilename" => "file_name" } + } + } + if [event_id] == 12 or [event_id] == 13 or [event_id] == 14 { + mutate { + add_field => { "action" => "registryevent" } + rename => { + "EventType" => "event_type" + "TargetObject" => "registry_key_path" + "Details" => "registry_key_value" + } + } + } + if [event_id] == 15 { + mutate { + add_field => { "action" => "filecreatestreamhash" } + rename => { + "TargetFilename" => "file_name" + "Hash" => "hash" + } + } + } + if [event_id] == 16 { + kv { + source => "ConfigurationFileHash" + value_split => "=" + prefix => "sysmon_config_hash_" + transform_key => "lowercase" + } + mutate { + add_field => { "action" => "sysmonconfigstatechanged" } + rename => { + "State" => "sysmon_configuration_state" + "Configuration" => "sysmon_configuration" + } + } + } + if [event_id] == 18 or 
[event_id] == 17 { + mutate { + add_field => { "action" => "pipeevent" } + rename => { "PipeName" => "pipe_name" } + } + } + if [event_id] == 19 or [event_id] == 20 or [event_id] == 21 { + mutate { + add_field => { "action" => "wmievent" } + rename => { + "EventType" => "wmi_event_type" + "Operation" => "wmi_operation" + "EventNamespace" => "wmi_namespace" + "Name" => "wmi_name" + "Query" => "wmi_query" + "Type" => "wmi_type" + "Destination" => "wmi_destination" + } + } + } + date { + timezone => "UTC" + match => [ "UtcTime", "YYYY-MM-dd HH:mm:ss.SSS" ] + tag_on_failure => [ "_sysmon_UtcTime_datefailure", "_sysmon_datefailure", "_dateparsefailure" ] + } + date { + timezone => "UTC" + match => [ "CreationUtcTime", "YYYY-MM-dd HH:mm:ss.SSS" ] + target => "@date_creation" + tag_on_failure => [ "_sysmon_CreationUtcTime_datefailure", "_sysmon_datefailure", "_dateparsefailure" ] + } + date { + timezone => "UTC" + match => [ "PreviousCreationUtcTime", "YYYY-MM-dd HH:mm:ss.SSS" ] + target => "@date_creation_previous" + tag_on_failure => [ "_sysmon_PreviousCreationUtcTime_datefailure", "_sysmon_datefailure", "_dateparsefailure" ] + } + mutate { + rename => { "User" => "user_account"} + remove_field => [ + "message", + "Hashes", + "ConfigurationFileHash", + "UtcTime", + "CreationUtcTime", + "PreviousCreationUtcTime", + "[user]" + ] + } + } +} + diff --git a/helk-logstash/pipeline/1532-winevent-security-filter.conf b/helk-logstash/pipeline/1532-winevent-security-filter.conf new file mode 100644 index 00000000..55cd5e29 --- /dev/null +++ b/helk-logstash/pipeline/1532-winevent-security-filter.conf 
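Review bot: The event 2 block renames `TargetFileName`, while the event 11 and 15 blocks rename `TargetFilename`; Logstash field references are case-sensitive and the Sysmon schema spells the field `TargetFilename` for all three events, so the event 2 rename is most likely dead and `file_name` is never populated for FileCreateTime events — `rename => { "TargetFilename" => "file_name" }`. The `if [Image]` fast path `=~ /^(\w*$)|^(\w*\..*$)/` copies the whole value into `process_name` for any string that starts with word characters followed by a dot, which would also match a relative path such as `dir.v2\tool.exe`; a comment stating the intent (a bare image name with no directory separator) would help, and testing for the absence of a backslash expresses it directly. `remove_field` drops `message` for every Sysmon event, so nothing downstream can recover a field these renames mis-parse; that is a defensible design choice, but the file header should state it, since the 1500 prune and 1522 lowercase steps also transform in place.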
@@ -0,0 +1,807 @@ +# HELK winevent-security filter conf file +# HELK build Stage: Alpha +# Author: Roberto Rodriguez (@Cyb3rWard0g) +# License: GPL-3.0 + +filter { + if [log_name] == "Security"{ + mutate { add_field => { "z_logstash_pipeline" => "1532" } } + if [ProcessName] { + grok { + match => { "ProcessName" => ".*\\%{GREEDYDATA:process_name}" } + tag_on_failure => [ "_ProcessName_grokparsefailure", "_grokparsefailure", "_parsefailure" ] + } + } + if [event_id] == 4611 { + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4611.md + mutate { + rename => { + "SubjectUserSid" => "user_sid" + "SubjectUserName" => "user_name" + "SubjectDomainName" => "user_domain" + "SubjectLogonId" => "user_logon_id" + "LogonProcessName" => "logon_process_name" + } + } + } + if [event_id] == 4616 { + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4616.md + mutate { + rename => { + "NewTime" => "@date_new_time" + "PreviousTime" => "@date_previous_time" + "SubjectUserSid" => "user_sid" + "SubjectUserName" => "user_name" + "SubjectDomainName" => "user_domain" + "SubjectLogonId" => "user_logon_id" + "ProcessId" => "process_id" + "ProcessName" => "process_path" + } + } + } + if [event_id] == 4624 { + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4624.md + mutate { + rename => { + "SubjectUserSid" => "user_reporter_sid" + "SubjectUserName" => "user_reporter_name" + "SubjectDomainName" => "user_reporter_domain" + "SubjectLogonId" => "reporter_logon_id" + "ProcessId" => "process_id" + "ProcessName" => "process_path" + "TargetLogonId" => "user_logon_id" + "LogonType" => "logon_type" + "RestrictedAdminMode" => "logon_restricted_adminmode" + "VirtualAccount" => "logon_virtual_account" + "ElevatedToken" => "logon_elevated_token" + "TargetUserName" => "user_name" + "TargetDomainName" => 
"user_domain" + "TargetLinkedLogonId" => "user_linked_logon_id" + "TargetOutboundDomainName" => "user_network_account_domain" + "TargetOutboundUserName" => "user_network_account_name" + "TargetUserSid" => "user_sid" + "ImpersonationLevel" => "impersonation_level" + "LogonGuid" => "user_logon_guid" + "WorkstationName" => "src_host_name" + "IpPort" => "src_port" + "LogonProcessName" => "logon_process_name" + "AuthenticationPackageName" => "logon_authentication_package_name" + "TransmittedServices" => "logon_transmitted_services" + "LmPackageName" => "logon_package_name" + "KeyLength" => "logon_key_length" + } + } + if "logon_elevated_token" == "Yes"{ + mutate { add_tag => ["elevated_logon"] } + } + } + if [event_id] == 4625 { + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4625.md + mutate { + rename => { + "SubjectUserSid" => "user_reporter_sid" + "SubjectUserName" => "user_reporter_name" + "SubjectDomainName" => "user_reporter_domain" + "SubjectLogonId" => "reporter_logon_id" + "ProcessId" => "process_id" + "ProcessName" => "process_path" + "LogonType" => "logon_type" + "TargetUserName" => "user_name" + "TargetDomainName" => "user_domain" + "TargetUserSid" => "user_sid" + "WorkstationName" => "src_host" + "IpPort" => "src_port" + "LogonProcessName" => "logon_process_name" + "AuthenticationPackageName" => "logon_authentication_package_name" + "TransmittedServices" => "logon_transmitted_services" + "LmPackageName" => "logon_package_name" + "KeyLength" => "logon_key_length" + "FailureReason" => "logon_failure_reason" + "Status" => "logon_failure_status" + "SubStatus" => "logon_failure_substatus" + } + } + if "logon_elevated_token" == "Yes"{ + mutate { add_tag => ["elevated_logon"] } + } + } + if [event_id] == 4627 { + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4627.md + mutate { + rename => { + "SubjectUserSid" => 
"user_reporter_sid" + "SubjectUserName" => "user_reporter_name" + "SubjectDomainName" => "user_reporter_domain" + "SubjectLogonId" => "reporter_logon_id" + "TargetLogonId" => "user_logon_id" + "LogonType" => "logon_type" + "TargetUserName" => "user_name" + "TargetDomainName" => "user_domain" + "TargetUserSid" => "user_sid" + "GroupMembership" => "user_group_membership" + } + remove_field => [ + "EventCountTotal", + "EventIdx" + ] + } + } + if [event_id] == 4634 { + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4634.md + mutate { + rename => { + "LogonType" => "logon_type" + "TargetDomainName" => "user_domain" + "TargetLogonId" => "user_logon_id" + "TargetUserName" => "user_name" + "TargetUserSid" => "user_sid" + } + } + } + if [event_id] == 4647 { + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4647.md + mutate { + rename => { + "TargetDomainName" => "user_domain" + "TargetLogonId" => "user_logon_id" + "TargetUserName" => "user_name" + "TargetUserSid" => "user_sid" + } + } + } + if [event_id] == 4648 { + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4648.md + mutate { + rename => { + "SubjectUserSid" => "user_sid" + "SubjectUserName" => "user_name" + "SubjectDomainName" => "user_domain" + "SubjectLogonId" => "user_logon_id" + "LogonGuid" => "user_logon_guid" + "TargetUserName" => "target_user_name" + "TargetDomainName" => "target_user_domain" + "ProcessId" => "process_id" + "ProcessName" => "process_path" + "TargetLogonId" => "target_user_logon_id" + "TargetServerName" => "service_host_name" + "TargetInfo" => "service_host_info" + "TargetLogonGuid" => "target_user_logon_guid" + "IpPort" => "src_port" + } + gsub => [ "target_user_logon_guid", "[{}]", "" ] + } + } + if [event_id] == 4656 { + # 
https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4656.md + mutate { + rename => { + "SubjectDomainName" => "user_domain" + "SubjectLogonId" => "user_logon_id" + "SubjectUserName" => "user_name" + "SubjectUserSid" => "user_sid" + "AccessList" => "object_access_list_requested" + "AccessMask" => "object_access_mask_requested" + "AccessReason" => "object_access_reason" + "ObjectName" => "object_name" + "ObjectServer" => "object_server" + "ObjectType" => "object_type" + "HandleId" => "object_access_handle_id" + "PrivilegeList" => "object_privilege_list" + "TransactionId" => "object_access_transaction_id" + "ProcessId" => "process_id" + "ProcessName" => "process_path" + "ResourceAttributes" => "object_resource_attributes" + "RestrictedSidCount" => "object_restricted_sid_count" + } + } + } + if [event_id] == 4657 { + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4657.md + mutate { + rename => { + "SubjectDomainName" => "user_domain" + "SubjectLogonId" => "user_logon_id" + "SubjectUserName" => "user_name" + "SubjectUserSid" => "user_sid" + "ObjectName" => "object_name" + "ObjectValueName" => "object_value_name" + "HandleId" => "object_access_handle_id" + "OperationType" => "object_operation_type" + "ProcessId" => "process_id" + "ProcessName" => "process_path" + "OldValueType" => "object_value_old_type" + "OldValue" => "object_value_old" + "NewValueType" => "object_value_new_type" + "NewValue" => "object_value_new" + } + } + } + if [event_id] == 4658 { + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4658.md + mutate { + rename => { + "SubjectDomainName" => "user_domain" + "SubjectLogonId" => "user_logon_id" + "SubjectUserName" => "user_name" + "SubjectUserSid" => "user_sid" + "ProcessId" => "process_id" + "ProcessName" => "process_path" + "ObjectServer" => "object_server" 
+ "HandleId" => "object_access_handle_id" + } + } + } + if [event_id] == 4661 or [event_id] == 4662 or [event_id] == 4663 { + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4661.md + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4662.md + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4663.md + mutate { + rename => { + "SubjectDomainName" => "user_domain" + "SubjectLogonId" => "user_logon_id" + "SubjectUserName" => "user_name" + "SubjectUserSid" => "user_sid" + "Properties" => "object_properties" + "AccessMask" => "object_access_mask_requested" + "HandleId" => "object_access_handle_id" + "ObjectName" => "object_name" + "ObjectServer" => "object_server" + "ObjectType" => "object_type" + "AdditionalInfo2" => "object_additional_info2" + "OperationType" => "object_operation_type" + "AdditionalInfo" => "object_additional_info" + "AccessList" => "object_access_list_requested" + "ResourceAttributes" => "object_resource_attributes" + "ProcessId" => "process_id" + "ProcessName" => "process_path" + "AccessReason" => "object_access_reason" + "PrivilegeList" => "object_privilege_list" + "TransactionId" => "object_access_transaction_id" + "RestrictedSidCount" => "object_restricted_sid_count" + } + } + } + if [event_id] == 4670 { + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4670.md + mutate { + rename => { + "SubjectDomainName" => "user_domain" + "SubjectLogonId" => "user_logon_id" + "SubjectUserName" => "user_name" + "SubjectUserSid" => "user_sid" + "ProcessId" => "process_id" + "ProcessName" => "process_path" + "HandleId" => "object_access_handle_id" + "NewSd" => "object_new_sddl" + "ObjectName" => "object_name" + "ObjectServer" => "object_server" + "ObjectType" => "object_type" + "OldSd" => 
"object_old_sddl" + } + } + } + if [event_id] == 4672 { + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4672.md + mutate { + rename => { + "PrivilegeList" => "logon_privileges_assigned" + "SubjectDomainName" => "user_domain" + "SubjectLogonId" => "user_logon_id" + "SubjectUserName" => "user_name" + "SubjectUserSid" => "user_sid" + } + } + } + if [event_id] == 4673 { + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4673.md + mutate { + rename => { + "PrivilegeList" => "service_privilege_list" + "ObjectServer" => "object_server" + "Service" => "service_name" + "SubjectDomainName" => "user_domain" + "SubjectLogonId" => "user_logon_id" + "SubjectUserName" => "user_name" + "SubjectUserSid" => "user_sid" + "ProcessId" => "process_id" + "ProcessName" => "process_path" + } + } + } + if [event_id] == 4674 { + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4674.md + mutate { + rename => { + "SubjectDomainName" => "user_domain" + "SubjectLogonId" => "user_logon_id" + "SubjectUserName" => "user_name" + "SubjectUserSid" => "user_sid" + "ProcessId" => "process_id" + "ProcessName" => "process_path" + "AccessMask" => "object_access_mask_requested" + "HandleId" => "object_access_handle_id" + "ObjectName" => "object_name" + "ObjectServer" => "object_server" + "ObjectType" => "object_type" + "PrivilegeList" => "object_privilege_list" + } + } + } + if [event_id] == 4688 { + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4688.md + grok { + match => { "NewProcessName" => ".*\\%{GREEDYDATA:process_name}" } + tag_on_failure => [ "_NewProcessName_grokparsefailure", "_grokparsefailure", "_parsefailure" ] + } + if [ParentProcessName] { + grok { + match => { "ParentProcessName" => ".*\\%{GREEDYDATA:process_parent_name}" 
} + tag_on_failure => [ "_ParentProcessName_grokparsefailure", "_grokparsefailure", "_parsefailure" ] + } + } + mutate { + rename => { + "NewProcessId" => "process_id" + "NewProcessName" => "process_path" + "CommandLine" => "command_line" + "ParentProcessName" => "process_parent_path" + "SubjectDomainName" => "user_domain" + "SubjectLogonId" => "user_logon_id" + "SubjectUserName" => "user_name" + "SubjectUserSid" => "user_sid" + "TargetDomainName" => "user_principal_domain" + "TargetUserSid" => "user_principal_sid" + "TargetUserName" => "user_principal_name" + "TargetLogonId" => "user_principal_id" + "MandatoryLabel" => "process_mandatory_level" + "ProcessId" => "process_parent_id" + "TokenElevationType" => "process_token_elevation_type" + } + } + } + if [event_id] == 4689 { + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4689.md + mutate { + rename => { + "SubjectDomainName" => "user_domain" + "SubjectLogonId" => "user_logon_id" + "SubjectUserName" => "user_name" + "SubjectUserSid" => "user_sid" + "ProcessId" => "process_id" + "ProcessName" => "process_path" + "Status" => "process_status" + } + } + } + if [event_id] == 4690 { + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4690.md + mutate { + rename => { + "SubjectDomainName" => "user_domain" + "SubjectLogonId" => "user_logon_id" + "SubjectUserName" => "user_name" + "SubjectUserSid" => "user_sid" + "SourceHandleId" => "process_handle_id" + "SourceProcessId" => "process_id" + "TargetHandleId" => "target_process_handle_id" + "TargetProcessId" => "target_process_id" + } + } + } + if [event_id] == 4697 { + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4697.md + mutate { + rename => { + "SubjectDomainName" => "user_domain" + "SubjectLogonId" => "user_logon_id" + "SubjectUserName" => "user_name" + 
"SubjectUserSid" => "user_sid" + "ServiceAccount" => "service_account_name" + "ServiceFileName" => "service_image_path" + "ServiceName" => "service_name" + "ServiceStartType" => "service_start_type" + "ServiceType" => "service_type" + } + } + } + if [event_id] == 4701 or [event_id] == 4702 { + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4701.md + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4702.md + mutate { + rename => { + "SubjectDomainName" => "user_domain" + "SubjectLogonId" => "user_logon_id" + "SubjectUserName" => "user_name" + "SubjectUserSid" => "user_sid" + "TaskContentNew" => "task_new_content" + "TaskName" => "task_name" + } + } + } + if [event_id] == 4703 { + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4703.md + mutate { + rename => { + "SubjectDomainName" => "user_domain" + "SubjectLogonId" => "user_logon_id" + "SubjectUserName" => "user_name" + "SubjectUserSid" => "user_sid" + "TargetDomainName" => "user_target_domain" + "TargetLogonId" => "user_target_logon_id" + "TargetUserSid" => "user_target_sid" + "TargetUserName" => "user_target_name" + "DisabledPrivilegeList" => "user_target_disabled_privilegelist" + "EnabledPrivilegeList" => "user_target_enabled_privilegelist" + "ProcessId" => "process_id" + "ProcessName" => "process_path" + } + } + } + if [event_id] == 4719 { + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4719.md + mutate { + rename => { + "SubjectDomainName" => "user_domain" + "SubjectLogonId" => "user_logon_id" + "SubjectUserName" => "user_name" + "SubjectUserSid" => "user_sid" + "AuditPolicyChanges" => "policy_changes" + "CategoryId" => "policy_category_id" + "SubcategoryGuid" => "policy_subcategory_guid" + "SubcategoryId" => "policy_subcategory_id" + } + } 
+ } + if [event_id] == 4724 or [event_id] == 4725 { + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4724.md + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4725.md + mutate { + rename => { + "SubjectDomainName" => "user_domain" + "SubjectLogonId" => "user_logon_id" + "SubjectUserName" => "user_name" + "SubjectUserSid" => "user_sid" + "TargetDomainName" => "user_target_domain" + "TargetSid" => "user_target_sid" + "TargetUserName" => "user_target_name" + } + } + } + if [event_id] == 4726 { + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4726.md + mutate { + rename => { + "SubjectDomainName" => "user_domain" + "SubjectLogonId" => "user_logon_id" + "SubjectUserName" => "user_name" + "SubjectUserSid" => "user_sid" + "TargetDomainName" => "user_target_domain" + "TargetSid" => "user_target_sid" + "TargetUserName" => "user_target_name" + "PrivilegeList" => "user_privilege_list" + } + } + } + if [event_id] == 4728 or [event_id] == 4729 { + mutate { + rename => { + "SubjectDomainName" => "user_domain" + "SubjectLogonId" => "user_logon_id" + "SubjectUserName" => "user_name" + "SubjectUserSid" => "user_sid" + "TargetDomainName" => "group_domain" + "TargetSid" => "group_sid" + "TargetUserName" => "group_name" + "MemberName" => "group_member_name" + "MemberSid" => "group_member_sid" + "PrivilegeList" => "group_privilege_list" + } + } + } + if [event_id] == 4732 or [event_id] == 4733 { + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4732.md + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4733.md + mutate { + rename => { + "SubjectDomainName" => "user_domain" + "SubjectLogonId" => "user_logon_id" + "SubjectUserName" => "user_name" + 
"SubjectUserSid" => "user_sid" + "TargetDomainName" => "group_domain" + "TargetSid" => "group_sid" + "TargetUserName" => "group_name" + "MemberName" => "group_member_name" + "MemberSid" => "group_member_sid" + "PrivilegeList" => "group_privilege_list" + } + } + } + if [event_id] == 4738 or [event_id] == 4720 { + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4738.md + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4720.md + mutate { + rename => { + "SubjectDomainName" => "user_domain" + "SubjectLogonId" => "user_logon_id" + "SubjectUserName" => "user_name" + "SubjectUserSid" => "user_sid" + "TargetDomainName" => "user_target_domain" + "TargetSid" => "user_target_sid" + "TargetUserName" => "user_target_name" + "AccountExpires" => "user_attribute_account_expires" + "AllowedToDelegateTo" => "user_attribute_allowed_todelegate" + "DisplayName" => "user_attribute_display_name" + "Dummy" => "user_attribute_dummy" + "HomeDirectory" => "user_attribute_home_directory" + "HomePath" => "user_attribute_home_path" + "LogonHours" => "user_attribute_logon_hours" + "NewUacValue" => "user_attribute_new_uacvalue" + "OldUacValue" => "user_attribute_old_uacvalue" + "PasswordLastSet" => "user_attribute_password_lastset" + "PrimaryGroupId" => "[user_attribute_primary_group_id" + "PrivilegeList" => "user_attribute_privilege_list" + "ProfilePath" => "user_attribute_profile_path" + "SamAccountName" => "user_attribute_samaccount_name" + "ScriptPath" => "user_attribute_script_path" + "SidHistory" => "user_attribute_sid_history" + } + } + } + if [event_id] == 4768 or [event_id] == 4769 { + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4768.md + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4769.md + # 
https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4771.md + mutate { + rename => { + "TargetDomainName" => "user_domain" + "TargetUserName" => "user_name" + "IpPort" => "src_port" + "PreAuthType" => "service_ticket_preauthtype" + "LogonGuid" => "user_logon_guid" + "ServiceName" => "service_ticket_name" + "ServiceSid" => "service_ticket_id" + "Status" => "service_ticket_status" + "TicketEncryptionType" => "ticket_encryption_type" + "TicketOptions" => "ticket_options" + "FailureCode" => "ticket_failure_code" + "TransmittedServices" => "service_ticket_requested" + "TargetSid" => "user_sid" + } + } + } + if [event_id] == 4797 { + mutate { + rename => { + "SubjectDomainName" => "user_domain" + "SubjectLogonId" => "user_logon_id" + "SubjectUserName" => "user_name" + "SubjectUserSid" => "user_sid" + "TargetDomainName" => "service_enumerated_domain" + "TargetUserName" => "service_enumerated_name" + "Workstation" => "host_name" + } + } + } + if [event_id] == 4798 { + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4798.md + mutate { + rename => { + "CallerProcessId" => "process_id" + "CallerProcessName" => "process_path" + "SubjectDomainName" => "user_domain" + "SubjectLogonId" => "user_logon_id" + "SubjectUserName" => "user_name" + "SubjectUserSid" => "user_sid" + "TargetDomainName" => "user_domain_enumerated" + "TargetSid" => "user_sid_enumerated" + "TargetUserName" => "user_name_enumerated" + } + } + } + if [event_id] == 4799 { + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4799.md + mutate { + rename => { + "CallerProcessId" => "process_id" + "CallerProcessName" => "process_path" + "SubjectDomainName" => "user_domain" + "SubjectLogonId" => "user_logon_id" + "SubjectUserName" => "user_name" + "SubjectUserSid" => "user_sid" + "TargetDomainName" => "group_domain_enumerated" 
+ "TargetSid" => "group_sid_enumerated" + "TargetUserName" => "group_name_enumerated" + } + } + } + if [event_id] == 4800 or [event_id] == 4801 { + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4800.md + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4801.md + mutate { + rename => { + "TargetDomainName" => "user_domain" + "TargetUserSid" => "user_sid" + "TargetUserName" => "user_name" + "TargetLogonId" => "user_logon_id" + "SessionId" => "user_session_id" + } + } + } + if [event_id] == 4907 { + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4907.md + mutate { + rename => { + "SubjectDomainName" => "user_domain" + "SubjectLogonId" => "user_logon_id" + "SubjectUserName" => "user_name" + "SubjectUserSid" => "user_sid" + "ProcessId" => "process_id" + "ProcessName" => "process_path" + "HandleId" => "object_access_handle_id" + "NewSd" => "object_new_sddl" + "ObjectName" => "object_name" + "ObjectServer" => "object_server" + "ObjectType" => "object_type" + "OldSd" => "object_old_sddl" + } + } + } + if [event_id] == 4957 { + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4957.md + mutate { + rename => { + "RuleAttr" => "firewall_rule_attr" + "RuleId" => "firewall_rule_id" + "RuleName" => "firewall_rule_name" + } + } + } + if [event_id] == 5058 or [event_id] == 5059 or [event_id] == 5061 { + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5058.md + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5059.md + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5061.md + mutate { + rename => { + 
"SubjectDomainName" => "user_domain" + "SubjectLogonId" => "user_logon_id" + "SubjectUserName" => "user_name" + "SubjectUserSid" => "user_sid" + "AlgorithmName" => "key_algorithm_name" + "KeyName" => "key_name" + "KeyType" => "key_type" + "Operation" => "key_operation" + "ProviderName" => "key_provider_name" + "ReturnCode" => "key_return_code" + } + } + } + if [event_id] == 5136 { + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5136.md + mutate { + rename => { + "SubjectDomainName" => "user_domain" + "SubjectLogonId" => "user_logon_id" + "SubjectUserName" => "user_name" + "SubjectUserSid" => "user_sid" + "OpCorrelationID" => "dsoperation_correlation_id" + "AppCorrelationID" => "dsoperation_app_correlation_id" + "DSName" => "dsobject_domain" + "DSType" => "dsobject_domain_type" + "ObjectDN" => "dsobject_dn" + "ObjectGUID" => "dsobject_guid" + "ObjectClass" => "dsobject_class" + "AttributeLDAPDisplayName" => "dsobject_attribute_name" + "AttributeSyntaxOID" => "dsobject_attribute_type" + "AttributeValue" => "dsobject_attribute_value" + "OperationType" => "dsoperation_type" + } + } + } + if [event_id] == 5140 or [event_id] == 5145 { + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5140.md + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5145.md + mutate { + rename => { + "SubjectDomainName" => "user_domain" + "SubjectLogonId" => "user_logon_id" + "SubjectUserName" => "user_name" + "SubjectUserSid" => "user_sid" + "AccessList" => "object_access_list_requested" + "AccessMask" => "object_access_mask_requested" + "AccessReason" => "user_access_reason" + "IpPort" => "src_port" + "ObjectType" => "object_type" + "RelativeTargetName" => "share_relative_target_name" + "ShareLocalPath" => "share_local_path" + "ShareName" => "share_name" + } + } + } + if [event_id] == 5152 or 
[event_id] == 5154 or [event_id] == 5156 or [event_id] == 5158 or [event_id] == 5157 { + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5152.md + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5154.md + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5156.md + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5157.md + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5158.md + grok { + match => { + "Application" => ".*\\%{GREEDYDATA:process_name}" + } + tag_on_failure => [ "_Application_grokparsefailure", "_grokparsefailure", "_parsefailure" ] + } + mutate { + rename => { + "Application" => "process_path" + "DestPort" => "dst_port" + "Direction" => "network_direction" + "FilterRTID" => "network_filter_rtid" + "LayerName" => "network_layer_name" + "LayerRTID" => "network_layer_rtid" + "ProcessID" => "process_id" + "Protocol" => "network_protocol" + "RemoteMachineID" => "dst_host_name_id" + "RemoteUserID" => "dst_user_id" + "SourcePort" => "src_port" + "ProcessId" => "process_id" + } + } + } + if [event_id] == 5447 { + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5447.md + mutate { + rename => { + "SubjectDomainName" => "user_domain" + "SubjectLogonId" => "user_logon_id" + "SubjectUserName" => "user_name" + "SubjectUserSid" => "user_sid" + "AccessList" => "object_access_list_requested" + "AccessMask" => "object_access_mask_requested" + "AccessReason" => "user_access_reason" + "IpPort" => "src_port" + "ObjectType" => "object_type" + "RelativeTargetName" => "share_relative_target_name" + "ShareLocalPath" => "share_local_path" + "ShareName" => "share_name" + "Action" 
=> "filtering_action" + "CalloutKey" => "filtering_callout_key" + "CalloutName" => "filtering_callout_name" + "ChangeType" => "filtering_change_type" + "Conditions" => "filtering_conditions" + "FilterId" => "filtering_id" + "FilterKey" => "filtering_key" + "FilterName" => "filtering_name" + "FilterType" => "filtering_type" + "LayerId" => "filtering_layer_id" + "LayerKey" => "filtering_layer_key" + "LayerName" => "filtering_layer_name" + "ProcessId" => "process_id" + "ProviderKey" => "filtering_provider_key" + "ProviderName" => "filtering_provider_name" + "UserName" => "user_name" + "UserSid" => "user_sid" + "Weight" => "filtering_weight" + } + } + } + if [event_id] == 6416 { + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-6416.md + mutate { + rename => { + "SubjectDomainName" => "user_domain" + "SubjectLogonId" => "user_logon_id" + "SubjectUserName" => "user_name" + "SubjectUserSid" => "user_sid" + "ClassId" => "device_class_id" + "ClassName" => "device_class_name" + "CompatibleIds" => "device_compatible_ids" + "DeviceDescription" => "device_description" + "DeviceId" => "device_id" + "LocationInformation" => "device_location_information" + "VendorIds" => "device_vendor_ids" + } + } + } + mutate { rename => { "computer_name" => "host_name" } } + } +} + diff --git a/helk-logstash/pipeline/13-winevent-system-filter.conf b/helk-logstash/pipeline/1533-winevent-system-filter.conf similarity index 50% rename from helk-logstash/pipeline/13-winevent-system-filter.conf rename to helk-logstash/pipeline/1533-winevent-system-filter.conf index f64c9e59..0bc5a302 100644 --- a/helk-logstash/pipeline/13-winevent-system-filter.conf +++ b/helk-logstash/pipeline/1533-winevent-system-filter.conf 
@@ -5,29 +5,32 @@ filter { if [log_name] == "System" { + mutate { add_field => { "z_logstash_pipeline" => "1533" } } if [event_id] == 7045 { # https://cyberwardog.blogspot.com/2017/04/chronicles-of-threat-hunter-hunting-for_11.html mutate { rename => { - "[event_data][AccountName]" => "service_account_name" - "[event_data][ImagePath]" => "service_image_path" - "[event_data][ServiceName]" => "service_name" - "[event_data][ServiceType]" => "service_type" - "[event_data][StartType]" => "service_start_type" + "AccountName" => "service_account_name" + "ImagePath" => "service_image_path" + "ServiceName" => "service_name" + "ServiceType" => "service_type" + "StartType" => "service_start_type" } - add_tag => ["new_service"] - remove_field => ["message"] - remove_field => "host" - remove_field => "process_id" + add_tag => [ "new_service" ] + remove_field => [ + "message", + "host", + "process_id" + ] } } if [event_id] == 16 { mutate { rename => { - "[event_data][HiveName]" => "hive_name" - "[event_data][HiveNameLength]" => "hive_name_length" - "[event_data][KeysUpdated]" => "hive_keys_updated" - "[event_data][DirtyPages]" => "hive_dirty_pages" + "HiveName" => "hive_name" + "HiveNameLength" => "hive_name_length" + "KeysUpdated" => "hive_keys_updated" + "DirtyPages" => "hive_dirty_pages" } } } diff --git a/helk-logstash/pipeline/14-winevent-application-filter.conf b/helk-logstash/pipeline/1534-winevent-application-filter.conf similarity index 61% rename from helk-logstash/pipeline/14-winevent-application-filter.conf rename to helk-logstash/pipeline/1534-winevent-application-filter.conf index 32de1bc4..1e12b477 100644 --- a/helk-logstash/pipeline/14-winevent-application-filter.conf +++ b/helk-logstash/pipeline/1534-winevent-application-filter.conf 
@@ -6,19 +6,16 @@ filter { if [log_name] == "Application"{ if [source_name] == "Microsoft-Windows-Security-SPP"{ + mutate { add_field => { "z_logstash_pipeline" => "1534" } } if [event_id] == 16384 { mutate { rename => { - "[event_data][param1]" => "spp_restart_scheduled" - "[event_data][param2]" => "spp_restart_reason" + "param1" => "spp_restart_scheduled" + "param2" => "spp_restart_reason" } } } } - mutate { - rename => { - "computer_name" => "host_name" - } - } + mutate { rename => { "computer_name" => "host_name" } } } } \ No newline at end of file diff --git a/helk-logstash/pipeline/15-winevent-wmiactivity-filter.conf b/helk-logstash/pipeline/1535-winevent-wmiactivity-filter.conf similarity index 97% rename from helk-logstash/pipeline/15-winevent-wmiactivity-filter.conf rename to helk-logstash/pipeline/1535-winevent-wmiactivity-filter.conf index 44c3a024..c9b9ec5a 100644 --- a/helk-logstash/pipeline/15-winevent-wmiactivity-filter.conf +++ b/helk-logstash/pipeline/1535-winevent-wmiactivity-filter.conf @@ -5,6 +5,7 @@ filter { if [log_name] == "Microsoft-Windows-WMI-Activity/Operational"{ + mutate { add_field => { "z_logstash_pipeline" => "1535" } } mutate { rename => { "[user][domain]" => "user_reporter_domain" @@ -14,10 +15,10 @@ filter { "computer_name" => "host_name" } } - if [event_data][User] { + if [User] { grok { - match => { "[event_data][User]" => "%{GREEDYDATA:user_domain}\\%{GREEDYDATA:user_name}" } - tag_on_failure => [ "_grokparsefailure", "_parsefailure" ] + match => { "User" => "%{GREEDYDATA:user_domain}\\%{GREEDYDATA:user_name}" } + tag_on_failure => [ "_User_grokparsefailure", "_grokparsefailure", "_parsefailure" ] } } @@ -236,11 +237,7 @@ filter { } # Common to all events - mutate { - convert => { - "process_id" => "integer" - } - } + mutate { convert => { "process_id" => "integer" } } } } 
diff --git a/helk-logstash/pipeline/1543-winevent-conversions-process-cli-filter.conf b/helk-logstash/pipeline/1543-winevent-conversions-process-cli-filter.conf
new file mode 100644
index 00000000..4774eb99
--- /dev/null
+++ b/helk-logstash/pipeline/1543-winevent-conversions-process-cli-filter.conf
@@ -0,0 +1,42 @@
+filter {
+
+ if [event_id] {
+
+ if [user_logon_id] {
+ mutate { add_field => { "z_logstash_pipeline" => "1543_1" } }
+ mutate { gsub => [ "user_logon_id", "0x", "" ]}
+ ruby {
+ code => "event.set('user_logon_id', event.get('user_logon_id').to_s.hex)"
+ tag_on_exception => "_rubyexception_1543_1"
+ }
+ }
+ if [process_id] {
+ mutate { add_field => { "z_logstash_pipeline" => "1543_2" } }
+ mutate { gsub => [ "process_id", "0x", "" ]}
+ ruby {
+ code => "event.set('process_id', event.get('process_id').to_s.hex)"
+ tag_on_exception => "_rubyexception_1543_2"
+ }
+ }
+ if [process_parent_id] {
+ mutate { add_field => { "z_logstash_pipeline" => "1543_3" } }
+ mutate { gsub => [ "process_parent_id", "0x", "" ]}
+ ruby {
+ code => "event.set('process_parent_id', event.get('process_parent_id').to_s.hex)"
+ tag_on_exception => "_rubyexception_1543_3"
+ }
+ }
+ if [target_process_id] {
+ mutate { add_field => { "z_logstash_pipeline" => "1543_4" } }
+ mutate { gsub => [ "target_process_id", "0x", "" ]}
+ ruby {
+ code => "event.set('target_process_id', event.get('target_process_id').to_s.hex)"
+ tag_on_exception => "_rubyexception_1543_4"
+ }
+ }
+ if [ProdessName] {
+ mutate { rename => { "ProdessName" => "ProcessName" } }
+ }
+
+ }
+}
\ No newline at end of file
diff --git a/helk-logstash/pipeline/1544-winevent-cleanup-other.conf b/helk-logstash/pipeline/1544-winevent-cleanup-other.conf
new file mode 100644
index 00000000..e139e488
--- /dev/null
+++ b/helk-logstash/pipeline/1544-winevent-cleanup-other.conf
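Review bot: The `.to_s.hex` conversions in this hunk reinterpret any id that an upstream filter already normalised as decimal, because `String#hex` parses the whole string as base 16: the wmiactivity filter in this same commit does `mutate { convert => { "process_id" => "integer" } }`, so a process_id of 1234 from that source becomes `'1234'.hex` = 4660 once this filter runs on every event carrying `[event_id]` (assuming the pipeline files are concatenated in filename order, as the numbering suggests). The `gsub` stripping `0x` is redundant, since `hex` accepts the prefix; what matters is whether the prefix was present, so guard each conversion with it instead, e.g. `if [process_id] =~ /^0x/ { ... }` around the ruby block, and the same for `user_logon_id`, `process_parent_id` and `target_process_id`. The `"ProdessName" => "ProcessName"` rename at the end of the hunk runs after the 15xx filters have already renamed `ProcessName` to `process_path`, so the corrected field is never normalised; renaming it directly to `process_path` here, or moving the fix into a filter that precedes them, would close that gap.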
@@ -0,0 +1,8 @@
+filter {
+ if [event_id] {
+ if [user_logon_guid] {
+ mutate { add_field => { "z_logstash_pipeline" => "1544" } }
+ mutate { gsub => [ "user_logon_guid", "[{}]", "" ] }
+ }
+ }
+}
\ No newline at end of file
diff --git a/helk-logstash/pipeline/2511-winevent-powershell-filter.conf b/helk-logstash/pipeline/2511-winevent-powershell-filter.conf
new file mode 100644
index 00000000..5ecc5ad2
--- /dev/null
+++ b/helk-logstash/pipeline/2511-winevent-powershell-filter.conf
@@ -0,0 +1,207 @@ +# HELK powershell filter conf file +# HELK build Stage: Alpha +# Author: Roberto Rodriguez (@Cyb3rWard0g) +# License: GPL-3.0 + +# Reference: +# Nate Guagenti (@neu5ron) https://gist.github.com/neu5ron/450289373db61d5c8d7378e79455ef07#file-511-windows-event-powershell-operational-conf + +filter { + if [source_name] == "Microsoft-Windows-PowerShell" or [source_name] == "PowerShell" { + if [event_id] == 4103 { + mutate { add_field => { "z_logstash_pipeline" => "2511_1" } } + mutate { + add_field => { + "PayloadInvocation" => "%{Payload}" + "PayloadParams" => "%{Payload}" + } + gsub => [ + "ContextInfo", " ", "", + "ContextInfo", " = ", "=" + ] + } + kv { + source => "ContextInfo" + field_split => "\r\n" + value_split => "=" + remove_char_key => " " + allow_duplicate_values => false + include_keys => [ + "Severity", + "HostName", + "HostVersion", + "HostID", + "HostApplication", + "EngineVersion", + "RunspaceID", + "PipelineID", + "CommandName", + "CommandType", + "ScriptName", + "CommandPath", + "SequenceNumber", + "ConnectedUser", + "ShellID" + ] + } + mutate { + gsub => [ + "PayloadInvocation", "CommandInvocation\(.*\)", "CommandInvocation", + "PayloadInvocation", "ParameterBinding.*\r\n", "", + "PayloadParams", "CommandInvocation.*\r\n", "", + "PayloadParams", "ParameterBinding\(\S+\): ", "|||SPLITMEHEHE|||", + "Payload", "CommandInvocation.*\r\n", "", + "Payload", "ParameterBinding.*\r\n", "" + ] + } + kv { + source => "PayloadInvocation" + field_split => "\n" + value_split => ":" + allow_duplicate_values => false + target => "[powershell]" + include_keys => [ "CommandInvocation" ] + } + ruby { + code => " + params_split = event.get('PayloadParams').split('|||SPLITMEHEHE|||') + params_split = params_split.drop(1) + params_split_length = params_split.length + all_names = Array.new + all_values = Array.new + all_values_non_alphanumeric = Array.new + all_contains_net = Array.new + all_ascii_only = Array.new + + for param in params_split + 
slice_and_dice = param.index('; value=') + param_name = param.slice(6..slice_and_dice-2) + param_value = param.slice(param.index('value=')..-1)[6..-1] + param_value = param_value.strip + param_value[0] = '' + param_value[-1] = '' + value_non_alphanumeric = param_value.gsub(/[A-Za-z0-9\s]+/i, '') + value_lowercased = param_value.downcase + if !param_value.nil? + all_values.push(param_value) + all_values_non_alphanumeric.push(value_non_alphanumeric) + end + if !param_name.nil? + all_names.push(param_name) + end + end + all_names = all_names.uniq + all_values = all_values.uniq + all_values_non_alphanumeric = all_values_non_alphanumeric.uniq + event.set('[powershell][param][name]', all_names) + event.set('[powershell][param][value]', all_values) + event.set('[powershell][param][value_nonalphanumeric]', all_values_non_alphanumeric) + " + tag_on_exception => "_rubyexception_2511_1" + } + prune { blacklist_values => [ "Payload", "^$" ] } + mutate { + rename => { + "CommandName" => "[powershell][command][name]" + "CommandPath" => "[powershell][command][path]" + "CommandType" => "[powershell][command][type]" + "ConnectedUser" => "[powershell][connected_user]" + "EngineVersion" => "[powershell][engine_version]" + "HostApplication" => "[powershell][host][application]" + "HostID" => "[powershell][host][id]" + "HostName" => "[powershell][host][name]" + "HostVersion" => "[powershell][host][version]" + "PipelineID" => "[powershell][pipeline_id]" + "RunspaceID" => "[powershell][runspace_id]" + "Scriptname" => "[powershell][script][name]" + "SequenceNumber" => "[powershell][sequence_number]" + "ShellID" => "[powershell][shell_id]" + "Payload" => "[powershell][remaining_payload]" + } + remove_field => [ + "Severity", + "EventType", + "Keywords", + "message", + "Opcode", + "PayloadInvocation", + "PayloadParams", + "Payload", + "ContextInfo" + ] + convert => { + "[powershell][pipeline_id]" => "integer" + "[powershell][sequence_number]" => "integer" + } + } + } + if [event_id] == 4104 
{ + mutate { add_field => { "z_logstash_pipeline" => "2511_2" } } + if [ScriptBlockText] { + mutate { remove_field => [ "message" ] } + } + else { + # Lets use GSUB to make sure we can get things to split on / make it easier more efficient to split on + grok { + match => { + "message" => "^Creating Scriptblock text \(%{INT:MessageNumber} of %{INT:MessageTotal}\):\r\n%{GREEDYDATA:ScriptBlockText}\r\n\r\nScriptBlock ID: %{UUID:ScriptBlockId}\r\nPath: %{DATA:Path}$" + } + break_on_match => true + keep_empty_captures => false + named_captures_only => true + # Sometimes the ScriptBlockText literally could be empty, so you may see this in _grokparesfailure and would then cause a ruby failure below. + tag_on_failure => [ "_grokparsefailure", "_parsefailure" ] + tag_on_timeout => "_groktimeout" + # Timeout 1.5 seconds + timeout_millis => 1500 + remove_field => [ "message" ] + } + } + mutate { + rename => { + "MessageNumber" => "[powershell][scriptblock][message_number]" + "MessageTotal" => "[powershell][scriptblock][message_total]" + "ScriptBlockId" => "[powershell][scriptblock][id]" + "ScriptBlockText" => "[powershell][scriptblock][text]" + "Path" => "[powershell][script][path]" + } + } + } + if [event_id] == 400 or [event_id] == 600 { + kv { + source => "param3" + field_split => "\n" + value_split => "=" + trim_key => "\t" + allow_duplicate_values => false + } + mutate { + rename => { + "ProviderName" => "[powershell][providername]" + "NewProviderState" => "[powershell][newproviderstate]" + "SequenceNumber" => "[powershell][sequence_number]" + "HostName" => "[powershell][host][name]" + "HostVersion" => "[powershell][host][version]" + "HostId" => "[powershell][host][id]" + "HostApplication" => "[powershell][host][application]" + "EngineVersion" => "[powershell][engine_version]" + "RunspaceId" => "[powershell][runspace_id]" + "PipelineId" => "[powershell][pipeline_id]" + "CommandName" => "[powershell][command][name]" + "CommandType" => "[powershell][command][type]" + 
"ScriptName" => "[powershell][script][name]" + "CommandPath" => "[powershell][command][path]" + "CommandLine" => "[powershell][command][line]" + "NewEngineState" => "[powershell][newengine_state]" + "PreviousEngineState" => "[powershell][previousengine_state]" + } + remove_field => [ + "message", + "param1", + "param2", + "param3" + ] + } + } + } +} diff --git a/helk-logstash/pipeline/16-winevent-security-schtasks-filter.conf b/helk-logstash/pipeline/2512-winevent-security-schtasks-filter.conf similarity index 97% rename from helk-logstash/pipeline/16-winevent-security-schtasks-filter.conf rename to helk-logstash/pipeline/2512-winevent-security-schtasks-filter.conf index 0dd72d05..9eec12af 100644 --- a/helk-logstash/pipeline/16-winevent-security-schtasks-filter.conf +++ b/helk-logstash/pipeline/2512-winevent-security-schtasks-filter.conf @@ -6,7 +6,7 @@ filter { if [log_name] == "Security" { # event_id 4698 for Created Scheduled Task if [event_id] == 4698 { - mutate { add_field => { "z_logstash_pipeline" => "0511" } } + mutate { add_field => { "z_logstash_pipeline" => "2512" } } # Copy Message field incase we bork/mess it up mutate { copy => { "Message" => "deleteme" } } # #TONOTE: encoding is UTF-16 diff --git a/helk-logstash/pipeline/8012-dst-ip-cleanups-filter.conf b/helk-logstash/pipeline/8012-dst-ip-cleanups-filter.conf new file mode 100644 index 00000000..cef874c3 --- /dev/null +++ b/helk-logstash/pipeline/8012-dst-ip-cleanups-filter.conf 
@@ -0,0 +1,81 @@ +filter { + #TONOTE: On all IPs below, even though we have determined that it is IPv4 and IPv6 and will alter rename the field if it is an IPv6 address differently than IPv4 -- We still need to keep it as that single field for this configuration -- because sometimes a single IP type can already have both IPv6 and IPv4 from before -- examples are Cisco ASA Logs and Windows EventID "4769" in Channel "Security" + + if [dst_ip_addr] { + # Add pipeline field + mutate { add_field => { "z_logstash_pipeline" => "8012" } } + ruby { + code => " + temp_ip_addresses = event.get('dst_ip_addr') + ip_addresses = Array.new + + # Determine if the IP field is an array if not make it an array + if temp_ip_addresses.is_a? Enumerable + ip_addresses = temp_ip_addresses.uniq + else + ip_addresses.push(temp_ip_addresses) + end + + clean_ip_addresses_v4 = Array.new + clean_ip_addresses_v6 = Array.new + not_ip_addresses = Array.new + + ipv6_regex = /((([0-9a-f]{1,4}:){7}([0-9a-f]{1,4}|:))|(([0-9a-f]{1,4}:){6}(:[0-9a-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9a-f]{1,4}:){5}(((:[0-9a-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9a-f]{1,4}:){4}(((:[0-9a-f]{1,4}){1,3})|((:[0-9a-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){3}(((:[0-9a-f]{1,4}){1,4})|((:[0-9a-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){2}(((:[0-9a-f]{1,4}){1,5})|((:[0-9a-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){1}(((:[0-9a-f]{1,4}){1,6})|((:[0-9a-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9a-f]{1,4}){1,7})|((:[0-9a-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?/ + + for ip_address in 
ip_addresses + #### General Cleanup + # Remove ending '.' + ip_address = ip_address.chomp + # Remove preceeding '.'# Don't ask.. reverse + chomp + reverse up to 16 times faster + ip_address = ip_address.reverse.chomp('.').reverse + # Remove ending or beginning whitespace + ip_address = ip_address.lstrip.rstrip + # Remove things that would make an IP a share but we want the IP :) + ip_address = ip_address.gsub(/^\\:?/, '') + # Downcase/lowercase for checking if possible ipv6 + ip_address = ip_address.downcase + + # Likely IPv4 #Check if at most 15 characters (a fully represented IPv4 address with periods\.) and minimum of 7 + ip_address_length = ip_address.length + if !ip_address.include?(':') && !( /[a-z]/ === ip_address ) && ip_address_length <= 15 && ip_address_length >= 7 && ip_address.ascii_only? + # Remove any preceeding zeroes in each octet + temp_ip = Array.new + ip_address.split('.').each do |octet| + octet = octet.to_i.to_s + temp_ip.push(octet) + end + ip_address = temp_ip.join('.') + clean_ip_addresses_v4.push(ip_address) + + # Likely IPv6 #Check if at most 39 characters (a fully represented IPv6 address with colons\:) and minimum of 2 + elsif ip_address_length <= 39 && ip_address_length >= 2 && ip_address.ascii_only? + if ipv6_regex === ip_address + clean_ip_addresses_v6.push(ip_address) + else + not_ip_addresses.push(ip_address) + end + else + not_ip_addresses.push(ip_address) + end + end + + # Set the new IP addresses + if !clean_ip_addresses_v4.empty? + event.set('dst_ip_addr', clean_ip_addresses_v4) + # Set the number of ip addresses so we can use array or non array later in pipeline + event.set('temp_number_of_ipv4_dst_addresses', clean_ip_addresses_v4.length) + else + event.remove('dst_ip_addr') + end + if !clean_ip_addresses_v6.empty? + event.set('ipv6_dst_addr', clean_ip_addresses_v6) + #TODO:eventually set ipv6 number of ip addresses + end + if !not_ip_addresses.empty? 
+ event.set('not_ip_dst', not_ip_addresses) + end + " + tag_on_exception => "_rubyexception_8012" + } + } +} \ No newline at end of file diff --git a/helk-logstash/pipeline/8013-src-ip-cleanups-filter.conf b/helk-logstash/pipeline/8013-src-ip-cleanups-filter.conf new file mode 100644 index 00000000..21253a9b --- /dev/null +++ b/helk-logstash/pipeline/8013-src-ip-cleanups-filter.conf 
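Review bot: The IPv4 branch accepts any ASCII string of 7–15 characters with no ':' and no letters, but never checks that it is four dot-separated octets each in 0–255, so values such as `12.34.56`, `1234567` or `1.2.3.4.5.6` are pushed into clean_ip_addresses_v4 and written back to dst_ip_addr; if that field is mapped as the `ip` type downstream (presumably, given the new ip templates in this series), the whole event is rejected at index time, so one malformed log line can drop its own record. Validating the octets before the leading-zero strip closes this, as in the fence below. Separately, the first cleanup line `ip_address = ip_address.chomp` strips a trailing newline, not the trailing '.' its comment promises — `ip_address = ip_address.chomp('.')` matches the comment and mirrors the reverse-chomp on the next line. The same Ruby is duplicated verbatim in 8013, 8014 and 8015, so all four copies need the same fix.
```ruby
# … unchanged: general cleanup (chomp/strip/downcase) …
ip_address_length = ip_address.length
octets = ip_address.split('.')
# Likely IPv4 only if it is exactly four numeric octets, each 0-255 (leading zeroes tolerated here, stripped below)
if !ip_address.include?(':') && !( /[a-z]/ === ip_address ) && ip_address_length <= 15 && ip_address_length >= 7 && ip_address.ascii_only? && octets.length == 4 && octets.all? { |octet| octet =~ /\A\d{1,3}\z/ && octet.to_i <= 255 }
  # Remove any preceeding zeroes in each octet
  ip_address = octets.map { |octet| octet.to_i.to_s }.join('.')
  clean_ip_addresses_v4.push(ip_address)
# … unchanged: IPv6 and not-an-IP branches …
```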
@@ -0,0 +1,81 @@ +filter { + #TONOTE: On all IPs below, even though we have determined that it is IPv4 and IPv6 and will alter rename the field if it is an IPv6 address differently than IPv4 -- We still need to keep it as that single field for this configuration -- because sometimes a single IP type can already have both IPv6 and IPv4 from before -- examples are Cisco ASA Logs and Windows EventID "4769" in Channel "Security" + + if [src_ip_addr] { + # Add pipeline field + mutate { add_field => { "z_logstash_pipeline" => "8013" } } + ruby { + code => " + temp_ip_addresses = event.get('src_ip_addr') + ip_addresses = Array.new + + # Determine if the IP field is an array if not make it an array + if temp_ip_addresses.is_a? Enumerable + ip_addresses = temp_ip_addresses.uniq + else + ip_addresses.push(temp_ip_addresses) + end + + clean_ip_addresses_v4 = Array.new + clean_ip_addresses_v6 = Array.new + not_ip_addresses = Array.new + + ipv6_regex = /((([0-9a-f]{1,4}:){7}([0-9a-f]{1,4}|:))|(([0-9a-f]{1,4}:){6}(:[0-9a-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9a-f]{1,4}:){5}(((:[0-9a-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9a-f]{1,4}:){4}(((:[0-9a-f]{1,4}){1,3})|((:[0-9a-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){3}(((:[0-9a-f]{1,4}){1,4})|((:[0-9a-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){2}(((:[0-9a-f]{1,4}){1,5})|((:[0-9a-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){1}(((:[0-9a-f]{1,4}){1,6})|((:[0-9a-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9a-f]{1,4}){1,7})|((:[0-9a-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?/ + + for ip_address in 
ip_addresses + #### General Cleanup + # Remove ending '.' + ip_address = ip_address.chomp + # Remove preceeding '.'# Don't ask.. reverse + chomp + reverse up to 16 times faster + ip_address = ip_address.reverse.chomp('.').reverse + # Remove ending or beginning whitespace + ip_address = ip_address.lstrip.rstrip + # Remove things that would make an IP a share but we want the IP :) + ip_address = ip_address.gsub(/^\\:?/, '') + # Downcase/lowercase for checking if possible ipv6 + ip_address = ip_address.downcase + + # Likely IPv4 #Check if at most 15 characters (a fully represented IPv4 address with periods\.) and minimum of 7 + ip_address_length = ip_address.length + if !ip_address.include?(':') && !( /[a-z]/ === ip_address ) && ip_address_length <= 15 && ip_address_length >= 7 && ip_address.ascii_only? + # Remove any preceeding zeroes in each octet + temp_ip = Array.new + ip_address.split('.').each do |octet| + octet = octet.to_i.to_s + temp_ip.push(octet) + end + ip_address = temp_ip.join('.') + clean_ip_addresses_v4.push(ip_address) + + # Likely IPv6 #Check if at most 39 characters (a fully represented IPv6 address with colons\:) and minimum of 2 + elsif ip_address_length <= 39 && ip_address_length >= 2 && ip_address.ascii_only? + if ipv6_regex === ip_address + clean_ip_addresses_v6.push(ip_address) + else + not_ip_addresses.push(ip_address) + end + else + not_ip_addresses.push(ip_address) + end + end + + # Set the new IP addresses + if !clean_ip_addresses_v4.empty? + event.set('src_ip_addr', clean_ip_addresses_v4) + # Set the number of ip addresses so we can use array or non array later in pipeline + event.set('temp_number_of_ipv4_src_addresses', clean_ip_addresses_v4.length) + else + event.remove('src_ip_addr') + end + if !clean_ip_addresses_v6.empty? + event.set('ipv6_src_addr', clean_ip_addresses_v6) + #TODO:eventually set ipv6 number of ip addresses + end + if !not_ip_addresses.empty? 
+ event.set('not_ip_src', not_ip_addresses) + end + " + tag_on_exception => "_rubyexception_8013" + } + } +} \ No newline at end of file diff --git a/helk-logstash/pipeline/8014-dst-nat-ip-cleanups-filter.conf b/helk-logstash/pipeline/8014-dst-nat-ip-cleanups-filter.conf new file mode 100644 index 00000000..6d6bae8b --- /dev/null +++ b/helk-logstash/pipeline/8014-dst-nat-ip-cleanups-filter.conf 
@@ -0,0 +1,81 @@ +filter { + #TONOTE: On all IPs below, even though we have determined that it is IPv4 and IPv6 and will alter rename the field if it is an IPv6 address differently than IPv4 -- We still need to keep it as that single field for this configuration -- because sometimes a single IP type can already have both IPv6 and IPv4 from before -- examples are Cisco ASA Logs and Windows EventID "4769" in Channel "Security" + + if [dst_nat_ip_addr] { + # Add pipeline field + mutate { add_field => { "z_logstash_pipeline" => "8014" } } + ruby { + code => " + temp_ip_addresses = event.get('dst_nat_ip_addr') + ip_addresses = Array.new + + # Determine if the IP field is an array if not make it an array + if temp_ip_addresses.is_a? Enumerable + ip_addresses = temp_ip_addresses.uniq + else + ip_addresses.push(temp_ip_addresses) + end + + clean_ip_addresses_v4 = Array.new + clean_ip_addresses_v6 = Array.new + not_ip_addresses = Array.new + + ipv6_regex = /((([0-9a-f]{1,4}:){7}([0-9a-f]{1,4}|:))|(([0-9a-f]{1,4}:){6}(:[0-9a-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9a-f]{1,4}:){5}(((:[0-9a-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9a-f]{1,4}:){4}(((:[0-9a-f]{1,4}){1,3})|((:[0-9a-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){3}(((:[0-9a-f]{1,4}){1,4})|((:[0-9a-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){2}(((:[0-9a-f]{1,4}){1,5})|((:[0-9a-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){1}(((:[0-9a-f]{1,4}){1,6})|((:[0-9a-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9a-f]{1,4}){1,7})|((:[0-9a-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?/ + + for ip_address in 
ip_addresses + #### General Cleanup + # Remove ending '.' + ip_address = ip_address.chomp + # Remove preceeding '.'# Don't ask.. reverse + chomp + reverse up to 16 times faster + ip_address = ip_address.reverse.chomp('.').reverse + # Remove ending or beginning whitespace + ip_address = ip_address.lstrip.rstrip + # Remove things that would make an IP a share but we want the IP :) + ip_address = ip_address.gsub(/^\\:?/, '') + # Downcase/lowercase for checking if possible ipv6 + ip_address = ip_address.downcase + + # Likely IPv4 #Check if at most 15 characters (a fully represented IPv4 address with periods\.) and minimum of 7 + ip_address_length = ip_address.length + if !ip_address.include?(':') && !( /[a-z]/ === ip_address ) && ip_address_length <= 15 && ip_address_length >= 7 && ip_address.ascii_only? + # Remove any preceeding zeroes in each octet + temp_ip = Array.new + ip_address.split('.').each do |octet| + octet = octet.to_i.to_s + temp_ip.push(octet) + end + ip_address = temp_ip.join('.') + clean_ip_addresses_v4.push(ip_address) + + # Likely IPv6 #Check if at most 39 characters (a fully represented IPv6 address with colons\:) and minimum of 2 + elsif ip_address_length <= 39 && ip_address_length >= 2 && ip_address.ascii_only? + if ipv6_regex === ip_address + clean_ip_addresses_v6.push(ip_address) + else + not_ip_addresses.push(ip_address) + end + else + not_ip_addresses.push(ip_address) + end + end + + # Set the new IP addresses + if !clean_ip_addresses_v4.empty? + event.set('dst_nat_ip_addr', clean_ip_addresses_v4) + # Set the number of ip addresses so we can use array or non array later in pipeline + event.set('temp_number_of_ipv4_dst_nat_addresses', clean_ip_addresses_v4.length) + else + event.remove('dst_nat_ip_addr') + end + if !clean_ip_addresses_v6.empty? + event.set('ipv6_dst_nat_addr', clean_ip_addresses_v6) + #TODO:eventually set ipv6 number of ip addresses + end + if !not_ip_addresses.empty? 
+ event.set('not_ip_dst_nat', not_ip_addresses) + end + " + tag_on_exception => "_rubyexception_8014" + } + } +} \ No newline at end of file diff --git a/helk-logstash/pipeline/8015-src-nat-ip-cleanups-filter.conf b/helk-logstash/pipeline/8015-src-nat-ip-cleanups-filter.conf new file mode 100644 index 00000000..897ed729 --- /dev/null +++ b/helk-logstash/pipeline/8015-src-nat-ip-cleanups-filter.conf 
@@ -0,0 +1,81 @@ +filter { + #TONOTE: On all IPs below, even though we have determined that it is IPv4 and IPv6 and will alter rename the field if it is an IPv6 address differently than IPv4 -- We still need to keep it as that single field for this configuration -- because sometimes a single IP type can already have both IPv6 and IPv4 from before -- examples are Cisco ASA Logs and Windows EventID "4769" in Channel "Security" + + if [src_nat_ip_addr] { + # Add pipeline field + mutate { add_field => { "z_logstash_pipeline" => "8015" } } + ruby { + code => " + temp_ip_addresses = event.get('src_nat_ip_addr') + ip_addresses = Array.new + + # Determine if the IP field is an array if not make it an array + if temp_ip_addresses.is_a? Enumerable + ip_addresses = temp_ip_addresses.uniq + else + ip_addresses.push(temp_ip_addresses) + end + + clean_ip_addresses_v4 = Array.new + clean_ip_addresses_v6 = Array.new + not_ip_addresses = Array.new + + ipv6_regex = /((([0-9a-f]{1,4}:){7}([0-9a-f]{1,4}|:))|(([0-9a-f]{1,4}:){6}(:[0-9a-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9a-f]{1,4}:){5}(((:[0-9a-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9a-f]{1,4}:){4}(((:[0-9a-f]{1,4}){1,3})|((:[0-9a-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){3}(((:[0-9a-f]{1,4}){1,4})|((:[0-9a-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){2}(((:[0-9a-f]{1,4}){1,5})|((:[0-9a-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){1}(((:[0-9a-f]{1,4}){1,6})|((:[0-9a-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9a-f]{1,4}){1,7})|((:[0-9a-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?/ + + for ip_address in 
ip_addresses + #### General Cleanup + # Remove ending '.' + ip_address = ip_address.chomp + # Remove preceeding '.'# Don't ask.. reverse + chomp + reverse up to 16 times faster + ip_address = ip_address.reverse.chomp('.').reverse + # Remove ending or beginning whitespace + ip_address = ip_address.lstrip.rstrip + # Remove things that would make an IP a share but we want the IP :) + ip_address = ip_address.gsub(/^\\:?/, '') + # Downcase/lowercase for checking if possible ipv6 + ip_address = ip_address.downcase + + # Likely IPv4 #Check if at most 15 characters (a fully represented IPv4 address with periods\.) and minimum of 7 + ip_address_length = ip_address.length + if !ip_address.include?(':') && !( /[a-z]/ === ip_address ) && ip_address_length <= 15 && ip_address_length >= 7 && ip_address.ascii_only? + # Remove any preceeding zeroes in each octet + temp_ip = Array.new + ip_address.split('.').each do |octet| + octet = octet.to_i.to_s + temp_ip.push(octet) + end + ip_address = temp_ip.join('.') + clean_ip_addresses_v4.push(ip_address) + + # Likely IPv6 #Check if at most 39 characters (a fully represented IPv6 address with colons\:) and minimum of 2 + elsif ip_address_length <= 39 && ip_address_length >= 2 && ip_address.ascii_only? + if ipv6_regex === ip_address + clean_ip_addresses_v6.push(ip_address) + else + not_ip_addresses.push(ip_address) + end + else + not_ip_addresses.push(ip_address) + end + end + + # Set the new IP addresses + if !clean_ip_addresses_v4.empty? + event.set('src_nat_ip_addr', clean_ip_addresses_v4) + # Set the number of ip addresses so we can use array or non array later in pipeline + event.set('temp_number_of_ipv4_src_nat_addresses', clean_ip_addresses_v4.length) + else + event.remove('src_nat_ip_addr') + end + if !clean_ip_addresses_v6.empty? + event.set('ipv6_src_nat_addr', clean_ip_addresses_v6) + #TODO:eventually set ipv6 number of ip addresses + end + if !not_ip_addresses.empty? 
+ event.set('not_ip_src_nat', not_ip_addresses) + end + " + tag_on_exception => "_rubyexception_8015" + } + } +} \ No newline at end of file diff --git a/helk-logstash/pipeline/8112-dst-ip-filter.conf b/helk-logstash/pipeline/8112-dst-ip-filter.conf new file mode 100644 index 00000000..a6b7ddca --- /dev/null +++ b/helk-logstash/pipeline/8112-dst-ip-filter.conf 
@@ -0,0 +1,131 @@ +filter { + # If dst_ip_addr field exists from previous config settings + if [dst_ip_addr] { + mutate { add_field => { "z_logstash_pipeline" => "8112" } } + + #TODO:could eventually make even faster by doing a if not begins/regex-starts with 0,1,2 then just immediatly set as ip is public else check the rest of stuff. + ruby { + code => " + # Get the ip address from the event + ip_addresses = event.get('dst_ip_addr') + + ip_addresses_public = Array.new + ip_addresses_type = Array.new + + for ip_address in ip_addresses + # Set IP type and public for now so easier checking later + ip_public = true + ip_type = 'public' + + # Private/RFC1918 + if ip_address.start_with?( '10.', '192.168.' ) + ip_public = false + ip_type = 'private' + + # (Local)link-local RFC3927 + elsif ip_address.start_with?( '169.254.' ) + ip_public = false + ip_type = 'local' + + # Loopback RFC1122-3.2.1.3 + elsif ip_address.start_with?( '127.' ) + ip_public = false + ip_type = 'loopback' + + # RFC 1122 + elsif ip_address.start_with?('0.') + ip_public = false + ip_type = 'this_rfc1122' + + # IPv6 to IP4 anycast RFC3068 + elsif ip_address.start_with?( '192.88.99.' ) + ip_public = false + ip_type = '6to4' + + # Reserved RFC5736, RFC1122-3.2.1.3, RFC2544, RFC5737 + elsif ip_address.start_with?( '0.', '192.0.0.', '192.0.1.', '192.0.2.', '192.18.', '192.19.', '198.51.100.', '203.0.113.' ) + ip_public = false + ip_type = 'reserved' + + # Private/RFC-1918 -- continued -- 172.16.0.0-17.31.255.255 + elsif ip_address.start_with?( '172.' ) + # Check if 2nd octet is in range(between) 16 to 31 + if ip_address.split('.')[1].to_i.between?(16,31) + ip_public = false + ip_type = 'private' + end + + # Private/RFC-1918 -- continued -- 100.64.0.1 - 100.127.255.254 + elsif ip_address.start_with?( '100.' 
) + # Check if 2nd octet is in range(between) 64 to 127 + if ip_address.split('.')[1].to_i.between?(64,127) + ip_public = false + ip_type = 'private' + end + + # The remaining possible NON public/routable IPs begin with 2 and are either multicast or broadcast + elsif ip_address.start_with?( '2' ) + # Broadcast + if ip_address == '255.255.255.255' + ip_public = false + ip_type = 'broadcast' + + # Multicast + # Check if 1st octet is in range(between) 224 to 255 + elsif ip_address.split('.')[0].to_i.between?(224,255) + ip_public = false + ip_type = 'multicast' + end + end + # set parameters for array + ip_addresses_public.push(ip_public) + ip_addresses_type.push(ip_type) + end + + # Use to make array versus non array + # and then Set event parameters accordingly + if event.get('temp_number_of_ipv4_src_addresses') == 1 + event.set('dst_ip_addr', ip_addresses[0]) + event.set('dst_ip_public', ip_addresses_public[0]) + event.set('dst_ip_type', ip_addresses_type[0]) + else + event.set('dst_ip_public', ip_addresses_public) + event.set('dst_ip_type', ip_addresses_type) + # ip is already array so no need to set accordingly + end + " + tag_on_exception => "_rubyexception_8112" + remove_field => [ "temp_number_of_ipv4_dst_addresses" ] + } + + # Perform GeoIP enrichment if is public / internet routable + if [dst_ip_public] { + # Geo Location + geoip { + source => "dst_ip_addr" + target => "meta_dst_ip_geo" + default_database_type => "City" + # database => "/usr/share/logstash/GeoIP/GeoLite2-City.mmdb" + # #TONOTE:It is important to note that this config value is global to the geoip_type. That is to say all instances of the geoip filter of the same geoip_type share the same cache. The last declared cache size will win. The reason for this is that there would be no benefit to having multiple caches for different instances at different points in the pipeline, that would just increase the number of cache misses and waste memory. 
+ cache_size => 90000 + remove_field => [ "[meta_dst_ip_geo][ip]", "[meta_dst_ip_geo][real_region_name]" ] + #tag_on_failure => [ "_geoip_ip_dst_failure", "_geoip_ip_dst_location_lookup_failure", "_geoip_lookup_failure" ] + # Do not tag, so we can use tags (if they only just even exist, versus each tag within) as a method to determine parsing failure(s) (much) easier. + tag_on_failure => [ ] + } + #QnVpbHQgYnkgTmF0ZSBHdWFnZW50aSBAbmV1NXJvbg== + # Geo ASName and ASNumber / BGP AS Info + geoip { + source => "dst_ip_addr" + target => "meta_dst_ip_geo" + default_database_type => "ASN" + # database => "/usr/share/logstash/GeoIP/GeoLite2-ASN.mmdb" + remove_field => [ "[meta_dst_ip_geo][ip]" ] + # tag_on_failure => [ "_geoip_ip_dst_failure", "_geoip_ip_dst_as_lookup_failure", "_geoip_lookup_failure" ] + # Do not tag, so we can use tags (if they only just even exist, versus each tag within) as a method to determine parsing failure(s) (much) easier. + tag_on_failure => [ ] + } + } + } + +} \ No newline at end of file diff --git a/helk-logstash/pipeline/8113-src-ip-filter.conf b/helk-logstash/pipeline/8113-src-ip-filter.conf new file mode 100644 index 00000000..e25999d8 --- /dev/null +++ b/helk-logstash/pipeline/8113-src-ip-filter.conf 
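Review bot: The array-versus-scalar check in the ruby block reads the wrong counter: `if event.get('temp_number_of_ipv4_src_addresses') == 1` in a filter that processes dst_ip_addr and then removes `temp_number_of_ipv4_dst_addresses`. When an event has one source address but several destinations, `dst_ip_addr` is collapsed to its first element and the others are silently lost, while a single destination is never collapsed; it should read `if event.get('temp_number_of_ipv4_dst_addresses') == 1`. Two further points apply here and in 8113, 8114 and 8115. The reserved list uses `'192.18.', '192.19.'` where the RFC 2544 benchmarking block is 198.18.0.0/15 (`'198.18.', '198.19.'`), so public 192.18/192.19 traffic is labelled reserved and skips geoip while real benchmarking addresses are not caught. For multi-address events `[dst_ip_public]` is an array, which the `if [dst_ip_public]` conditional treats as true even when every entry is false, so the geoip lookups still run on internal-only addresses — presumably against one element of the array, which is worth confirming.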
@@ -0,0 +1,130 @@ +filter { + # If src_ip_addr field exists from previous config settings + if [src_ip_addr] { + mutate { add_field => { "z_logstash_pipeline" => "8113" } } + + #TODO:could eventually make even faster by doing a if not begins/regex-starts with 0,1,2 then just immediatly set as ip is public else check the rest of stuff. + ruby { + code => " + # Get the ip address from the event + ip_addresses = event.get('src_ip_addr') + + ip_addresses_public = Array.new + ip_addresses_type = Array.new + + for ip_address in ip_addresses + # Set IP type and public for now so easier checking later + ip_public = true + ip_type = 'public' + + # Private/RFC1918 + if ip_address.start_with?( '10.', '192.168.' ) + ip_public = false + ip_type = 'private' + + # (Local)link-local RFC3927 + elsif ip_address.start_with?( '169.254.' ) + ip_public = false + ip_type = 'local' + + # Loopback RFC1122-3.2.1.3 + elsif ip_address.start_with?( '127.' ) + ip_public = false + ip_type = 'loopback' + + # RFC 1122 + elsif ip_address.start_with?('0.') + ip_public = false + ip_type = 'this_rfc1122' + + # IPv6 to IP4 anycast RFC3068 + elsif ip_address.start_with?( '192.88.99.' ) + ip_public = false + ip_type = '6to4' + + # Reserved RFC5736, RFC1122-3.2.1.3, RFC2544, RFC5737 + elsif ip_address.start_with?( '0.', '192.0.0.', '192.0.1.', '192.0.2.', '192.18.', '192.19.', '198.51.100.', '203.0.113.' ) + ip_public = false + ip_type = 'reserved' + + # Private/RFC-1918 -- continued -- 172.16.0.0-17.31.255.255 + elsif ip_address.start_with?( '172.' ) + # Check if 2nd octet is in range(between) 16 to 31 + if ip_address.split('.')[1].to_i.between?(16,31) + ip_public = false + ip_type = 'private' + end + + # Private/RFC-1918 -- continued -- 100.64.0.1 - 100.127.255.254 + elsif ip_address.start_with?( '100.' 
) + # Check if 2nd octet is in range(between) 64 to 127 + if ip_address.split('.')[1].to_i.between?(64,127) + ip_public = false + ip_type = 'private' + end + + # The remaining possible NON public/routable IPs begin with 2 and are either multicast or broadcast + elsif ip_address.start_with?( '2' ) + # Broadcast + if ip_address == '255.255.255.255' + ip_public = false + ip_type = 'broadcast' + + # Multicast + # Check if 1st octet is in range(between) 224 to 255 + elsif ip_address.split('.')[0].to_i.between?(224,255) + ip_public = false + ip_type = 'multicast' + end + end + # set parameters for array + ip_addresses_public.push(ip_public) + ip_addresses_type.push(ip_type) + end + + # Use to make array versus non array + # and then Set event parameters accordingly + if event.get('temp_number_of_ipv4_src_addresses') == 1 + event.set('src_ip_addr', ip_addresses[0]) + event.set('src_ip_public', ip_addresses_public[0]) + event.set('src_ip_type', ip_addresses_type[0]) + else + event.set('src_ip_public', ip_addresses_public) + event.set('src_ip_type', ip_addresses_type) + # ip is already array so no need to set accordingly + end + " + tag_on_exception => "_rubyexception_8113" + } + + # Perform GeoIP enrichment if is public / internet routable + if [src_ip_public] { + # Geo Location + geoip { + source => "src_ip_addr" + target => "meta_src_ip_geo" + default_database_type => "City" + # database => "/usr/share/logstash/GeoIP/GeoLite2-City.mmdb" + # #TONOTE:It is important to note that this config value is global to the geoip_type. That is to say all instances of the geoip filter of the same geoip_type share the same cache. The last declared cache size will win. The reason for this is that there would be no benefit to having multiple caches for different instances at different points in the pipeline, that would just increase the number of cache misses and waste memory. 
+ cache_size => 90000 + remove_field => [ "[meta_src_ip_geo][ip]", "[meta_src_ip_geo][real_region_name]" ] + # tag_on_failure => [ "_geoip_ip_src_location_lookup_failure", "_geoip_lookup_failure" ] + # Do not tag, so we can use tags (if they only just even exist, versus each tag within) as a method to determine parsing failure(s) (much) easier. + tag_on_failure => [ ] + } + #QnVpbHQgYnkgTmF0ZSBHdWFnZW50aSBAbmV1NXJvbg== + # Geo ASName and ASNumber / BGP AS Info + geoip { + source => "src_ip_addr" + target => "meta_src_ip_geo" + default_database_type => "ASN" + # database => "/usr/share/logstash/GeoIP/GeoLite2-ASN.mmdb" + remove_field => [ "[meta_src_ip_geo][ip]" ] + # tag_on_failure => [ "_geoip_ip_src_as_lookup_failure", "_geoip_lookup_failure" ] + # Do not tag, so we can use tags (if they only just even exist, versus each tag within) as a method to determine parsing failure(s) (much) easier. + tag_on_failure => [ ] + } + } + } + +} \ No newline at end of file diff --git a/helk-logstash/pipeline/8114-dst-nat-ip-filter.conf b/helk-logstash/pipeline/8114-dst-nat-ip-filter.conf new file mode 100644 index 00000000..efd696af --- /dev/null +++ b/helk-logstash/pipeline/8114-dst-nat-ip-filter.conf 
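Review bot: The ruby block here has no `remove_field => [ "temp_number_of_ipv4_src_addresses" ]`, unlike the dst, dst-nat and src-nat counterparts, so the helper counter set by 8013 stays on the event and is indexed with it. Add `remove_field => [ "temp_number_of_ipv4_src_addresses" ]` next to `tag_on_exception => "_rubyexception_8113"`.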
@@ -0,0 +1,131 @@ +filter { + # If dst_nat_ip_addr field exists from previous config settings + if [dst_nat_ip_addr] { + mutate { add_field => { "z_logstash_pipeline" => "8114" } } + + #TODO:could eventually make even faster by doing a if not begins/regex-starts with 0,1,2 then just immediatly set as ip is public else check the rest of stuff. + ruby { + code => " + # Get the ip address from the event + ip_addresses = event.get('dst_nat_ip_addr') + + ip_addresses_public = Array.new + ip_addresses_type = Array.new + + for ip_address in ip_addresses + # Set IP type and public for now so easier checking later + ip_public = true + ip_type = 'public' + + # Private/RFC1918 + if ip_address.start_with?( '10.', '192.168.' ) + ip_public = false + ip_type = 'private' + + # (Local)link-local RFC3927 + elsif ip_address.start_with?( '169.254.' ) + ip_public = false + ip_type = 'local' + + # Loopback RFC1122-3.2.1.3 + elsif ip_address.start_with?( '127.' ) + ip_public = false + ip_type = 'loopback' + + # RFC 1122 + elsif ip_address.start_with?('0.') + ip_public = false + ip_type = 'this_rfc1122' + + # IPv6 to IP4 anycast RFC3068 + elsif ip_address.start_with?( '192.88.99.' ) + ip_public = false + ip_type = '6to4' + + # Reserved RFC5736, RFC1122-3.2.1.3, RFC2544, RFC5737 + elsif ip_address.start_with?( '0.', '192.0.0.', '192.0.1.', '192.0.2.', '192.18.', '192.19.', '198.51.100.', '203.0.113.' ) + ip_public = false + ip_type = 'reserved' + + # Private/RFC-1918 -- continued -- 172.16.0.0-17.31.255.255 + elsif ip_address.start_with?( '172.' ) + # Check if 2nd octet is in range(between) 16 to 31 + if ip_address.split('.')[1].to_i.between?(16,31) + ip_public = false + ip_type = 'private' + end + + # Private/RFC-1918 -- continued -- 100.64.0.1 - 100.127.255.254 + elsif ip_address.start_with?( '100.' 
) + # Check if 2nd octet is in range(between) 64 to 127 + if ip_address.split('.')[1].to_i.between?(64,127) + ip_public = false + ip_type = 'private' + end + + # The remaining possible NON public/routable IPs begin with 2 and are either multicast or broadcast + elsif ip_address.start_with?( '2' ) + # Broadcast + if ip_address == '255.255.255.255' + ip_public = false + ip_type = 'broadcast' + + # Multicast + # Check if 1st octet is in range(between) 224 to 255 + elsif ip_address.split('.')[0].to_i.between?(224,255) + ip_public = false + ip_type = 'multicast' + end + end + # set parameters for array + ip_addresses_public.push(ip_public) + ip_addresses_type.push(ip_type) + end + + # Use to make array versus non array + # and then Set event parameters accordingly + if event.get('temp_number_of_ipv4_dst_nat_addresses') == 1 + event.set('dst_nat_ip_addr', ip_addresses[0]) + event.set('dst_nat_ip_public', ip_addresses_public[0]) + event.set('dst_nat_ip_type', ip_addresses_type[0]) + else + event.set('dst_nat_ip_public', ip_addresses_public) + event.set('dst_nat_ip_type', ip_addresses_type) + # ip is already array so no need to set accordingly + end + " + tag_on_exception => "_rubyexception_8114" + remove_field => [ "temp_number_of_ipv4_dst_nat_addresses" ] + } + + # Perform GeoIP enrichment if is public / internet routable + if [dst_nat_ip_public] { + # Geo Location + geoip { + source => "dst_nat_ip_addr" + target => "meta_dst_nat_ip_geo" + default_database_type => "City" + # database => "/usr/share/logstash/GeoIP/GeoLite2-City.mmdb" + # #TONOTE:It is important to note that this config value is global to the geoip_type. That is to say all instances of the geoip filter of the same geoip_type share the same cache. The last declared cache size will win. The reason for this is that there would be no benefit to having multiple caches for different instances at different points in the pipeline, that would just increase the number of cache misses and waste memory. 
+ cache_size => 90000 + remove_field => [ "[meta_dst_nat_ip_geo][ip]", "[meta_dst_nat_ip_geo][real_region_name]" ] + # tag_on_failure => [ "_geo_ip_dst_nat_location_lookup_failure", "_geoip_lookup_failure" ] + # Do not tag, so we can use tags (if they only just even exist, versus each tag within) as a method to determine parsing failure(s) (much) easier. + tag_on_failure => [ ] + } + #QnVpbHQgYnkgTmF0ZSBHdWFnZW50aSBAbmV1NXJvbg== + # Geo ASName and ASNumber / BGP AS Info + geoip { + source => "dst_nat_ip_addr" + target => "meta_dst_nat_ip_geo" + default_database_type => "ASN" + # database => "/usr/share/logstash/GeoIP/GeoLite2-ASN.mmdb" + remove_field => [ "[meta_dst_nat_ip_geo][ip]" ] + # tag_on_failure => [ "_geo_ip_dst_nat_as_lookup_failure", "_geoip_lookup_failure" ] + # Do not tag, so we can use tags (if they only just even exist, versus each tag within) as a method to determine parsing failure(s) (much) easier. + tag_on_failure => [ ] + } + } + } + +} \ No newline at end of file diff --git a/helk-logstash/pipeline/8115-src-nat-ip-filter.conf b/helk-logstash/pipeline/8115-src-nat-ip-filter.conf new file mode 100644 index 00000000..75b3963b --- /dev/null +++ b/helk-logstash/pipeline/8115-src-nat-ip-filter.conf 
@@ -0,0 +1,131 @@ +filter { + # If src_nat_ip_addr field exists from previous config settings + if [src_nat_ip_addr] { + mutate { add_field => { "z_logstash_pipeline" => "8115" } } + + #TODO:could eventually make even faster by doing a if not begins/regex-starts with 0,1,2 then just immediatly set as ip is public else check the rest of stuff. + ruby { + code => " + # Get the ip address from the event + ip_addresses = event.get('src_nat_ip_addr') + + ip_addresses_public = Array.new + ip_addresses_type = Array.new + + for ip_address in ip_addresses + # Set IP type and public for now so easier checking later + ip_public = true + ip_type = 'public' + + # Private/RFC1918 + if ip_address.start_with?( '10.', '192.168.' ) + ip_public = false + ip_type = 'private' + + # (Local)link-local RFC3927 + elsif ip_address.start_with?( '169.254.' ) + ip_public = false + ip_type = 'local' + + # Loopback RFC1122-3.2.1.3 + elsif ip_address.start_with?( '127.' ) + ip_public = false + ip_type = 'loopback' + + # RFC 1122 + elsif ip_address.start_with?('0.') + ip_public = false + ip_type = 'this_rfc1122' + + # IPv6 to IP4 anycast RFC3068 + elsif ip_address.start_with?( '192.88.99.' ) + ip_public = false + ip_type = '6to4' + + # Reserved RFC5736, RFC1122-3.2.1.3, RFC2544, RFC5737 + elsif ip_address.start_with?( '0.', '192.0.0.', '192.0.1.', '192.0.2.', '192.18.', '192.19.', '198.51.100.', '203.0.113.' ) + ip_public = false + ip_type = 'reserved' + + # Private/RFC-1918 -- continued -- 172.16.0.0-17.31.255.255 + elsif ip_address.start_with?( '172.' ) + # Check if 2nd octet is in range(between) 16 to 31 + if ip_address.split('.')[1].to_i.between?(16,31) + ip_public = false + ip_type = 'private' + end + + # Private/RFC-1918 -- continued -- 100.64.0.1 - 100.127.255.254 + elsif ip_address.start_with?( '100.' 
) + # Check if 2nd octet is in range(between) 64 to 127 + if ip_address.split('.')[1].to_i.between?(64,127) + ip_public = false + ip_type = 'private' + end + + # The remaining possible NON public/routable IPs begin with 2 and are either multicast or broadcast + elsif ip_address.start_with?( '2' ) + # Broadcast + if ip_address == '255.255.255.255' + ip_public = false + ip_type = 'broadcast' + + # Multicast + # Check if 1st octet is in range(between) 224 to 255 + elsif ip_address.split('.')[0].to_i.between?(224,255) + ip_public = false + ip_type = 'multicast' + end + end + # set parameters for array + ip_addresses_public.push(ip_public) + ip_addresses_type.push(ip_type) + end + + # Use to make array versus non array + # and then Set event parameters accordingly + if event.get('temp_number_of_ipv4_src_nat_addresses') == 1 + event.set('src_nat_ip_addr', ip_addresses[0]) + event.set('src_nat_ip_public', ip_addresses_public[0]) + event.set('src_nat_ip_type', ip_addresses_type[0]) + else + event.set('src_nat_ip_public', ip_addresses_public) + event.set('src_nat_ip_type', ip_addresses_type) + # ip is already array so no need to set accordingly + end + " + tag_on_exception => "_rubyexception_8115" + remove_field => [ "temp_number_of_ipv4_src_nat_addresses" ] + } + + # Perform GeoIP enrichment if is public / internet routable + if [src_nat_ip_public] { + # Geo Location + geoip { + source => "src_nat_ip_addr" + target => "meta_src_nat_ip_geo" + default_database_type => "City" + # database => "/usr/share/logstash/GeoIP/GeoLite2-City.mmdb" + # #TONOTE:It is important to note that this config value is global to the geoip_type. That is to say all instances of the geoip filter of the same geoip_type share the same cache. The last declared cache size will win. The reason for this is that there would be no benefit to having multiple caches for different instances at different points in the pipeline, that would just increase the number of cache misses and waste memory. 
+ cache_size => 90000
+ remove_field => [ "[meta_src_nat_ip_geo][ip]", "[meta_src_nat_ip_geo][real_region_name]" ]
+ # tag_on_failure => [ "_geo_ip_src_nat_location_lookup_failure", "_geoip_lookup_failure" ]
+ # Do not tag, so we can use tags (if they only just even exist, versus each tag within) as a method to determine parsing failure(s) (much) easier.
+ tag_on_failure => [ ]
+ }
+ #QnVpbHQgYnkgTmF0ZSBHdWFnZW50aSBAbmV1NXJvbg==
+ # Geo ASName and ASNumber / BGP AS Info
+ geoip {
+ source => "src_nat_ip_addr"
+ target => "meta_src_nat_ip_geo"
+ default_database_type => "ASN"
+ # database => "/usr/share/logstash/GeoIP/GeoLite2-ASN.mmdb"
+ remove_field => [ "[meta_src_nat_ip_geo][ip]" ]
+ # tag_on_failure => [ "_geo_ip_src_nat_as_lookup_failure", "_geoip_lookup_failure" ]
+ # Do not tag, so we can use tags (if they only just even exist, versus each tag within) as a method to determine parsing failure(s) (much) easier.
+ tag_on_failure => [ ]
+ }
+ }
+ }
+
+}
\ No newline at end of file
diff --git a/helk-logstash/pipeline/50-winevent-sysmon-output.conf b/helk-logstash/pipeline/9950-winevent-sysmon-output.conf
similarity index 74%
rename from helk-logstash/pipeline/50-winevent-sysmon-output.conf
rename to helk-logstash/pipeline/9950-winevent-sysmon-output.conf
index e97cbb8b..77d9a533 100644
--- a/helk-logstash/pipeline/50-winevent-sysmon-output.conf
+++ b/helk-logstash/pipeline/9950-winevent-sysmon-output.conf
@@ -8,10 +8,8 @@ output {
 elasticsearch {
 hosts => ["helk-elasticsearch:9200"]
 index => "logs-endpoint-winevent-sysmon-%{+YYYY.MM.dd}"
- template => "/usr/share/logstash/output_templates/winevent-sysmon-template.json"
- template_name => "logs-endpoint-winevent-sysmon"
- template_overwrite => true
 document_id => "%{[@metadata][log_hash]}"
+ document_type => "_doc"
 }
 kafka {
 bootstrap_servers => "helk-kafka-broker:9092"
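Review bot: The multicast branch inside the `start_with?( '2' )` block uses `between?(224,255)`, which labels the reserved 240.0.0.0/4 range (first octet 240–255) as `multicast`; multicast is 224.0.0.0/4 only, so the check should read `elsif ip_address.split('.')[0].to_i.between?(224,239)` followed by a further `elsif ip_address.split('.')[0].to_i.between?(240,255)` branch that sets `ip_type = 'reserved'`, both with `ip_public = false`. The earlier `start_with?('0.')` branch already captures 0.0.0.0/8, so the `'0.'` entry in the reserved prefix list is unreachable and can be dropped; the comment `172.16.0.0-17.31.255.255` should read `172.16.0.0-172.31.255.255`, and the `100.` branch is RFC 6598 shared address space rather than RFC 1918, which its comment could state. In the multi-address path `src_nat_ip_public` becomes an array of booleans, and the outer `if [src_nat_ip_public]` appears to test field presence rather than whether every element is true, so private addresses may still be handed to the two geoip filters in that case — worth confirming against Logstash conditional semantics. The destination-NAT filter in 8114-dst-nat-ip-filter.conf on the preceding lines duplicates this Ruby block, so the same points apply there.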
diff --git a/helk-logstash/pipeline/51-winevent-security-output.conf b/helk-logstash/pipeline/9951-winevent-security-output.conf
similarity index 73%
rename from helk-logstash/pipeline/51-winevent-security-output.conf
rename to helk-logstash/pipeline/9951-winevent-security-output.conf
index e67e8ae1..f7307771 100644
--- a/helk-logstash/pipeline/51-winevent-security-output.conf
+++ b/helk-logstash/pipeline/9951-winevent-security-output.conf
@@ -8,10 +8,8 @@ output {
 elasticsearch {
 hosts => ["helk-elasticsearch:9200"]
 index => "logs-endpoint-winevent-security-%{+YYYY.MM.dd}"
- template => "/usr/share/logstash/output_templates/winevent-security-template.json"
- template_name => "logs-endpoint-winevent-security"
- template_overwrite => true
 document_id => "%{[@metadata][log_hash]}"
+ document_type => "_doc"
 }
 kafka {
 bootstrap_servers => "helk-kafka-broker:9092"
diff --git a/helk-logstash/pipeline/52-winevent-system-output.conf b/helk-logstash/pipeline/9952-winevent-system-output.conf
similarity index 66%
rename from helk-logstash/pipeline/52-winevent-system-output.conf
rename to helk-logstash/pipeline/9952-winevent-system-output.conf
index 00b5cf07..a5b386c0 100644
--- a/helk-logstash/pipeline/52-winevent-system-output.conf
+++ b/helk-logstash/pipeline/9952-winevent-system-output.conf
@@ -8,10 +8,8 @@ output {
 elasticsearch {
 hosts => ["helk-elasticsearch:9200"]
 index => "logs-endpoint-winevent-system-%{+YYYY.MM.dd}"
- template => "/usr/share/logstash/output_templates/winevent-system-template.json"
- template_name => "logs-endpoint-winevent-system"
- template_overwrite => true
 document_id => "%{[@metadata][log_hash]}"
+ document_type => "_doc"
 }
 }
 }
\ No newline at end of file
diff --git a/helk-logstash/pipeline/53-winevent-application-output.conf b/helk-logstash/pipeline/9953-winevent-application-output.conf
similarity index 66%
rename from helk-logstash/pipeline/53-winevent-application-output.conf
rename to helk-logstash/pipeline/9953-winevent-application-output.conf
index 64d2b788..d0ecd0e7 100644
--- a/helk-logstash/pipeline/53-winevent-application-output.conf
+++ b/helk-logstash/pipeline/9953-winevent-application-output.conf
@@ -8,10 +8,8 @@ output {
 elasticsearch {
 hosts => ["helk-elasticsearch:9200"]
 index => "logs-endpoint-winevent-application-%{+YYYY.MM.dd}"
- template => "/usr/share/logstash/output_templates/winevent-application-template.json"
- template_name => "logs-endpoint-winevent-application"
- template_overwrite => true
 document_id => "%{[@metadata][log_hash]}"
+ document_type => "_doc"
 }
 }
 }
\ No newline at end of file
diff --git a/helk-logstash/pipeline/54-winevent-powershell-output.conf b/helk-logstash/pipeline/9954-winevent-powershell-output.conf
similarity index 92%
rename from helk-logstash/pipeline/54-winevent-powershell-output.conf
rename to helk-logstash/pipeline/9954-winevent-powershell-output.conf
index 432859b6..1ce908e6 100644
--- a/helk-logstash/pipeline/54-winevent-powershell-output.conf
+++ b/helk-logstash/pipeline/9954-winevent-powershell-output.conf
@@ -7,9 +7,9 @@ output {
 if [source_name] == "Microsoft-Windows-PowerShell" or [source_name] == "PowerShell"{
 elasticsearch {
 hosts => ["helk-elasticsearch:9200"]
- manage_template => false
 index => "logs-endpoint-winevent-powershell-%{+YYYY.MM.dd}"
 document_id => "%{[@metadata][log_hash]}"
+ document_type => "_doc"
 }
 }
 }
\ No newline at end of file
diff --git a/helk-logstash/pipeline/55-winevent-wmiactivity-output.conf b/helk-logstash/pipeline/9955-winevent-wmiactivity-output.conf
similarity index 67%
rename from helk-logstash/pipeline/55-winevent-wmiactivity-output.conf
rename to helk-logstash/pipeline/9955-winevent-wmiactivity-output.conf
index 1f80f983..6cd932f5 100644
--- a/helk-logstash/pipeline/55-winevent-wmiactivity-output.conf
+++ b/helk-logstash/pipeline/9955-winevent-wmiactivity-output.conf
@@ -8,10 +8,8 @@ output {
 elasticsearch {
 hosts => ["helk-elasticsearch:9200"]
 index => "logs-endpoint-winevent-wmiactivity-%{+YYYY.MM.dd}"
- template => "/usr/share/logstash/output_templates/winevent-wmiactivity-template.json"
- template_name => "logs-endpoint-winevent-wmiactivity"
- template_overwrite => true
 document_id => "%{[@metadata][log_hash]}"
+ document_type => "_doc"
 }
 }
 }
\ No newline at end of file
diff --git a/helk-logstash/pipeline/56-attack-output.conf b/helk-logstash/pipeline/9956-attack-output.conf
similarity index 78%
rename from helk-logstash/pipeline/56-attack-output.conf
rename to helk-logstash/pipeline/9956-attack-output.conf
index 1039801b..ae852941 100644
--- a/helk-logstash/pipeline/56-attack-output.conf
+++ b/helk-logstash/pipeline/9956-attack-output.conf
@@ -9,6 +9,9 @@ output {
 elasticsearch {
 hosts => ["helk-elasticsearch:9200"]
 index => "mitre-attack-%{+YYYY.MM.dd}"
+ document_type => "_doc"
+ user => "beats_ingest"
+ password => "123456"
 }
 }
 }
\ No newline at end of file
From 42f7e5b2fc415953796c6ad041e078366dc755ed Mon Sep 17 00:00:00 2001
From: neutron
Date: Thu, 2 Aug 2018 14:05:39 -0400
Subject: [PATCH 3/6] hardening and optimization
---
 helk-nginx/default | 103 ++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 98 insertions(+), 5 deletions(-)
diff --git a/helk-nginx/default b/helk-nginx/default
index 04c4b5ea..0af0e68d 100644
--- a/helk-nginx/default
+++ b/helk-nginx/default
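Review bot: `user => "beats_ingest"` and `password => "123456"` in the 9956-attack-output.conf elasticsearch block commit a plaintext credential to the repository, and none of the other elasticsearch outputs renamed in this commit (9950–9955) carry credentials, so either this output is inconsistent with them or a placeholder password is about to ship as the real one. Pull the values out of the file with Logstash's keystore or environment-variable substitution, e.g. `user => "${ES_USER}"` and `password => "${ES_PASSWORD}"` (constructed variable names), and rotate the secret if this value has ever been used against a live cluster. The `document_type => "_doc"` line added to every output file here is the same change repeated six times; a one-line comment in the first of them saying why the type is pinned (the removed `template`/`manage_template` settings suggest the mapping now comes from the new output_templates) would document the rest.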
@@ -1,15 +1,91 @@ +map $http_upgrade $connection_upgrade { + default upgrade; + '' close; +} server { - proxy_connect_timeout 900; - proxy_send_timeout 600; - proxy_read_timeout 600; - listen 80; - server_name 127.0.0.1; + return 301 https://$host$request_uri; +} + +server { + ## Log location ## + #access_log /var/log/nginx/kibana.access.log; + #error_log /var/log/nginx/kibana.error.log; + ## End ## + + ## (Web) Server Configuration ## + listen 443 ssl; + ssl_certificate_key /etc/ssl/private/HELK_Nginx.key; + ssl_certificate /etc/ssl/certs/HELK_Nginx.crt; + ssl_session_cache shared:SSL:10m; + ## End ## + ## Hide Version ## + server_tokens off; + ## End ## + + ## Local Authentication ## auth_basic "Restricted Access"; auth_basic_user_file /etc/nginx/htpasswd.users; + ## End ## + + ## Some Hardening/Security ## + # Web Server Attack (ie: XSS, Clickjacking) + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Frame-Options "SAMEORIGIN"; + # BufferOverflow Hardening + client_body_buffer_size 100K; + client_header_buffer_size 1k; + client_max_body_size 150k; + # TLS/SSL + ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:@STRENGTH"; + ssl_prefer_server_ciphers on; + add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;"; + # HTTP Methods + # DELETE is required for some index management + if ($request_method !~ ^(GET|PUT|POST|DELETE)$ ) { + return 444; + } + ## End ## + + ## Timeout definitions ## + proxy_connect_timeout 900; + 
proxy_send_timeout 600; + proxy_read_timeout 600; + client_body_timeout 10; + client_header_timeout 10; + keepalive_timeout 10 10; + send_timeout 10; + ## End ## + + ## Performance Tuning ## + gzip on; + gzip_comp_level 1; + gzip_min_length 1000; + gzip_proxied expired no-cache no-store private auth; + gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript; + ## End ## + + ## Kibana Settings / Kibana Proxy ## + # Kibana generates really long URI's so need to set this + large_client_header_buffers 4 16k; + # Cache static resources that are regularly requested + location ~ \.(jpg|png|ico|svg|woff2)$ { + proxy_pass http://helk-kibana:5601; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection 'upgrade'; + proxy_set_header Host $host; + proxy_cache_bypass $http_upgrade; + proxy_cache kibana_cache; + add_header Cache-Control "public"; + expires 12h; + } + # Proxy forward to elasticsearch location / { proxy_pass http://helk-kibana:5601; proxy_http_version 1.1; @@ -18,4 +94,21 @@ server { proxy_set_header Host $host; proxy_cache_bypass $http_upgrade; } + ## End ## + + ## Jupyter Proxy ## + location /jupyter/ { + if ($scheme = 'http') { + #Insecure, lets go to https + rewrite ^/(.*)$ https://$host/$1 redirect; + } + proxy_pass http://helk-jupyter:8000; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + # websocket headers + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + } + ## End ## } From df133447c1a65c4bb56b387bdb5b1f109a53416f Mon Sep 17 00:00:00 2001 From: neutron Date: Thu, 2 Aug 2018 14:05:55 -0400 Subject: [PATCH 4/6] added optimizations --- helk-kibana/kibana.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/helk-kibana/kibana.yml b/helk-kibana/kibana.yml index 0bba7810..81105e77 100644 
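Review bot: The `location ~ \.(jpg|png|ico|svg|woff2)$` block defines its own `add_header Cache-Control "public";`, and nginx inherits `add_header` from the enclosing level only when the current level defines none, so responses for those static paths are sent without any of the server-level hardening headers (X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, Strict-Transport-Security); repeat the headers inside that location or move them into a snippet that is `include`d at both levels. X-Frame-Options is also set twice with conflicting values (`add_header X-Frame-Options DENY;` and later `add_header X-Frame-Options "SAMEORIGIN";`), so both headers are emitted and browsers must pick one — keep only the value intended for Kibana. No `ssl_protocols` directive is set, so the build default applies, which on nginx releases of this era still includes TLSv1 and TLSv1.1, and the `ssl_ciphers` list explicitly keeps the 3DES suites (`ECDHE-RSA-DES-CBC3-SHA`, `EDH-RSA-DES-CBC3-SHA`, `DES-CBC3-SHA`, which `!DES` does not exclude); adding `ssl_protocols TLSv1.2;` and `!3DES` would match the "hardening" intent of the commit. `proxy_cache kibana_cache;` references a zone that must be declared with `proxy_cache_path` in the http context, which is not visible in this change — nginx refuses to start on an unknown zone, so confirm it exists.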
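Review bot: The `/jupyter/` location sets the `Upgrade` and `Connection` headers for websockets but not `proxy_http_version 1.1;`, and the proxy module defaults to HTTP/1.0, so the websocket upgrade will not be forwarded to helk-jupyter; add `proxy_http_version 1.1;` next to `proxy_pass http://helk-jupyter:8000;`. The `if ($scheme = 'http')` rewrite inside that location is unreachable in a server that only carries `listen 443 ssl;` (plain HTTP is already redirected by the first server block), and `if` inside `location` is discouraged by nginx's own guidance, so it can be dropped. The enclosing `server {` block starts in the previous hunk.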
--- a/helk-kibana/kibana.yml
+++ b/helk-kibana/kibana.yml
@@ -12,7 +12,7 @@ server.host: "helk-kibana"
 #server.basePath: ""
 
 # The maximum payload size in bytes for incoming server requests.
-#server.maxPayloadBytes: 1048576
+server.maxPayloadBytes: 2048576
 
 # The Kibana server's name. This is used for display purposes.
 server.name: "helk-kibana"
@@ -58,11 +58,11 @@ elasticsearch.url: "http://helk-elasticsearch:9200"
 
 # Time in milliseconds to wait for Elasticsearch to respond to pings. Defaults to the value of
 # the elasticsearch.requestTimeout setting.
-#elasticsearch.pingTimeout: 1500
+elasticsearch.pingTimeout: 7500
 
 # Time in milliseconds to wait for responses from the back end or Elasticsearch. This value
 # must be a positive integer.
-elasticsearch.requestTimeout: 60000
+elasticsearch.requestTimeout: 300000
 
 # List of Kibana client-side headers to send to Elasticsearch. To send *no* client-side
 # headers, set this value to [] (an empty list).
From d5fc2ecd56a73ed1f31db95e0de2443eba24f525 Mon Sep 17 00:00:00 2001
From: neutron
Date: Thu, 2 Aug 2018 14:06:06 -0400
Subject: [PATCH 5/6] match new field names
---
 helk-kibana/dashboards/Global_Dashboard.json | 22 +++++++--------
 helk-kibana/dashboards/Sysmon_Dashboard.json | 28 +++++++++----------
 .../dashboards/Sysmon_Network_Dashboard.json | 18 ++++++------
 3 files changed, 34 insertions(+), 34 deletions(-)
diff --git a/helk-kibana/dashboards/Global_Dashboard.json b/helk-kibana/dashboards/Global_Dashboard.json
index 876f680b..dccc422a 100644
--- a/helk-kibana/dashboards/Global_Dashboard.json
+++ b/helk-kibana/dashboards/Global_Dashboard.json
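Review bot: `server.maxPayloadBytes: 2048576` is not a binary boundary (2 MiB is 2097152) and reads like the old 1048576 with its first digit changed, so state the intended size explicitly. Whatever value is chosen is moot behind the nginx proxy introduced in the preceding patch, whose `client_max_body_size 150k;` rejects request bodies long before Kibana's limit applies, so the two settings should be reconciled. The commented default lines (`#server.maxPayloadBytes: 1048576`, `#elasticsearch.pingTimeout: 1500`) are replaced rather than kept alongside the new values, which hides the upstream default from the next reader; the rest of this file keeps defaults as comments, so leaving them in place above the overrides would be consistent.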
@@ -8,7 +8,7 @@ "version": 1, "attributes": { "title": "Global_process_command_line", - "visState": "{\"title\":\"Global_process_command_line\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process_command_line.raw\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"process_command_line\"}}]}", + "visState": "{\"title\":\"Global_process_command_line\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process_command_line.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"process_command_line\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "description": "", "version": 1, 
@@ -56,7 +56,7 @@ "version": 2, "attributes": { "title": "Global_Process_Name", - "visState": "{\"title\":\"Global_Process_Name\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process_name.raw\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"process_name\"}}]}", + "visState": "{\"title\":\"Global_Process_Name\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"process_name\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "description": "", "version": 1, 
@@ -72,7 +72,7 @@ "version": 1, "attributes": { "title": "Global_Process_Parent_Name", - "visState": "{\"title\":\"Global_Process_Parent_Name\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process_parent_name.raw\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"process_parent_name\"}}]}", + "visState": "{\"title\":\"Global_Process_Parent_Name\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process_parent_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"process_parent_name\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "description": "", "version": 1, 
@@ -88,7 +88,7 @@ "version": 1, "attributes": { "title": "Global_Service_Name", - "visState": "{\"title\":\"Global_Service_Name\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"service_name.raw\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"service_name\"}}]}", + "visState": "{\"title\":\"Global_Service_Name\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"service_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"service_name\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "description": "", "version": 1, 
@@ -104,7 +104,7 @@ "version": 1, "attributes": { "title": "Global_Host_Name", - "visState": "{\"title\":\"Global_Host_Name\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"host_name.raw\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\"}}]}", + "visState": "{\"title\":\"Global_Host_Name\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"host_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\"}}]}", "uiStateJSON": "{}", "description": "", "version": 1, 
@@ -120,7 +120,7 @@ "version": 1, "attributes": { "title": "Global_User_Name", - "visState": "{\"title\":\"Global_User_Name\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"user_name.raw\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\"}}]}", + "visState": "{\"title\":\"Global_User_Name\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"user_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\"}}]}", "uiStateJSON": "{}", "description": "", "version": 1, 
@@ -136,7 +136,7 @@ "version": 1, "attributes": { "title": "Global_dst_ip", - "visState": "{\"title\":\"Global_dst_ip\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dst_ip.raw\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"dst_ip\"}}]}", + "visState": "{\"title\":\"Global_dst_ip\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dst_ip_addr\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"dst_ip_addr\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "description": "", "version": 1, 
@@ -152,7 +152,7 @@ "version": 1, "attributes": { "title": "Global_Logon_Type", - "visState": "{\"title\":\"Global_Logon_Type\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"logon_type.raw\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"logon_type\"}}]}", + "visState": "{\"title\":\"Global_Logon_Type\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"logon_type.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"logon_type\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "description": "", "version": 1, 
@@ -168,7 +168,7 @@ "version": 1, "attributes": { "title": "Global_Hashes_Sha256", - "visState": "{\"title\":\"Global_Hashes_Sha256\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"hash_sha256.raw\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"hash_sha256\"}}]}", + "visState": "{\"title\":\"Global_Hashes_Sha256\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"hash_sha256.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"hash_sha256\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "description": "", "version": 1, 
@@ -213,7 +213,7 @@ "attributes": { "title": "logs-*", "timeFieldName": "@timestamp", - "fields": "[{\"name\":\"@meta.sysmon.timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"@version.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"action\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"action.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"activity_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"activity_id.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}
,{\"name\":\"beat.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat.hostname.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat.name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat.version.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_command_line\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_command_line.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_host.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_ip.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_is_ipv6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_is_ipv6.raw\",\"type\":\"strin
g\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_port_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Address\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.Address.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.AddressLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.AddressLength.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Attributes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.Attributes.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Binary\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.Binary.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.BiosInitDuration\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":
\"event_data.BiosInitDuration.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DriverInitDuration\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.DriverInitDuration.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.EffectiveState\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.EffectiveState.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Flags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.Flags.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.HiberPagesWritten\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.HiberPagesWritten.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.HiberReadDuration\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.HiberReadDuration.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.HiberWriteDuration\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.HiberWriteD
uration.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.NewTime\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.NoMultiStageResumeReason\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.NoMultiStageResumeReason.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.OldTime\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.QueryName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.QueryName.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Reason\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.Reason.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SleepDuration\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.SleepDuration.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SleepTime\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TargetState\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":
true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.TargetState.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TransitionsToOn\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.TransitionsToOn.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.WakeDuration\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.WakeDuration.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.WakeSourceTextLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.WakeSourceTextLength.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.WakeSourceType\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.WakeSourceType.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.WakeTime\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.WakeTimerContextLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.WakeTimerContextLength.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatab
le\":true,\"readFromDocValues\":true},{\"name\":\"event_data.WakeTimerOwnerLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.WakeTimerOwnerLength.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.param1.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.param2.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.param3.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param4\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.param4.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.param5.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param6\",\"type\":\"string\",\"count\":
0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.param6.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@date_creation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"@date_creation.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.city_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.continent_code.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.country_code2.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.country_code3\",\"type\":\"string\",\"count\
":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.country_code3.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.country_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.latitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.postal_code.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.region_code.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.region_name.raw\",\"type\":\"st
ring\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.timezone.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash_imphash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_imphash.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash_md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_md5.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash_sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_sha1.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash_sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_sha256.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host_name\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"module_loaded\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true
,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"module_loaded.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"module_signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"module_signature.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"module_signature_status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"module_signature_status.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"module_signed\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"impersonation_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"impersonation_level.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"keywords\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"keywords.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"level.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log_name\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":f
alse,\"readFromDocValues\":false},{\"name\":\"log_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_authentication_package_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_authentication_package_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_elevated_token\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_elevated_token.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_key_length\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_key_length.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_package_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_package_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_privileges_assigned\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_privileges_assigned.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_process_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_process_name.raw\",\"type\":\"
string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_restricted_adminmode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_restricted_adminmode.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_transmitted_services\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_transmitted_services.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_type.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_virtual_account\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_virtual_account.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network_initiated\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network_protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"
network_protocol.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"opcode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"opcode.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_command_line\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_command_line.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pipe_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"pipe_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_calltrace\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_calltrace.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_current_directory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_current_directory.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_granted_access\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_granted_access.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"re
adFromDocValues\":true},{\"name\":\"process_guid\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_guid.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_integrity_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_integrity_level.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_name\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_guid.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatab
le\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_path.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_path.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_process_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_process_guid.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_process_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_process_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_process_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_process_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_process_path.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"thread_id.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"provider_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"a
ggregatable\":false,\"readFromDocValues\":false},{\"name\":\"provider_guid.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"device_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"device_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"record_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"record_number.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"registry_key_value\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"registry_key_value.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"registry_event_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"registry_event_type.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"registry_key_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"registry_key_path.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reporter_logon_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reporter_logon_id.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchab
le\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_domain.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_sid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_sid.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_type.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_account_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_account_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_enumerated_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_enumerated_domain.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_enumerated_name\
",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_enumerated_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_enumerated_sid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_enumerated_sid.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_host_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_host_info.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_host_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_host_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_image_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_image_path.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_start_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":f
alse},{\"name\":\"service_start_type.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_type.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"spp_restart_scheduled\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_host_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_host_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_ip.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_is_ipv6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_is_ipv6.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_port_name.raw\",\"
type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system_new_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@date_previous_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tags.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"task\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"task.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_session_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_newthreadid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"type.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_data.User\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"re
adFromDocValues\":false},{\"name\":\"user_data.User.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_domain\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_domain.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_user_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_user_domain.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_user_logon_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_user_logon_guid.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_user_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_user_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_logon_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_logon_guid.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_logon_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_linked_logon_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatab
le\":false,\"readFromDocValues\":false},{\"name\":\"user_linked_logon_id.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_name\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_network_account_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_network_account_domain.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_network_account_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_network_account_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_sid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_sid.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_type.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_client_machine\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggre
gatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_client_machine.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_component\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_component.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_id.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_operation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_operation.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_possible_cause\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_possible_cause.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_result_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_result_code.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_xml_operation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_xml_operation.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\
":true,\"readFromDocValues\":true}]"
+ "fields": "[{\"name\":\"@meta.sysmon.timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"@version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"action\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"action.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"activity_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"activity_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.hostname\",\"type\"
:\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat.hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat.version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_command_line\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_command_line.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_ip_addr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_ip_addr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_port_name.keyword\",\"type\":\"string\"
,\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Address\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.Address.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.AddressLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.AddressLength.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Attributes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.Attributes.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Binary\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.Binary.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.BiosInitDuration\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.BiosInitDuration.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DriverInitDuration\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\
":false,\"readFromDocValues\":false},{\"name\":\"event_data.DriverInitDuration.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.EffectiveState\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.EffectiveState.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Flags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.Flags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.HiberPagesWritten\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.HiberPagesWritten.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.HiberReadDuration\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.HiberReadDuration.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.HiberWriteDuration\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.HiberWriteDuration.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.NewTime\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"re
adFromDocValues\":true},{\"name\":\"event_data.NoMultiStageResumeReason\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.NoMultiStageResumeReason.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.OldTime\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.QueryName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.QueryName.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Reason\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.Reason.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SleepDuration\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.SleepDuration.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SleepTime\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TargetState\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.TargetState.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.T
ransitionsToOn\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.TransitionsToOn.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.WakeDuration\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.WakeDuration.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.WakeSourceTextLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.WakeSourceTextLength.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.WakeSourceType\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.WakeSourceType.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.WakeTime\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.WakeTimerContextLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.WakeTimerContextLength.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.WakeTimerOwnerLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"even
t_data.WakeTimerOwnerLength.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.param1.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.param2.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.param3.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param4\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.param4.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.param5.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.param6.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":
true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@date_creation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"@date_creation.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.countr
y_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.dma_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.latitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.region_name\",\"type\":\"string\",\"count\":0,
\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash_imphash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_imphash.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash_md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_md5.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash_sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_sha1.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash_sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_sha256.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host_name\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"module_loaded\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"
searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"module_loaded.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"module_signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"module_signature.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"module_signature_status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"module_signature_status.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"module_signed\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"impersonation_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"impersonation_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"keywords\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"keywords.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log_name\",\"type\":\"string\",\"count\":1,\"scripted\":fal
se,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_authentication_package_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_authentication_package_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_elevated_token\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_elevated_token.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_key_length\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_key_length.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_package_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_package_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_privileges_assigned\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_privileges_assigned.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_process_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDo
cValues\":false},{\"name\":\"logon_process_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_restricted_adminmode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_restricted_adminmode.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_transmitted_services\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_transmitted_services.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_virtual_account\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_virtual_account.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network_initiated\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network_protocol\",\"type\":\"string\",\"count\":0,\"scripted\":f
alse,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"network_protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"opcode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"opcode.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_command_line\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_command_line.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pipe_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"pipe_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_calltrace\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_calltrace.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_current_directory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_current_directory.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_granted_access\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_grant
ed_access.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_guid\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_integrity_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_integrity_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_name\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFr
omDocValues\":true},{\"name\":\"process_parent_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_process_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_process_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_process_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_process_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_process_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_process_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_process_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"thread_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchabl
e\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"provider_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"provider_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"device_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"device_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"record_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"record_number.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"registry_key_value\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"registry_key_value.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"registry_event_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"registry_event_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"registry_key_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"registry_key_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reporter_logon_id\",\"type\":\"string\",\"count\":0,\"s
cripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reporter_logon_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_sid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_sid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_account_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_account_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_enumerated_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\"
:false},{\"name\":\"service_enumerated_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_enumerated_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_enumerated_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_enumerated_sid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_enumerated_sid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_host_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_host_info.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_host_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_host_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_image_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_image_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_name.keyword\",\"type\":\"string\",\"count\":0,\"
scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_start_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_start_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"spp_restart_scheduled\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_host_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_host_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_ip_addr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_ip_addr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_port_name.keyword\",\"type\":\"string\",\"count\":0,\"scrip
ted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system_new_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@date_previous_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"task\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"task.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_session_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_newthreadid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_data.User\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},
{\"name\":\"user_data.User.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_domain\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_user_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_user_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_user_logon_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_user_logon_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_user_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_user_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_logon_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_logon_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_logon_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_linked_logon_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatabl
e\":false,\"readFromDocValues\":false},{\"name\":\"user_linked_logon_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_name\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_network_account_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_network_account_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_network_account_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_network_account_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_sid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_sid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_client_machine\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"se
archable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_client_machine.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_component\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_component.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_operation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_operation.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_possible_cause\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_possible_cause.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_result_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_result_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_xml_operation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_xml_operation.keyword\",\"type\":\"string\",\"count\":0,\"s
cripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]" } }, { 
@@ -224,7 +224,7 @@ "attributes": {
 "title": "logs-endpoint-*",
 "timeFieldName": "@timestamp",
- "fields": "[{\"name\":\"@meta.sysmon.timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"@version.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"action\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"action.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"activity_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"activity_id.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValue
s\":true},{\"name\":\"beat.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat.hostname.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat.name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat.version.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_command_line\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_command_line.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_host.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_ip.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_is_ipv6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_is_ipv6.raw\",\"type\
":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_port_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Address\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.Address.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.AddressLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.AddressLength.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Attributes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.Attributes.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Binary\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.Binary.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.BiosInitDuration\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{
\"name\":\"event_data.BiosInitDuration.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DriverInitDuration\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.DriverInitDuration.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.EffectiveState\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.EffectiveState.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Flags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.Flags.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.HiberPagesWritten\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.HiberPagesWritten.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.HiberReadDuration\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.HiberReadDuration.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.HiberWriteDuration\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.Hi
berWriteDuration.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.NewTime\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.NoMultiStageResumeReason\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.NoMultiStageResumeReason.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.OldTime\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.QueryName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.QueryName.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Reason\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.Reason.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SleepDuration\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.SleepDuration.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SleepTime\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TargetState\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"sear
chable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.TargetState.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TransitionsToOn\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.TransitionsToOn.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.WakeDuration\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.WakeDuration.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.WakeSourceTextLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.WakeSourceTextLength.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.WakeSourceType\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.WakeSourceType.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.WakeTime\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.WakeTimerContextLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.WakeTimerContextLength.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"a
ggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.WakeTimerOwnerLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.WakeTimerOwnerLength.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.param1.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.param2.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.param3.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param4\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.param4.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.param5.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param6\",\"type\":\"string\",\
"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.param6.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.serviceGuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.serviceGuid.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.updateGuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.updateGuid.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.updateRevisionNumber\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.updateRevisionNumber.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.updateTitle\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.updateTitle.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@date_creation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"@date_creation.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocVa
lues\":true},{\"name\":\"file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.city_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.continent_code.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.country_code2.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.country_code3.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.country_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":tr
ue,\"readFromDocValues\":true},{\"name\":\"geoip.latitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.postal_code.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.region_code.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.region_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.timezone.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash_imphash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_imphash.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true
,\"readFromDocValues\":true},{\"name\":\"hash_md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_md5.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash_sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_sha1.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash_sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_sha256.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"module_loaded\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"module_loaded.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"module_signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"module_signature.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"module_signature_status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":
\"module_signature_status.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"module_signed\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"impersonation_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"impersonation_level.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"keywords\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"keywords.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"level.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_authentication_package_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_authentication_package_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_elevated_token\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"
name\":\"logon_elevated_token.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_key_length\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_key_length.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_package_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_package_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_privileges_assigned\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_privileges_assigned.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_process_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_process_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_restricted_adminmode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_restricted_adminmode.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_transmitted_services\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_transmitted_services.raw\",\"type\":\"string\",\"count\":0,\"scri
pted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_type.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_virtual_account\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_virtual_account.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network_initiated\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network_protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"network_protocol.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"opcode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"opcode.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_command_line\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_command_line.raw\",\"type\":\"string\",\"count\":0,\"scripted
\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pipe_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"pipe_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_calltrace\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_calltrace.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_current_directory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_current_directory.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_granted_access\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_granted_access.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_guid.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_integrity_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_integrity_level.raw\",\"type\":\"s
tring\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_guid.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_path.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_path.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_process_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_process_gu
id.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_process_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_process_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_process_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_process_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_process_path.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"thread_id.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"provider_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"provider_guid.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"device_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"device_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"record_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"record_number.raw\",\"
type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"registry_key_value\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"registry_key_value.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"registry_event_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"registry_event_type.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"registry_key_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"registry_key_path.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reporter_logon_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reporter_logon_id.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_domain.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":t
rue},{\"name\":\"user_reporter_sid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_sid.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_type.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_account_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_account_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_enumerated_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_enumerated_domain.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_enumerated_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_enumerated_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_enumerated_sid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_enumerated_sid.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_host_info\",\"type\":\"string\",\"count\":0,\"scripted\":
false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_host_info.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_host_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_host_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_image_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_image_path.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_start_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_start_type.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_type.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_name.raw\",\"type\":\"string\",\"count\":0,\"scripted
\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"spp_restart_reason\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"spp_restart_reason.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"spp_restart_scheduled\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_host_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_host_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_ip.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_is_ipv6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_is_ipv6.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_port_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system_new_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregata
ble\":true,\"readFromDocValues\":true},{\"name\":\"@date_previous_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tags.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"task\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"task.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_session_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_newthreadid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_startaddress\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"thread_startaddress.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_startfunction\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"thread_startfunction.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_startmodule\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":fal
se},{\"name\":\"thread_startmodule.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"type.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_data.User\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_data.User.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_domain.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_user_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_user_domain.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_user_logon_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_user_logon_guid.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_user_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_user_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},
{\"name\":\"user_logon_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_logon_guid.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_logon_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_linked_logon_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_linked_logon_id.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_network_account_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_network_account_domain.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_network_account_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_network_account_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_sid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_sid.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"r
eadFromDocValues\":true},{\"name\":\"user_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_type.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_client_machine\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_client_machine.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_component\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_component.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_id.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_operation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_operation.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_possible_cause\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_possible_cause.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":
\"wmi_provider\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_provider.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_provider_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_provider_path.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_result_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_result_code.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_xml_operation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_xml_operation.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]" + "fields": 
"[{\"name\":\"@meta.sysmon.timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"@version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"action\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"action.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"activity_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"activity_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"sear
chable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat.hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat.version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_command_line\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_command_line.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_ip_addr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_ip_addr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_port_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":tr
ue,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Address\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.Address.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.AddressLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.AddressLength.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Attributes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.Attributes.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Binary\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.Binary.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.BiosInitDuration\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.BiosInitDuration.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DriverInitDuration\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"
event_data.DriverInitDuration.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.EffectiveState\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.EffectiveState.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Flags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.Flags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.HiberPagesWritten\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.HiberPagesWritten.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.HiberReadDuration\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.HiberReadDuration.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.HiberWriteDuration\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.HiberWriteDuration.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.NewTime\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.No
MultiStageResumeReason\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.NoMultiStageResumeReason.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.OldTime\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.QueryName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.QueryName.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Reason\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.Reason.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SleepDuration\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.SleepDuration.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SleepTime\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TargetState\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.TargetState.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TransitionsToOn\",\"type\":\"string\",\"count\":0,
\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.TransitionsToOn.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.WakeDuration\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.WakeDuration.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.WakeSourceTextLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.WakeSourceTextLength.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.WakeSourceType\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.WakeSourceType.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.WakeTime\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.WakeTimerContextLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.WakeTimerContextLength.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.WakeTimerOwnerLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.WakeTimerOwnerLength.keyword\",\"type\":\"
string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.param1.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.param2.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.param3.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param4\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.param4.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.param5.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.param6.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":
true},{\"name\":\"event_data.serviceGuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.serviceGuid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.updateGuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.updateGuid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.updateRevisionNumber\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.updateRevisionNumber.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.updateTitle\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_data.updateTitle.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@date_creation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"@date_creation.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_name.keyword\",\"type\":\"string\",\"count\":0,\"scripte
d\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.dma_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.latitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":tru
e,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash_imphash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_imphash.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"
hash_md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_md5.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash_sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_sha1.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash_sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_sha256.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"module_loaded\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"module_loaded.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"module_signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"module_signature.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"module_signature_status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"module_signatur
e_status.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"module_signed\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"impersonation_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"impersonation_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"keywords\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"keywords.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_authentication_package_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_authentication_package_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_elevated_token\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":fal
se},{\"name\":\"logon_elevated_token.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_key_length\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_key_length.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_package_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_package_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_privileges_assigned\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_privileges_assigned.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_process_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_process_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_restricted_adminmode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_restricted_adminmode.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_transmitted_services\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_transmitted_services.keyword\",\"t
ype\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_virtual_account\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_virtual_account.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network_initiated\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network_protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"network_protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"opcode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"opcode.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_command_line\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_comman
d_line.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pipe_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"pipe_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_calltrace\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_calltrace.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_current_directory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_current_directory.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_granted_access\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_granted_access.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_integrity_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"re
adFromDocValues\":false},{\"name\":\"process_integrity_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_process_guid\",\"type\":\"string\",\"count\":0,\"scripted\":fals
e,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_process_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_process_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_process_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_process_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_process_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_process_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"thread_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"provider_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"provider_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"device_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"device_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"record_number\",\"type\":\"string\",\"count\":
0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"record_number.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"registry_key_value\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"registry_key_value.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"registry_event_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"registry_event_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"registry_key_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"registry_key_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reporter_logon_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reporter_logon_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\
"name\":\"user_reporter_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_sid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_sid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_account_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_account_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_enumerated_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_enumerated_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_enumerated_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_enumerated_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_enumerated_sid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_enumerated_sid.keyword\",\"type\":\"string\"
,\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_host_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_host_info.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_host_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_host_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_image_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_image_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_start_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_start_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source
_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"spp_restart_reason\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"spp_restart_reason.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"spp_restart_scheduled\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_host_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_host_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_ip_addr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_ip_addr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_port_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system_new_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@date_previous_time\",\"
type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"task\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"task.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_session_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_newthreadid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_startaddress\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"thread_startaddress.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_startfunction\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"thread_startfunction.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_startmodule\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"thread_startmodule.keyword\",\"type\":\"str
ing\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_data.User\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_data.User.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_user_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_user_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_user_logon_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_user_logon_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_user_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_user_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_logon_guid\",\
"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_logon_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_logon_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_linked_logon_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_linked_logon_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_network_account_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_network_account_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_network_account_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_network_account_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_sid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_sid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFrom
DocValues\":true},{\"name\":\"user_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_client_machine\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_client_machine.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_component\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_component.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_operation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_operation.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_possible_cause\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_possible_cause.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\"
:true},{\"name\":\"wmi_provider\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_provider.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_provider_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_provider_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_result_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_result_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wmi_xml_operation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wmi_xml_operation.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]" } }, {
diff --git a/helk-kibana/dashboards/Sysmon_Dashboard.json b/helk-kibana/dashboards/Sysmon_Dashboard.json
index e113f885..d993015a 100644
--- a/helk-kibana/dashboards/Sysmon_Dashboard.json
+++ b/helk-kibana/dashboards/Sysmon_Dashboard.json
@@ -8,7 +8,7 @@
 "version": 1,
 "attributes": {
 "title": "Sysmon_Process_Command_Line",
- "visState": "{\"title\":\"Sysmon_Process_Command_Line\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process_command_line.raw\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"process_command_line\"}}]}",
+ "visState": "{\"title\":\"Sysmon_Process_Command_Line\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process_command_line.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"process_command_line\"}}]}",
 "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
 "description": "",
 "version": 1,
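Review bot: The terms bucket on `process_command_line.keyword` will silently omit any command line longer than that subfield's `ignore_above` limit, so if the new index templates keep the common Elasticsearch default of 256 for `keyword` multi-fields, exactly the long command lines this Sysmon table should surface will vanish from it with no indication in the UI. The template mapping is not visible here, so please confirm `ignore_above` is raised or unset for `process_command_line`, and likewise for `process_parent_command_line` (hunk at -104) and `registry_key_path` (hunk at -168), and consider recording the chosen limit in this visualization's `description`, which is currently empty. The `.raw` → `.keyword` switch also has to be mirrored in the index-pattern saved object's `fields` list later in this file, otherwise Kibana reports the field as missing; that hunk (-276) runs past this view.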
@@ -56,7 +56,7 @@
 "version": 1,
 "attributes": {
 "title": "Sysmon_File_Name",
- "visState": "{\"title\":\"Sysmon_File_Name\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file_name.raw\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"file_name\"}}]}",
+ "visState": "{\"title\":\"Sysmon_File_Name\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"file_name\"}}]}",
 "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
 "description": "",
 "version": 1,
@@ -72,7 +72,7 @@
 "version": 1,
 "attributes": {
 "title": "Sysmon_Host_Name",
- "visState": "{\"title\":\"Sysmon_Host_Name\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"host_name.raw\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\"}}]}",
+ "visState": "{\"title\":\"Sysmon_Host_Name\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"host_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\"}}]}",
 "uiStateJSON": "{}",
 "description": "",
 "version": 1,
@@ -88,7 +88,7 @@
 "version": 1,
 "attributes": {
 "title": "Sysmon_module_loaded",
- "visState": "{\"title\":\"Sysmon_module_loaded\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"module_loaded.raw\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"module_loaded\"}}]}",
+ "visState": "{\"title\":\"Sysmon_module_loaded\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"module_loaded.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"module_loaded\"}}]}",
 "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
 "description": "",
 "version": 1,
@@ -104,7 +104,7 @@
 "version": 1,
 "attributes": {
 "title": "Sysmon_Process_Parent_Command_Line",
- "visState": "{\"title\":\"Sysmon_Process_Parent_Command_Line\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process_parent_command_line.raw\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"process_parent_command_line\"}}]}",
+ "visState": "{\"title\":\"Sysmon_Process_Parent_Command_Line\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process_parent_command_line.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"process_parent_command_line\"}}]}",
 "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
 "description": "",
 "version": 1,
@@ -120,7 +120,7 @@
 "version": 1,
 "attributes": {
 "title": "Sysmon_Pipe_Name",
- "visState": "{\"title\":\"Sysmon_Pipe_Name\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"pipe_name.raw\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"pipe_name\"}}]}",
+ "visState": "{\"title\":\"Sysmon_Pipe_Name\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"pipe_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"pipe_name\"}}]}",
 "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
 "description": "",
 "version": 1,
@@ -136,7 +136,7 @@
 "version": 1,
 "attributes": {
 "title": "Sysmon_Process_Granted_Access",
- "visState": "{\"title\":\"Sysmon_Process_Granted_Access\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process_granted_access.raw\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"process_granted_access\"}}]}",
+ "visState": "{\"title\":\"Sysmon_Process_Granted_Access\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process_granted_access.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"process_granted_access\"}}]}",
 "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
 "description": "",
 "version": 1,
@@ -152,7 +152,7 @@
 "version": 1,
 "attributes": {
 "title": "Sysmon_Process_Parent_Name",
- "visState": "{\"title\":\"Sysmon_Process_Parent_Name\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process_parent_name.raw\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"process_parent_name\"}}]}",
+ "visState": "{\"title\":\"Sysmon_Process_Parent_Name\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process_parent_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"process_parent_name\"}}]}",
 "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
 "description": "",
 "version": 1,
@@ -168,7 +168,7 @@
 "version": 1,
 "attributes": {
 "title": "Sysmon_Registry_Key_Path",
- "visState": "{\"title\":\"Sysmon_Registry_Key_Path\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"registry_key_path.raw\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"registry_key_path\"}}]}",
+ "visState": "{\"title\":\"Sysmon_Registry_Key_Path\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"registry_key_path.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"registry_key_path\"}}]}",
 "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
 "description": "",
 "version": 1,
@@ -184,7 +184,7 @@
 "version": 1,
 "attributes": {
 "title": "Sysmon_User_Name",
- "visState": "{\"title\":\"Sysmon_User_Name\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"user_name.raw\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\"}}]}",
+ "visState": "{\"title\":\"Sysmon_User_Name\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"user_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\"}}]}",
 "uiStateJSON": "{}",
 "description": "",
 "version": 1,
@@ -200,7 +200,7 @@
 "version": 1,
 "attributes": {
 "title": "Sysmon_Process_Name",
- "visState": "{\"title\":\"Sysmon_Process_Name\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process_name.raw\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"process_name\"}}]}",
+ "visState": "{\"title\":\"Sysmon_Process_Name\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"process_name\"}}]}",
 "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
 "description": "",
 "version": 1,
@@ -243,7 +243,7 @@
 "version": 1,
 "attributes": {
 "title": "Sysmon_Unique_module_loaded",
- "visState": "{\"title\":\"Sysmon_Unique_module_loaded\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"hash_sha256.raw\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"hash_sha256\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"module_loaded.raw\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":1,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"module_loaded\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"module_loaded.raw\",\"customLabel\":\"uniq module_loaded\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"host_name.raw\",\"customLabel\":\"uniq host_name\"}}]}",
+ "visState": "{\"title\":\"Sysmon_Unique_module_loaded\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"hash_sha256.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"hash_sha256\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"module_loaded.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":1,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"module_loaded\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"module_loaded.keyword\",\"customLabel\":\"uniq module_loaded\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"host_name.keyword\",\"customLabel\":\"uniq host_name\"}}]}",
 "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
 "description": "",
 "version": 1,
@@ -259,7 +259,7 @@
 "version": 1,
 "attributes": {
 "title": "Sysmon_Unique_Process_Name",
- "visState": "{\"title\":\"Sysmon_Unique_Process_Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"hash_sha256.raw\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"hash_sha256\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process_name.raw\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":1,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"process_name\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"process_name.raw\",\"customLabel\":\"uniq process_name\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"host_name.raw\",\"customLabel\":\"uniq host_name\"}}]}",
+ "visState": "{\"title\":\"Sysmon_Unique_Process_Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"hash_sha256.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"hash_sha256\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":1,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"process_name\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"process_name.keyword\",\"customLabel\":\"uniq process_name\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"host_name.keyword\",\"customLabel\":\"uniq host_name\"}}]}",
 "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
 "description": "",
 "version": 1,
@@ -276,7 +276,7 @@ "attributes": { "title": "logs-endpoint-winevent-sysmon-*", "timeFieldName": "@timestamp", - "fields": "[{\"name\":\"@meta.sysmon.timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"@version.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"action\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"action.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat.hostname.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":tru
e,\"readFromDocValues\":true},{\"name\":\"beat.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat.name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat.version.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_command_line\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_command_line.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_host.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_ip\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_ip.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_isipv6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_isipv6.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_port_
name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@date_creation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"@date_creation.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.city_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.continent_code.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.country_code2.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.country_code3\",\"
type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.country_code3.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.country_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.latitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.postal_code.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.region_code.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.regio
n_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.timezone.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash_imphash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_imphash.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash_md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_md5.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash_sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_sha1.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash_sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_sha256.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host_name\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"module_loaded\",\"type\":\"string\",\"count\":0,\"scripted\"
:false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"module_loaded.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"module_signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"module_signature.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"module_signature_status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"module_signature_status.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"module_signed\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"level.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network_initiated\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network_protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"network_protocol.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"search
able\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"opcode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"opcode.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_command_line\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_command_line.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pipe_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"pipe_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_calltrace\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_calltrace.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_current_directory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_current_directory.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_granted_access\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_granted_access.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_guid\",\"type\":\"string\",\"count\":1
,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_guid.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_integrity_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_integrity_level.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_name\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_guid.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_name\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_path.raw\",\"ty
pe\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_path\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_path.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_process_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_process_guid.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_process_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_process_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_process_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_process_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_process_path.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"thread_id.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"provider_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"provider_guid.raw\",\
"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"device_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"device_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"record_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"record_number.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"registry_key_value\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"registry_key_value.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"registry_event_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"registry_event_type.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"registry_key_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"registry_key_path.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_domain.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user
_reporter_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_sid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_sid.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_type.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_host_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_host_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_ip.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_is_ipv6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_is_ipv6.raw\",\"t
ype\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_port_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tags.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"task\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"task.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_session_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_new_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"type.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_domain\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromD
ocValues\":false},{\"name\":\"user_domain.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_logon_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_logon_guid.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_logon_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_name\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]" + "fields": 
"[{\"name\":\"@meta.sysmon.timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"@version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"action\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"action.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat.hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"sear
chable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat.version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_command_line\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_command_line.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_ip_addr\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_ip_addr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_port_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatabl
e\":true,\"readFromDocValues\":true},{\"name\":\"@date_creation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"@date_creation.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.city_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.continent_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.country_code2.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.country_code3.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":f
alse,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.country_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.latitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.postal_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.region_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.region_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.timezone.keyword\",\"type\":\"string\",
\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash_imphash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_imphash.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash_md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_md5.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash_sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_sha1.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash_sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_sha256.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host_name\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"module_loaded\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"module_loaded.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"module_signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\
"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"module_signature.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"module_signature_status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"module_signature_status.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"module_signed\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network_initiated\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network_protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"network_protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"opcode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"opcode.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searcha
ble\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_command_line\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_command_line.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pipe_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"pipe_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_calltrace\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_calltrace.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_current_directory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_current_directory.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_granted_access\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_granted_access.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_guid\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_id\
",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_integrity_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_integrity_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_name\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_name\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_path\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFro
mDocValues\":false},{\"name\":\"process_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_process_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_process_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_process_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_process_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_process_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_process_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_process_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"thread_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"provider_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"provider_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"device_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggr
egatable\":false,\"readFromDocValues\":false},{\"name\":\"device_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"record_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"record_number.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"registry_key_value\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"registry_key_value.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"registry_event_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"registry_event_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"registry_key_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"registry_key_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_name.keyword\",\"type\":\"string\
",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_sid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_sid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_host_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_host_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_ip_addr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_ip_addr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_port_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_port\",\"type\":\"number\",\"co
unt\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"task\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"task.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_session_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_new_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_domain\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_logon_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_logon_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,
\"readFromDocValues\":true},{\"name\":\"user_logon_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_name\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]"
 }
 },
 {
diff --git a/helk-kibana/dashboards/Sysmon_Network_Dashboard.json b/helk-kibana/dashboards/Sysmon_Network_Dashboard.json
index 3803b56d..658aee63 100644
--- a/helk-kibana/dashboards/Sysmon_Network_Dashboard.json
+++ b/helk-kibana/dashboards/Sysmon_Network_Dashboard.json
@@ -25,7 +25,7 @@
 "version": 1,
 "attributes": {
 "title": "Sysmon_Network_Country_Name",
- "visState": "{\"title\":\"Sysmon_Network_Country_Name\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.country_name.raw\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"geoip.country_name\"}}]}",
+ "visState": "{\"title\":\"Sysmon_Network_Country_Name\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"meta_dst_ip_geo.country_name\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"meta_dst_ip_geo.country_name\"}}]}",
 "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
 "description": "",
 "savedSearchId": "754acc80-1de6-11e8-8f1b-1b86647d4817",
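Review bot: The terms aggregation now targets the bare field `meta_dst_ip_geo.country_name`, while the other visualizations in this file (Host_Name at @@ -42, Process_Name at @@ -76, User_Name at @@ -144) switch to the aggregatable `.keyword` multi-field; this only works if the new output template maps `meta_dst_ip_geo.*` directly as `keyword`, otherwise Kibana rejects the aggregation with a fielddata error on a text field. The same dependency on the new mapping applies to City_Name at @@ -93 (`meta_dst_ip_geo.city_name`), to the geohash_grid on `meta_dst_ip_geo.location` in the Map at @@ -59, which needs a `geo_point` mapping, and to `dst_ip_addr` at @@ -110, which needs the `ip` type the commit message says it adds. The templates are not in this chunk, so importing the dashboard against an index created from the new template and opening each visualization is the check I would want before merging. Separately, `customLabel` now shows the raw field name in the table header; a reader-facing label such as `\"customLabel\":\"country_name\"` keeps the dashboard stable across future field renames.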
@@ -42,7 +42,7 @@
 "version": 1,
 "attributes": {
 "title": "Sysmon_Network_Host_Name",
- "visState": "{\"title\":\"Sysmon_Network_Host_Name\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"host_name.raw\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\"}}]}",
+ "visState": "{\"title\":\"Sysmon_Network_Host_Name\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"host_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\"}}]}",
 "uiStateJSON": "{}",
 "description": "",
 "savedSearchId": "754acc80-1de6-11e8-8f1b-1b86647d4817",
@@ -59,7 +59,7 @@
 "version": 1,
 "attributes": {
 "title": "Sysmon_Network_Map",
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"autoPrecision\":true,\"field\":\"geoip.location\",\"isFilteredByCollar\":true,\"precision\":2,\"useGeocentroid\":true},\"schema\":\"segment\",\"type\":\"geohash_grid\"}],\"params\":{\"addTooltip\":true,\"heatClusterSize\":2,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapType\":\"Scaled Circle Markers\",\"mapZoom\":2,\"wms\":{\"baseLayersAreLoaded\":{},\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"selectedTmsLayer\":{\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"id\":\"road_map\",\"maxZoom\":10,\"minZoom\":0,\"subdomains\":[],\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.2.3\"},\"tmsLayers\":[{\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"id\":\"road_map\",\"maxZoom\":10,\"minZoom\":0,\"subdomains\":[],\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.2.3\"}]}},\"title\":\"Sysmon_Network_Map\",\"type\":\"tile_map\"}",
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"autoPrecision\":true,\"field\":\"meta_dst_ip_geo.location\",\"isFilteredByCollar\":true,\"precision\":2,\"useGeocentroid\":true},\"schema\":\"segment\",\"type\":\"geohash_grid\"}],\"params\":{\"addTooltip\":true,\"heatClusterSize\":2,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapType\":\"Scaled Circle Markers\",\"mapZoom\":2,\"wms\":{\"baseLayersAreLoaded\":{},\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"selectedTmsLayer\":{\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"id\":\"road_map\",\"maxZoom\":10,\"minZoom\":0,\"subdomains\":[],\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.2.3\"},\"tmsLayers\":[{\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"id\":\"road_map\",\"maxZoom\":10,\"minZoom\":0,\"subdomains\":[],\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.2.3\"}]}},\"title\":\"Sysmon_Network_Map\",\"type\":\"tile_map\"}",
 "uiStateJSON": "{}",
 "description": "",
 "savedSearchId": "754acc80-1de6-11e8-8f1b-1b86647d4817",
@@ -76,7 +76,7 @@
 "version": 1,
 "attributes": {
 "title": "Sysmon_Network_Process_Name",
- "visState": "{\"title\":\"Sysmon_Network_Process_Name\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process_name.raw\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"process_name\"}}]}",
+ "visState": "{\"title\":\"Sysmon_Network_Process_Name\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"process_name\"}}]}",
 "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
 "description": "",
 "savedSearchId": "754acc80-1de6-11e8-8f1b-1b86647d4817",
@@ -93,7 +93,7 @@
 "version": 1,
 "attributes": {
 "title": "Sysmon_Network_City_Name",
- "visState": "{\"title\":\"Sysmon_Network_City_Name\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.city_name.raw\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\"}}]}",
+ "visState": "{\"title\":\"Sysmon_Network_City_Name\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"meta_dst_ip_geo.city_name\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\"}}]}",
 "uiStateJSON": "{}",
 "description": "",
 "savedSearchId": "754acc80-1de6-11e8-8f1b-1b86647d4817",
@@ -110,7 +110,7 @@
 "version": 1,
 "attributes": {
 "title": "Sysmon_Network_dst_ip",
- "visState": "{\"title\":\"Sysmon_Network_dst_ip\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"dst_ip.raw\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"\"}}]}",
+ "visState": "{\"title\":\"Sysmon_Network_dst_ip\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"dst_ip_addr\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"\"}}]}",
 "uiStateJSON": "{}",
 "description": "",
 "savedSearchId": "754acc80-1de6-11e8-8f1b-1b86647d4817",
@@ -144,7 +144,7 @@
 "version": 1,
 "attributes": {
 "title": "Sysmon_Network_User_Name",
- "visState": "{\"title\":\"Sysmon_Network_User_Name\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"user_name.raw\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"user_name\"}}]}",
+ "visState": "{\"title\":\"Sysmon_Network_User_Name\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"user_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"user_name\"}}]}",
 "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
 "description": "",
 "savedSearchId": "754acc80-1de6-11e8-8f1b-1b86647d4817",
@@ -169,7 +169,7 @@
 "user_name",
 "process_path",
 "process_name",
- "dst_ip"
+ "dst_ip_addr"
 ],
 "sort": [
 "@timestamp",
@@ -189,7 +189,7 @@ "attributes": { "title": "logs-endpoint-winevent-sysmon-*", "timeFieldName": "@timestamp", - "fields": "[{\"name\":\"@meta.sysmon.timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"@version.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"action\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"action.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat.hostname.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":tru
e,\"readFromDocValues\":true},{\"name\":\"beat.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat.name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat.version.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_command_line\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_command_line.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_host.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_ip\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_ip.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_is_ipv6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_is_ipv6.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_por
t_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_creation_time\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_creation_time.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.city_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.continent_code.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.country_code2.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.country_
code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.country_code3.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.country_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.latitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.postal_code.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.region_code.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"g
eoip.region_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.timezone.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash_imphash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_imphash.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash_md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_md5.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash_sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_sha1.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash_sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_sha256.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host_name\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"image_loaded\",\"type\":\"string\",\"count\":0,\"s
cripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"image_loaded.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"module_signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"module_signature.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"module_signature_status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"module_signature_status.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"image_signed\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"level.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network_initiated\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network_protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"network_protocol.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\
"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"opcode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"opcode.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_command_line\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_command_line.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pipe_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"pipe_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_calltrace\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_calltrace.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_current_directory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_current_directory.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_granted_access\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_granted_access.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_guid\",\"type\":\"string\",\"co
unt\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_guid.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_integrity_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_integrity_level.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_name\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_guid.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_name\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_path.raw
\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_path\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_path.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_target_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_target_guid.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_target_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_target_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_target_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_target_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_target_path.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_thread_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_thread_id.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"provider_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":
\"provider_guid.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rawaccess_read_device\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rawaccess_read_device.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"record_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"record_number.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"registry_details\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"registry_details.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"registry_event_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"registry_event_type.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"registry_target_object\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"registry_target_object.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_domain.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":
true,\"readFromDocValues\":true},{\"name\":\"user_reporter_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_sid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_sid.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_type.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_host.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_ip.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_is_ipv6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":f
alse},{\"name\":\"src_is_ipv6.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_port_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tags.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"task\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"task.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"terminal_session_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_newthreadid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"type.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_domain\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"sear
chable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_domain.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_logon_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_logon_guid.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_logon_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_name\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]" + "fields": 
"[{\"name\":\"@meta.sysmon.timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"@version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"action\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"action.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat.hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"sear
chable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat.version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_command_line\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_command_line.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_ip_addr\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_ip_addr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dst_port_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dst_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatabl
e\":true,\"readFromDocValues\":true},{\"name\":\"file_creation_time\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_creation_time.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip
_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.dma_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.latitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta_dst_ip_geo.timezone\",\"type\":\"string\",\"coun
t\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta_dst_ip_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash_imphash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_imphash.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash_md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_md5.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash_sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_sha1.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash_sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash_sha256.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host_name\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"image_loaded\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"image_loaded.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false
,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"module_signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"module_signature.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"module_signature_status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"module_signature_status.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"image_signed\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network_initiated\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network_protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"network_protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"opcode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"search
able\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"opcode.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_command_line\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_command_line.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pipe_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"pipe_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_calltrace\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_calltrace.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_current_directory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_current_directory.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_granted_access\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_granted_access.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_guid\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_guid.k
eyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_integrity_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_integrity_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_name\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_name\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_parent_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_parent_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"rea
dFromDocValues\":true},{\"name\":\"process_path\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_target_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_target_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_target_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_target_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_target_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_target_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_target_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_thread_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_thread_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"provider_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"provider_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"se
archable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rawaccess_read_device\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rawaccess_read_device.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"record_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"record_number.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"registry_details\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"registry_details.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"registry_event_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"registry_event_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"registry_target_object\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"registry_target_object.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_rep
orter_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_sid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_sid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_reporter_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_reporter_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_ip_addr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_ip_addr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_por
t_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"task\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"task.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"terminal_session_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_newthreadid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_domain\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_logon_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searcha
ble\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_logon_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_logon_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_name\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]" } }, { From 3433425e165350569377f2343680cb6a7c0230e0 Mon Sep 17 00:00:00 2001 From: Nate Guagenti Date: Thu, 2 Aug 2018 14:15:04 -0400 Subject: [PATCH 6/6] Update 9956-attack-output.conf cleanup of my testing
---
 helk-logstash/pipeline/9956-attack-output.conf | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/helk-logstash/pipeline/9956-attack-output.conf b/helk-logstash/pipeline/9956-attack-output.conf
index ae852941..6e711027 100644
--- a/helk-logstash/pipeline/9956-attack-output.conf
+++ b/helk-logstash/pipeline/9956-attack-output.conf
@@ -10,8 +10,6 @@ output {
 hosts => ["helk-elasticsearch:9200"]
 index => "mitre-attack-%{+YYYY.MM.dd}"
 document_type => "_doc"
- user => "beats_ingest"
- password => "123456"
 }
 }
-}
\ No newline at end of file
+}
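Review bot: Deleting `user => "beats_ingest"` and `password => "123456"` removes the hardcoded credential from the working tree but not from git history, so that password should be treated as exposed and rotated on the Elasticsearch side rather than just dropped. After this hunk the elasticsearch output sends to `helk-elasticsearch:9200` with no credentials at all, which only works while the cluster runs without authentication; if the output does need to authenticate, keep the secret out of the committed file with Logstash's environment-variable substitution, e.g. `user => "${ES_USER}"` and `password => "${ES_PASSWORD}"` (variable names are illustrative), so the pipeline can be committed safely. A short comment above the hosts line, such as `# credentials, if required, come from the environment — never commit them here`, would stop the next tester from re-adding them. The enclosing `output { ... }` block starts before the hunk.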