From 6cd3bdc49c9a954c5404cbf0ad3cdd1fbcf672c9 Mon Sep 17 00:00:00 2001
From: Maxime Thiebaut <46688461+0xThiebaut@users.noreply.github.com>
Date: Wed, 15 Jan 2020 19:08:34 +0100
Subject: [PATCH] Add Kibana Dashboards (#1)

Add a general, CNAME and A/AAAA dahsboards
---
 _meta/kibana/7/dashboard/a-aaaa-overview.json | 994 ++++++
 _meta/kibana/7/dashboard/cname-overview.json | 953 +++++
 _meta/kibana/7/dashboard/overview.json | 971 +++++
 fields.yml | 3135 -----------------
 4 files changed, 2918 insertions(+), 3135 deletions(-)
 create mode 100644 _meta/kibana/7/dashboard/a-aaaa-overview.json
 create mode 100644 _meta/kibana/7/dashboard/cname-overview.json
 create mode 100644 _meta/kibana/7/dashboard/overview.json
 delete mode 100644 fields.yml

diff --git a/_meta/kibana/7/dashboard/a-aaaa-overview.json b/_meta/kibana/7/dashboard/a-aaaa-overview.json
new file mode 100644
index 0000000..ac727ed
--- /dev/null
+++ b/_meta/kibana/7/dashboard/a-aaaa-overview.json
@@ -0,0 +1,994 @@ +{ + "objects": [ + { + "attributes": { + "description": "Monitor all A and AAAA entries.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": {}, + "gridData": { + "h": 16, + "i": "2e5656be-886a-487d-9bee-98f960a89cce", + "w": 26, + "x": 0, + "y": 0 + }, + "panelIndex": "2e5656be-886a-487d-9bee-98f960a89cce", + "panelRefName": "panel_0", + "version": "7.5.1" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 8, + "i": "3689c962-5213-4129-bff3-c34b4885a10b", + "w": 13, + "x": 26, + "y": 0 + }, + "panelIndex": "3689c962-5213-4129-bff3-c34b4885a10b", + "panelRefName": "panel_1", + "version": "7.5.1" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 8, + "i": "e21b9e0d-22ab-4ca3-9e9d-2accb82cf6ee", + "w": 13, + "x": 26, + "y": 8 + }, + "panelIndex": "e21b9e0d-22ab-4ca3-9e9d-2accb82cf6ee", + "panelRefName": "panel_2", + "version": "7.5.1" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 17, + "i": "2631591c-9b8c-4c25-a255-1a0b2dd5b0c4", + "w": 13, + "x": 0, + "y": 16 + }, + "panelIndex": "2631591c-9b8c-4c25-a255-1a0b2dd5b0c4", + "panelRefName": "panel_3", + "version": "7.5.1" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 17, + "i": "749a0f67-e1c2-4155-a96a-25446a611da1", + "w": 13, + "x": 13, + "y": 16 + }, + "panelIndex": "749a0f67-e1c2-4155-a96a-25446a611da1", + "panelRefName": "panel_4", + "version": "7.5.1" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 17, + "i": "d691c2fc-2e14-45ad-a017-eb4f4c6275d0", + "w": 13, + "x": 26, + "y": 16 + }, + "panelIndex": "d691c2fc-2e14-45ad-a017-eb4f4c6275d0", + "panelRefName": "panel_5", + "version": "7.5.1" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 29, + "i": "23cc4055-885b-4c9a-8348-6df37aca78e5", + "w": 39, + "x": 0, + "y": 33 + }, + 
"panelIndex": "23cc4055-885b-4c9a-8348-6df37aca78e5", + "panelRefName": "panel_6", + "version": "7.5.1" + } + ], + "timeRestore": false, + "title": "[Dnsbeat A/AAAA] Overview", + "version": 1 + }, + "id": "33f672b0-37bc-11ea-bc78-59a1f2dd0c3f", + "migrationVersion": { + "dashboard": "7.3.0" + }, + "references": [ + { + "id": "2ad733a0-37bb-11ea-bc78-59a1f2dd0c3f", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "76bb7f00-37bc-11ea-bc78-59a1f2dd0c3f", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "932adaa0-37bc-11ea-bc78-59a1f2dd0c3f", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "d19079e0-37bb-11ea-bc78-59a1f2dd0c3f", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "77590210-37bd-11ea-bc78-59a1f2dd0c3f", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "b750bd90-37bd-11ea-bc78-59a1f2dd0c3f", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "e34c7e60-37b9-11ea-bc78-59a1f2dd0c3f", + "name": "panel_6", + "type": "search" + } + ], + "type": "dashboard", + "updated_at": "2020-01-15T17:39:55.872Z", + "version": "WzEzMiwxXQ==" + }, + { + "attributes": { + "description": "The count of unique entries per A and AAAA type over time.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Unique Entry Count Per Type Over Time [Dnsbeat A/AAAA]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Entries", + "field": "event.original" + }, + "schema": "metric", + "type": "cardinality" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Timestamp", + "drop_partials": false, + "extended_bounds": {}, + "field": "@timestamp", + "interval": "auto", + "min_doc_count": 1, + "scaleMetricValues": false, + "timeRange": { + "from": "now-15m", + "to": "now" + }, + 
"useNormalizedEsInterval": true + }, + "schema": "segment", + "type": "date_histogram" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "Type", + "field": "dns.type", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "group", + "type": "terms" + }, + { + "enabled": true, + "id": "4", + "params": { + "customLabel": "Domain", + "field": "event.dataset", + "missingBucket": true, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "group", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "filter": true, + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "dimensions": { + "series": [ + { + "accessor": 1, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other" + } + }, + "params": {} + }, + { + "accessor": 2, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other" + } + }, + "params": {} + } + ], + "x": { + "accessor": 0, + "aggType": "date_histogram", + "format": { + "id": "date", + "params": { + "pattern": "HH:mm:ss" + } + }, + "params": { + "bounds": { + "max": "2020-01-15T17:31:46.648Z", + "min": "2020-01-15T17:16:46.645Z" + }, + "date": true, + "format": "HH:mm:ss", + "interval": "PT30S", + "intervalESUnit": "s", + "intervalESValue": 30 + } + }, + "y": [ + { + "accessor": 3, + "aggType": "cardinality", + "format": { + "id": "number" + }, + "params": {} + } + ] + }, + "grid": { + 
"categoryLines": false + }, + "labels": {}, + "legendPosition": "right", + "seriesParams": [ + { + "data": { + "id": "1", + "label": "Entries" + }, + "drawLinesBetweenPoints": true, + "interpolate": "linear", + "lineWidth": 2, + "mode": "normal", + "show": true, + "showCircles": true, + "type": "line", + "valueAxis": "ValueAxis-1" + } + ], + "thresholdLine": { + "color": "#34130C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, + "times": [], + "type": "line", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Entries" + }, + "type": "value" + } + ] + }, + "title": "Unique Entry Count Per Type Over Time [Dnsbeat A/AAAA]", + "type": "line" + } + }, + "id": "2ad733a0-37bb-11ea-bc78-59a1f2dd0c3f", + "migrationVersion": { + "visualization": "7.4.2" + }, + "references": [ + { + "id": "e34c7e60-37b9-11ea-bc78-59a1f2dd0c3f", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2020-01-15T17:41:59.542Z", + "version": "WzEzNiwxXQ==" + }, + { + "attributes": { + "description": "A count of all A and AAAA entries.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Entry Count [Dnsbeat A/AAAA]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Monitored Entries" + }, + "schema": "metric", + "type": "count" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "dimensions": { + "metrics": [ + { + "accessor": 0, + "format": { + "id": "number", + "params": {} + }, + "type": "vis_dimension" + } + ] + }, + "metric": { + "colorSchema": "Green to Red", + 
"colorsRange": [ + { + "from": 0, + "to": 10000, + "type": "range" + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "Entry Count [Dnsbeat A/AAAA]", + "type": "metric" + } + }, + "id": "76bb7f00-37bc-11ea-bc78-59a1f2dd0c3f", + "migrationVersion": { + "visualization": "7.4.2" + }, + "references": [ + { + "id": "e34c7e60-37b9-11ea-bc78-59a1f2dd0c3f", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2020-01-15T17:43:54.284Z", + "version": "WzE0MCwxXQ==" + }, + { + "attributes": { + "description": "A count of unique A and AAAA entries.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Unique Entry Count [Dnsbeat A/AAAA]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Monitored Unique Entries", + "field": "event.original" + }, + "schema": "metric", + "type": "cardinality" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "dimensions": { + "metrics": [ + { + "accessor": 0, + "format": { + "id": "number", + "params": {} + }, + "type": "vis_dimension" + } + ] + }, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000, + "type": "range" + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "Unique Entry Count [Dnsbeat A/AAAA]", + "type": "metric" + } + }, + "id": 
"932adaa0-37bc-11ea-bc78-59a1f2dd0c3f", + "migrationVersion": { + "visualization": "7.4.2" + }, + "references": [ + { + "id": "e34c7e60-37b9-11ea-bc78-59a1f2dd0c3f", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2020-01-15T17:41:12.277Z", + "version": "WzEzNSwxXQ==" + }, + { + "attributes": { + "description": "A repartition of A and AAAA entry types.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Unique Entry Type Repartition [Dnsbeat A/AAAA]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Entries", + "field": "event.original" + }, + "schema": "metric", + "type": "cardinality" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Type", + "field": "dns.type", + "missingBucket": true, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "dimensions": { + "buckets": [ + { + "accessor": 0, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other" + } + }, + "params": {} + } + ], + "metric": { + "accessor": 1, + "aggType": "cardinality", + "format": { + "id": "number" + }, + "params": {} + } + }, + "isDonut": true, + "labels": { + "last_level": true, + "show": false, + "truncate": 100, + "values": true + }, + "legendPosition": "right", + "type": "pie" + }, + "title": "Unique Entry Type Repartition [Dnsbeat A/AAAA]", + "type": "pie" + } + }, + "id": "d19079e0-37bb-11ea-bc78-59a1f2dd0c3f", + "migrationVersion": { + "visualization": "7.4.2" + }, + "references": [ + { + "id": 
"e34c7e60-37b9-11ea-bc78-59a1f2dd0c3f", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2020-01-15T17:40:47.436Z", + "version": "WzEzNCwxXQ==" + }, + { + "attributes": { + "description": "A count of unique IPv4 and IPv6 targets per unique name.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Entry Target Count [Dnsbeat A/AAAA]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Targets", + "field": "dns.rdata.ip" + }, + "schema": "metric", + "type": "cardinality" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Domain", + "field": "dns.name", + "missingBucket": true, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 100 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "dimensions": { + "buckets": [ + { + "accessor": 0, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other" + } + }, + "params": {} + } + ], + "metrics": [ + { + "accessor": 1, + "aggType": "cardinality", + "format": { + "id": "number" + }, + "params": {} + } + ] + }, + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "Entry Target Count [Dnsbeat A/AAAA]", + "type": "table" + } + }, + "id": "77590210-37bd-11ea-bc78-59a1f2dd0c3f", + "migrationVersion": { + "visualization": "7.4.2" + }, + "references": [ + { + "id": "e34c7e60-37b9-11ea-bc78-59a1f2dd0c3f", + 
"name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2020-01-15T17:43:34.815Z", + "version": "WzEzOSwxXQ==" + }, + { + "attributes": { + "description": "A count of unique names per unique IPv4 and IPv6.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Entry Target Source Count [Dnsbeat A/AAAA]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Sources", + "field": "dns.name" + }, + "schema": "metric", + "type": "cardinality" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "IP", + "field": "dns.rdata.ip", + "missingBucket": true, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 100 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "dimensions": { + "buckets": [ + { + "accessor": 0, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "ip", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other" + } + }, + "params": {} + } + ], + "metrics": [ + { + "accessor": 1, + "aggType": "count", + "format": { + "id": "number" + }, + "params": {} + } + ] + }, + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "Entry Target Source Count [Dnsbeat A/AAAA]", + "type": "table" + } + }, + "id": "b750bd90-37bd-11ea-bc78-59a1f2dd0c3f", + "migrationVersion": { + "visualization": "7.4.2" + }, + "references": [ + { + "id": "e34c7e60-37b9-11ea-bc78-59a1f2dd0c3f", + "name": "search_0", + "type": "search" + } + ], + 
"type": "visualization", + "updated_at": "2020-01-15T17:42:47.801Z", + "version": "WzEzOCwxXQ==" + }, + { + "attributes": { + "columns": [ + "dns.name", + "dns.rdata.ip" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "dns.type", + "negate": false, + "params": [ + "A", + "AAAA" + ], + "type": "phrases", + "value": "A, AAAA" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "dns.type": "A" + } + }, + { + "match_phrase": { + "dns.type": "AAAA" + } + } + ] + } + } + } + ], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + }, + "version": true + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "All Entries [Dnsbeat A/AAAA]", + "version": 1 + }, + "id": "e34c7e60-37b9-11ea-bc78-59a1f2dd0c3f", + "migrationVersion": { + "search": "7.4.0" + }, + "references": [ + { + "id": "dnsbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "dnsbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search", + "updated_at": "2020-01-15T17:27:29.494Z", + "version": "WzExNSwxXQ==" + } + ], + "version": "7.5.1" +} diff --git a/_meta/kibana/7/dashboard/cname-overview.json b/_meta/kibana/7/dashboard/cname-overview.json new file mode 100644 index 0000000..f6534b5 --- /dev/null +++ b/_meta/kibana/7/dashboard/cname-overview.json 
@@ -0,0 +1,953 @@ +{ + "objects": [ + { + "attributes": { + "description": "Monitor all CNAME entries.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": {}, + "gridData": { + "h": 16, + "i": "a520c739-f096-4657-8349-99380bca45f6", + "w": 26, + "x": 0, + "y": 0 + }, + "panelIndex": "a520c739-f096-4657-8349-99380bca45f6", + "panelRefName": "panel_0", + "version": "7.5.1" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 8, + "i": "5cbc35d2-ffe5-4ef9-bb8f-44f1ecbb3779", + "w": 13, + "x": 26, + "y": 0 + }, + "panelIndex": "5cbc35d2-ffe5-4ef9-bb8f-44f1ecbb3779", + "panelRefName": "panel_1", + "version": "7.5.1" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 8, + "i": "70942f79-e926-4ed9-8f14-85807f8b279b", + "w": 13, + "x": 26, + "y": 8 + }, + "panelIndex": "70942f79-e926-4ed9-8f14-85807f8b279b", + "panelRefName": "panel_2", + "version": "7.5.1" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 17, + "i": "48b35323-74cc-4db4-9328-8ce3f5543c0e", + "w": 13, + "x": 0, + "y": 16 + }, + "panelIndex": "48b35323-74cc-4db4-9328-8ce3f5543c0e", + "panelRefName": "panel_3", + "version": "7.5.1" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 17, + "i": "b4635c4b-c3b5-46cc-b564-5353273cd4c6", + "w": 13, + "x": 13, + "y": 16 + }, + "panelIndex": "b4635c4b-c3b5-46cc-b564-5353273cd4c6", + "panelRefName": "panel_4", + "version": "7.5.1" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 17, + "i": "ad9733d8-297d-4c60-9abd-d1a9e17dc780", + "w": 13, + "x": 26, + "y": 16 + }, + "panelIndex": "ad9733d8-297d-4c60-9abd-d1a9e17dc780", + "panelRefName": "panel_5", + "version": "7.5.1" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 30, + "i": "7cf7b2c8-8678-497a-b93f-4a3593425011", + "w": 39, + "x": 0, + "y": 33 + }, + 
"panelIndex": "7cf7b2c8-8678-497a-b93f-4a3593425011", + "panelRefName": "panel_6", + "version": "7.5.1" + } + ], + "timeRestore": false, + "title": "[Dnsbeat CNAME] Overview", + "version": 1 + }, + "id": "5495dd10-37b4-11ea-bc78-59a1f2dd0c3f", + "migrationVersion": { + "dashboard": "7.3.0" + }, + "references": [ + { + "id": "f27d19e0-37b3-11ea-bc78-59a1f2dd0c3f", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "85156dc0-37af-11ea-bc78-59a1f2dd0c3f", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "2e59cbb0-37b0-11ea-bc78-59a1f2dd0c3f", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "b9c4b9e0-37b4-11ea-bc78-59a1f2dd0c3f", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "a4425400-37b5-11ea-bc78-59a1f2dd0c3f", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "bb143260-37b6-11ea-bc78-59a1f2dd0c3f", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "5ede68a0-37af-11ea-bc78-59a1f2dd0c3f", + "name": "panel_6", + "type": "search" + } + ], + "type": "dashboard", + "updated_at": "2020-01-15T16:48:53.764Z", + "version": "Wzc5LDFd" + }, + { + "attributes": { + "description": "The count of unique CNAME entries over time.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Unique Entry Count Over Time [Dnsbeat CNAME]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Entries", + "field": "event.original" + }, + "schema": "metric", + "type": "cardinality" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Timestamp", + "drop_partials": false, + "extended_bounds": {}, + "field": "@timestamp", + "interval": "auto", + "min_doc_count": 1, + "scaleMetricValues": false, + "timeRange": { + "from": "now-15m", + "to": "now" + }, + "useNormalizedEsInterval": true + 
}, + "schema": "segment", + "type": "date_histogram" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "Domain", + "field": "event.dataset", + "missingBucket": true, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "group", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "filter": true, + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "dimensions": { + "series": [ + { + "accessor": 1, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other" + } + }, + "params": {} + } + ], + "x": { + "accessor": 0, + "aggType": "date_histogram", + "format": { + "id": "date", + "params": { + "pattern": "HH:mm:ss" + } + }, + "params": { + "bounds": { + "max": "2020-01-15T16:26:55.502Z", + "min": "2020-01-15T16:11:55.502Z" + }, + "date": true, + "format": "HH:mm:ss", + "interval": "PT30S", + "intervalESUnit": "s", + "intervalESValue": 30 + } + }, + "y": [ + { + "accessor": 2, + "aggType": "cardinality", + "format": { + "id": "number" + }, + "params": {} + } + ] + }, + "grid": { + "categoryLines": false + }, + "labels": {}, + "legendPosition": "right", + "seriesParams": [ + { + "data": { + "id": "1", + "label": "Entries" + }, + "drawLinesBetweenPoints": true, + "interpolate": "linear", + "lineWidth": 2, + "mode": "normal", + "show": true, + "showCircles": true, + "type": "line", + "valueAxis": "ValueAxis-1" + } + ], + "thresholdLine": { + "color": "#34130C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, + "times": [], + "type": "line", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { 
+ "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Entries" + }, + "type": "value" + } + ] + }, + "title": "Unique Entry Count Over Time [Dnsbeat CNAME]", + "type": "line" + } + }, + "id": "f27d19e0-37b3-11ea-bc78-59a1f2dd0c3f", + "migrationVersion": { + "visualization": "7.4.2" + }, + "references": [ + { + "id": "5ede68a0-37af-11ea-bc78-59a1f2dd0c3f", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2020-01-15T16:56:47.564Z", + "version": "WzkyLDFd" + }, + { + "attributes": { + "description": "A count of all CNAME entries.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Entry Count [Dnsbeat CNAME]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Monitored Entries" + }, + "schema": "metric", + "type": "count" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "dimensions": { + "metrics": [ + { + "accessor": 0, + "format": { + "id": "number", + "params": {} + }, + "type": "vis_dimension" + } + ] + }, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000, + "type": "range" + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "Entry Count [Dnsbeat CNAME]", + "type": "metric" + } + }, + "id": "85156dc0-37af-11ea-bc78-59a1f2dd0c3f", + "migrationVersion": { + "visualization": "7.4.2" + }, + "references": [ + { + "id": 
"5ede68a0-37af-11ea-bc78-59a1f2dd0c3f", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2020-01-15T16:50:00.442Z", + "version": "WzgyLDFd" + }, + { + "attributes": { + "description": "A count of unique CNAME entries.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Unique Entry Count [Dnsbeat CNAME]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Monitored Unique Entries", + "field": "event.original" + }, + "schema": "metric", + "type": "cardinality" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "dimensions": { + "metrics": [ + { + "accessor": 0, + "format": { + "id": "number", + "params": {} + }, + "type": "vis_dimension" + } + ] + }, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000, + "type": "range" + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "Unique Entry Count [Dnsbeat CNAME]", + "type": "metric" + } + }, + "id": "2e59cbb0-37b0-11ea-bc78-59a1f2dd0c3f", + "migrationVersion": { + "visualization": "7.4.2" + }, + "references": [ + { + "id": "5ede68a0-37af-11ea-bc78-59a1f2dd0c3f", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2020-01-15T16:55:55.066Z", + "version": "WzkxLDFd" + }, + { + "attributes": { + "description": "A repartition of CNAME entry targets.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": 
"Unique Entry Target Repartition [Dnsbeat CNAME]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Entry Count", + "field": "event.original" + }, + "schema": "metric", + "type": "cardinality" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Domain", + "field": "dns.rdata.sld", + "missingBucket": true, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "dimensions": { + "buckets": [ + { + "accessor": 0, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other" + } + }, + "params": {} + } + ], + "metric": { + "accessor": 1, + "aggType": "cardinality", + "format": { + "id": "number" + }, + "params": {} + } + }, + "isDonut": true, + "labels": { + "last_level": true, + "show": false, + "truncate": 100, + "values": true + }, + "legendPosition": "right", + "type": "pie" + }, + "title": "Unique Entry Target Repartition [Dnsbeat CNAME]", + "type": "pie" + } + }, + "id": "b9c4b9e0-37b4-11ea-bc78-59a1f2dd0c3f", + "migrationVersion": { + "visualization": "7.4.2" + }, + "references": [ + { + "id": "5ede68a0-37af-11ea-bc78-59a1f2dd0c3f", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2020-01-15T16:59:18.059Z", + "version": "Wzk1LDFd" + }, + { + "attributes": { + "description": "A count of unique CNAME targets per unique name.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Entry Target Count [Dnsbeat CNAME]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null 
+ } + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Targets", + "field": "dns.rdata.name" + }, + "schema": "metric", + "type": "cardinality" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Domain", + "field": "dns.name", + "missingBucket": true, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 100 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "dimensions": { + "buckets": [ + { + "accessor": 0, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other" + } + }, + "params": {} + } + ], + "metrics": [ + { + "accessor": 1, + "aggType": "cardinality", + "format": { + "id": "number" + }, + "params": {} + } + ] + }, + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "Entry Target Count [Dnsbeat CNAME]", + "type": "table" + } + }, + "id": "a4425400-37b5-11ea-bc78-59a1f2dd0c3f", + "migrationVersion": { + "visualization": "7.4.2" + }, + "references": [ + { + "id": "5ede68a0-37af-11ea-bc78-59a1f2dd0c3f", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2020-01-15T16:51:34.621Z", + "version": "Wzg0LDFd" + }, + { + "attributes": { + "description": "A count of unique names per unique CNAME target.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Entry Target Source Count [Dnsbeat CNAME]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "version": 1, + "visState": { + 
"aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Sources", + "field": "dns.name" + }, + "schema": "metric", + "type": "cardinality" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Domain", + "field": "dns.rdata.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 100 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "dimensions": { + "buckets": [ + { + "accessor": 0, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other" + } + }, + "params": {} + } + ], + "metrics": [ + { + "accessor": 1, + "aggType": "cardinality", + "format": { + "id": "number" + }, + "params": {} + } + ] + }, + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "Entry Target Source Count [Dnsbeat CNAME]", + "type": "table" + } + }, + "id": "bb143260-37b6-11ea-bc78-59a1f2dd0c3f", + "migrationVersion": { + "visualization": "7.4.2" + }, + "references": [ + { + "id": "5ede68a0-37af-11ea-bc78-59a1f2dd0c3f", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2020-01-15T16:52:29.842Z", + "version": "Wzg1LDFd" + }, + { + "attributes": { + "columns": [ + "dns.name", + "dns.rdata.name" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "dns.type", + "negate": false, + "params": { + "query": "CNAME" + }, + "type": "phrase" + }, + "query": { + "match": { + "dns.type": { + "query": 
"CNAME", + "type": "phrase" + } + } + } + } + ], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + }, + "version": true + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "All Entries [Dnsbeat CNAME]", + "version": 1 + }, + "id": "5ede68a0-37af-11ea-bc78-59a1f2dd0c3f", + "migrationVersion": { + "search": "7.4.0" + }, + "references": [ + { + "id": "dnsbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "dnsbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search", + "updated_at": "2020-01-15T16:37:08.299Z", + "version": "WzY5LDFd" + } + ], + "version": "7.5.1" +} diff --git a/_meta/kibana/7/dashboard/overview.json b/_meta/kibana/7/dashboard/overview.json new file mode 100644 index 0000000..b83851f --- /dev/null +++ b/_meta/kibana/7/dashboard/overview.json 
@@ -0,0 +1,971 @@ +{ + "objects": [ + { + "attributes": { + "description": "Monitor all entries.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": {}, + "gridData": { + "h": 16, + "i": "14b5d224-1eba-4740-827d-f655c76b8c95", + "w": 26, + "x": 0, + "y": 0 + }, + "panelIndex": "14b5d224-1eba-4740-827d-f655c76b8c95", + "panelRefName": "panel_0", + "version": "7.5.1" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 8, + "i": "18fd0fbe-875b-423c-ad98-0877636aba31", + "w": 13, + "x": 26, + "y": 0 + }, + "panelIndex": "18fd0fbe-875b-423c-ad98-0877636aba31", + "panelRefName": "panel_1", + "version": "7.5.1" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 8, + "i": "fd90495e-be53-4f6e-96a7-d66c12d6cf21", + "w": 13, + "x": 26, + "y": 8 + }, + "panelIndex": "fd90495e-be53-4f6e-96a7-d66c12d6cf21", + "panelRefName": "panel_2", + "version": "7.5.1" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 7, + "i": "4ba9be4b-cfef-4d02-a0de-e615866d8b6d", + "w": 39, + "x": 0, + "y": 16 + }, + "panelIndex": "4ba9be4b-cfef-4d02-a0de-e615866d8b6d", + "panelRefName": "panel_3", + "version": "7.5.1" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 16, + "i": "50265aef-27ad-4703-b2d3-90f25a3e194d", + "w": 26, + "x": 0, + "y": 23 + }, + "panelIndex": "50265aef-27ad-4703-b2d3-90f25a3e194d", + "panelRefName": "panel_4", + "version": "7.5.1" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 16, + "i": "afb4c011-0c89-4556-8fb2-182891fb3cbc", + "w": 13, + "x": 26, + "y": 23 + }, + "panelIndex": "afb4c011-0c89-4556-8fb2-182891fb3cbc", + "panelRefName": "panel_5", + "version": "7.5.1" + } + ], + "timeRestore": false, + "title": "[Dnsbeat] Overview", + "version": 1 + }, + "id": "d8a9fee0-37b1-11ea-bc78-59a1f2dd0c3f", + "migrationVersion": { + 
"dashboard": "7.3.0" + }, + "references": [ + { + "id": "fb2570c0-36ef-11ea-9e5c-d1ad2d4ef5fc", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "dd0de690-36f3-11ea-9e5c-d1ad2d4ef5fc", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "fd0334a0-36f3-11ea-9e5c-d1ad2d4ef5fc", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "820196c0-36ee-11ea-9e5c-d1ad2d4ef5fc", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "0dfaa940-36f5-11ea-9e5c-d1ad2d4ef5fc", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "43c790c0-37b2-11ea-bc78-59a1f2dd0c3f", + "name": "panel_5", + "type": "visualization" + } + ], + "type": "dashboard", + "updated_at": "2020-01-15T16:49:25.548Z", + "version": "WzgwLDFd" + }, + { + "attributes": { + "description": "The count of unique entries over time.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Unique Entry Count Over Time [Dnsbeat]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Entries", + "field": "event.original" + }, + "schema": "metric", + "type": "cardinality" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Timestamp", + "drop_partials": false, + "extended_bounds": {}, + "field": "@timestamp", + "interval": "auto", + "min_doc_count": 1, + "scaleMetricValues": false, + "timeRange": { + "from": "now-15m", + "to": "now" + }, + "useNormalizedEsInterval": true + }, + "schema": "segment", + "type": "date_histogram" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "Domain", + "field": "event.dataset", + "missingBucket": true, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": 
"group", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "filter": true, + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "dimensions": { + "series": [ + { + "accessor": 1, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other" + } + }, + "params": {} + } + ], + "x": { + "accessor": 0, + "aggType": "date_histogram", + "format": { + "id": "date", + "params": { + "pattern": "HH:mm:ss" + } + }, + "params": { + "bounds": { + "max": "2020-01-14T17:04:09.258Z", + "min": "2020-01-14T16:49:09.258Z" + }, + "date": true, + "format": "HH:mm:ss", + "interval": "PT30S", + "intervalESUnit": "s", + "intervalESValue": 30 + } + }, + "y": [ + { + "accessor": 2, + "aggType": "cardinality", + "format": { + "id": "number" + }, + "params": {} + } + ] + }, + "grid": { + "categoryLines": true, + "valueAxis": "ValueAxis-1" + }, + "labels": {}, + "legendPosition": "right", + "seriesParams": [ + { + "data": { + "id": "1", + "label": "Entries" + }, + "drawLinesBetweenPoints": true, + "interpolate": "linear", + "lineWidth": 2, + "mode": "normal", + "show": true, + "showCircles": true, + "type": "line", + "valueAxis": "ValueAxis-1" + } + ], + "thresholdLine": { + "color": "#34130C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, + "times": [], + "type": "line", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Entries" + }, + "type": "value" + } + ] + }, + "title": "Unique Entry Count Over 
Time [Dnsbeat]", + "type": "line" + } + }, + "id": "fb2570c0-36ef-11ea-9e5c-d1ad2d4ef5fc", + "migrationVersion": { + "visualization": "7.4.2" + }, + "references": [ + { + "id": "dnsbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-01-15T16:57:05.827Z", + "version": "WzkzLDFd" + }, + { + "attributes": { + "description": "A count of all entries.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Entry Count [Dnsbeat]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Monitored Entries" + }, + "schema": "metric", + "type": "count" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "dimensions": { + "metrics": [ + { + "accessor": 0, + "format": { + "id": "number", + "params": {} + }, + "type": "vis_dimension" + } + ] + }, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000, + "type": "range" + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "Entry Count [Dnsbeat]", + "type": "metric" + } + }, + "id": "dd0de690-36f3-11ea-9e5c-d1ad2d4ef5fc", + "migrationVersion": { + "visualization": "7.4.2" + }, + "references": [ + { + "id": "dnsbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-01-15T16:50:22.142Z", + "version": "WzgzLDFd" + }, + { + "attributes": { + "description": "A count of unique entries.", + "kibanaSavedObjectMeta": { 
+ "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Unique Entry Count [Dnsbeat]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Unique Entries", + "field": "event.original" + }, + "schema": "metric", + "type": "cardinality" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "dimensions": { + "metrics": [ + { + "accessor": 0, + "format": { + "id": "number", + "params": {} + }, + "type": "vis_dimension" + } + ] + }, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000, + "type": "range" + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "Unique Entry Count [Dnsbeat]", + "type": "metric" + } + }, + "id": "fd0334a0-36f3-11ea-9e5c-d1ad2d4ef5fc", + "migrationVersion": { + "visualization": "7.4.2" + }, + "references": [ + { + "id": "dnsbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-01-15T16:55:43.475Z", + "version": "WzkwLDFd" + }, + { + "attributes": { + "description": "A control to filter any entry given the zone name, entry type or TTL.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Filter [Dnsbeat]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "controls": [ + { + "fieldName": "event.dataset", + "id": "1579020752733", + "indexPatternRefName": "control_0_index_pattern", + "label": "Domain", + "options": { + 
"dynamicOptions": true, + "multiselect": true, + "order": "desc", + "size": 5, + "type": "terms" + }, + "parent": "", + "type": "list" + }, + { + "fieldName": "dns.type", + "id": "1579023825052", + "indexPatternRefName": "control_1_index_pattern", + "label": "Entry Type", + "options": { + "dynamicOptions": true, + "multiselect": true, + "order": "desc", + "size": 5, + "type": "terms" + }, + "parent": "", + "type": "list" + }, + { + "fieldName": "dns.ttl", + "id": "1579105015267", + "indexPatternRefName": "control_2_index_pattern", + "label": "TTL", + "options": { + "decimalPlaces": 2, + "step": 50 + }, + "parent": "", + "type": "range" + } + ], + "pinFilters": true, + "updateFiltersOnChange": true, + "useTimeFilter": false + }, + "title": "Filter [Dnsbeat]", + "type": "input_control_vis" + } + }, + "id": "820196c0-36ee-11ea-9e5c-d1ad2d4ef5fc", + "migrationVersion": { + "visualization": "7.4.2" + }, + "references": [ + { + "id": "dnsbeat-*", + "name": "control_0_index_pattern", + "type": "index-pattern" + }, + { + "id": "dnsbeat-*", + "name": "control_1_index_pattern", + "type": "index-pattern" + }, + { + "id": "dnsbeat-*", + "name": "control_2_index_pattern", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-01-15T16:53:25.552Z", + "version": "Wzg2LDFd" + }, + { + "attributes": { + "description": "The count of unique entries per type over time.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Unique Entry Count Per Type Over Time [Dnsbeat]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Entries", + "field": "event.original" + }, + "schema": "metric", + "type": "cardinality" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Timestamp", + "drop_partials": false, + 
"extended_bounds": {}, + "field": "@timestamp", + "interval": "auto", + "min_doc_count": 1, + "scaleMetricValues": false, + "timeRange": { + "from": "now-15m", + "to": "now" + }, + "useNormalizedEsInterval": true + }, + "schema": "segment", + "type": "date_histogram" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "Domain", + "field": "event.dataset", + "missingBucket": true, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 3 + }, + "schema": "group", + "type": "terms" + }, + { + "enabled": true, + "id": "4", + "params": { + "customLabel": "Type", + "field": "dns.type", + "missingBucket": true, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 20 + }, + "schema": "group", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "filter": true, + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "dimensions": { + "series": [ + { + "accessor": 1, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other" + } + }, + "params": {} + }, + { + "accessor": 2, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other" + } + }, + "params": {} + } + ], + "x": { + "accessor": 0, + "aggType": "date_histogram", + "format": { + "id": "date", + "params": { + "pattern": "HH:mm:ss" + } + }, + "params": { + "bounds": { + "max": "2020-01-14T17:41:59.357Z", + "min": "2020-01-14T17:26:59.356Z" + }, + "date": true, + "format": "HH:mm:ss", + "interval": "PT30S", + 
"intervalESUnit": "s", + "intervalESValue": 30 + } + }, + "y": [ + { + "accessor": 3, + "aggType": "cardinality", + "format": { + "id": "number" + }, + "params": {} + } + ] + }, + "grid": { + "categoryLines": true, + "valueAxis": "ValueAxis-1" + }, + "labels": {}, + "legendPosition": "bottom", + "seriesParams": [ + { + "data": { + "id": "1", + "label": "Entries" + }, + "drawLinesBetweenPoints": true, + "interpolate": "linear", + "lineWidth": 2, + "mode": "normal", + "show": true, + "showCircles": true, + "type": "line", + "valueAxis": "ValueAxis-1" + } + ], + "thresholdLine": { + "color": "#34130C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, + "times": [], + "type": "line", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Entries" + }, + "type": "value" + } + ] + }, + "title": "Unique Entry Count Per Type Over Time [Dnsbeat]", + "type": "line" + } + }, + "id": "0dfaa940-36f5-11ea-9e5c-d1ad2d4ef5fc", + "migrationVersion": { + "visualization": "7.4.2" + }, + "references": [ + { + "id": "dnsbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-01-15T16:57:56.591Z", + "version": "Wzk0LDFd" + }, + { + "attributes": { + "description": "A repartition of entry types.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Unique Entry Type Repartition [Dnsbeat]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Unique Entries", + "field": "event.original" + }, + "schema": "metric", 
+ "type": "cardinality" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Type", + "field": "dns.type", + "missingBucket": true, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "dimensions": { + "buckets": [ + { + "accessor": 0, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other" + } + }, + "params": {} + } + ], + "metric": { + "accessor": 1, + "aggType": "cardinality", + "format": { + "id": "number" + }, + "params": {} + } + }, + "isDonut": true, + "labels": { + "last_level": true, + "show": false, + "truncate": 100, + "values": true + }, + "legendPosition": "right", + "type": "pie" + }, + "title": "Unique Entry Type Repartition [Dnsbeat]", + "type": "pie" + } + }, + "id": "43c790c0-37b2-11ea-bc78-59a1f2dd0c3f", + "migrationVersion": { + "visualization": "7.4.2" + }, + "references": [ + { + "id": "dnsbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-01-15T17:00:03.274Z", + "version": "Wzk2LDFd" + } + ], + "version": "7.5.1" +} diff --git a/fields.yml b/fields.yml deleted file mode 100644 index 0ae0f2f..0000000 --- a/fields.yml +++ /dev/null 
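Review bot: Every "unique entry" metric in this file (Unique Entry Count Over Time, Unique Entry Count, Unique Entry Count Per Type Over Time, and the pie's metric) is a `cardinality` aggregation on `event.original`, which Elasticsearch computes with HyperLogLog++ and is only near-exact below the default `precision_threshold` of 3000 distinct values, yet the descriptions present it as an exact count ("The count of unique entries over time."). For a zone monitor where the interesting event is a single added or changed record, a drifting approximate count can hide a one-entry change, so the descriptions should say so, e.g. `"description": "The approximate (HyperLogLog) count of unique entries over time."`, and the document count in "Entry Count [Dnsbeat]" should be the metric people alert on. Separately, "Repartition" in `"title": "Unique Entry Type Repartition [Dnsbeat]"` and its description reads as a French calque; "Breakdown" or "Distribution" is the English term. The absolute `bounds` timestamps under `dimensions.x.params` (`2020-01-14T17:04:09.258Z`) look like exported editor state rather than configuration; they appear harmless but could presumably be dropped to keep the committed file stable across re-exports.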
@@ -1,3135 +0,0 @@ -# WARNING! Do not edit this file directly, it was generated by the ECS project, -# based on ECS version 1.1.0. -# Please visit https://github.com/elastic/ecs to suggest changes to ECS fields. - -- key: ecs - title: ECS - description: ECS Fields. - fields: - - name: '@timestamp' - level: core - required: true - type: date - description: 'Date/time when the event originated. - - This is the date/time extracted from the event, typically representing when - the event was generated by the source. - - If the event source has no original timestamp, this value is typically populated - by the first time the event was received by the pipeline. - - Required field for all events.' - example: '2016-05-23T08:05:34.853Z' - - name: labels - level: core - type: object - object_type: keyword - description: 'Custom key/value pairs. - - Can be used to add meta information to events. Should not contain nested objects. - All values are stored as keyword. - - Example: `docker` and `k8s` labels.' - example: - application: foo-bar - env: production - - name: message - level: core - type: text - description: 'For log events the message field contains the log message, optimized - for viewing in a log viewer. - - For structured logs without an original message field, other fields can be concatenated - to form a human-readable summary of the event. - - If multiple messages exist, they can be combined into one message.' - example: Hello World - - name: tags - level: core - type: keyword - ignore_above: 1024 - description: List of keywords used to tag each event. - example: '["production", "env2"]' - - name: agent - title: Agent - group: 2 - description: 'The agent fields contain the data about the software entity, if - any, that collects, detects, or observes events on a host, or takes measurements - on a host. - - Examples include Beats. Agents may also run on observers. 
ECS agent.* fields - shall be populated with details of the agent running on the host or observer - where the event happened or the measurement was taken.' - footnote: 'Examples: In the case of Beats for logs, the agent.name is filebeat. - For APM, it is the agent running in the app/service. The agent information does - not change if data is sent through queuing systems like Kafka, Redis, or processing - systems such as Logstash or APM Server.' - type: group - fields: - - name: ephemeral_id - level: extended - type: keyword - ignore_above: 1024 - description: 'Ephemeral identifier of this agent (if one exists). - - This id normally changes across restarts, but `agent.id` does not.' - example: 8a4f500f - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique identifier of this agent (if one exists). - - Example: For Beats this would be beat.id.' - example: 8a4f500d - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Custom name of the agent. - - This is a name that can be given to an agent. This can be helpful if for example - two Filebeat instances are running on the same host but a human readable separation - is needed on which Filebeat instance data is coming from. - - If no name is given, the name is often left empty.' - example: foo - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of the agent. - - The agent type stays always the same and should be given by the agent used. - In case of Filebeat the agent would always be Filebeat also if two Filebeat - instances are run on the same machine.' - example: filebeat - - name: version - level: core - type: keyword - ignore_above: 1024 - description: Version of the agent. 
- example: 6.0.0-rc2 - - name: as - title: Autonomous System - group: 2 - description: An autonomous system (AS) is a collection of connected Internet Protocol - (IP) routing prefixes under the control of one or more network operators on - behalf of a single administrative entity or domain that presents a common, clearly - defined routing policy to the internet. - type: group - fields: - - name: number - level: extended - type: long - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - - name: organization.name - level: extended - type: keyword - ignore_above: 1024 - description: Organization name. - example: Google LLC - - name: client - title: Client - group: 2 - description: 'A client is defined as the initiator of a network connection for - events regarding sessions, connections, or bidirectional flow records. - - For TCP events, the client is the initiator of the TCP connection that sends - the SYN packet(s). For other protocols, the client is generally the initiator - or requestor in the network transaction. Some systems use the term "originator" - to refer the client in TCP connections. The client fields describe details about - the system acting as the client in the network event. Client fields are usually - populated in conjunction with server fields. Client fields are generally not - populated for packet-level events. - - Client / server representations can add semantic context to an exchange, which - is helpful to visualize the data in certain situations. If your context falls - in that category, you should still ensure that source and destination are filled - appropriately.' - type: group - fields: - - name: address - level: extended - type: keyword - ignore_above: 1024 - description: 'Some event client addresses are defined ambiguously. The event - will sometimes list an IP, a domain or a unix socket. 
You should always store - the raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one - it is.' - - name: as.number - level: extended - type: long - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - - name: as.organization.name - level: extended - type: keyword - ignore_above: 1024 - description: Organization name. - example: Google LLC - - name: bytes - level: core - type: long - format: bytes - description: Bytes sent from the client to the server. - example: 184 - - name: domain - level: core - type: keyword - ignore_above: 1024 - description: Client domain. - - name: geo.city_name - level: core - type: keyword - ignore_above: 1024 - description: City name. - example: Montreal - - name: geo.continent_name - level: core - type: keyword - ignore_above: 1024 - description: Name of the continent. - example: North America - - name: geo.country_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Country ISO code. - example: CA - - name: geo.country_name - level: core - type: keyword - ignore_above: 1024 - description: Country name. - example: Canada - - name: geo.location - level: core - type: geo_point - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - - name: geo.name - level: extended - type: keyword - ignore_above: 1024 - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - - name: geo.region_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Region ISO code. 
- example: CA-QC - - name: geo.region_name - level: core - type: keyword - ignore_above: 1024 - description: Region name. - example: Quebec - - name: ip - level: core - type: ip - description: 'IP address of the client. - - Can be one or multiple IPv4 or IPv6 addresses.' - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: MAC address of the client. - - name: nat.ip - level: extended - type: ip - description: 'Translated IP of source based NAT sessions (e.g. internal client - to internet). - - Typically connections traversing load balancers, firewalls, or routers.' - - name: nat.port - level: extended - type: long - format: string - description: 'Translated port of source based NAT sessions (e.g. internal client - to internet). - - Typically connections traversing load balancers, firewalls, or routers.' - - name: packets - level: core - type: long - description: Packets sent from the client to the server. - example: 12 - - name: port - level: core - type: long - format: string - description: Port of the client. - - name: user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - - name: user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - - name: user.full_name - level: extended - type: keyword - ignore_above: 1024 - description: User's full name, if available. - example: Albert Einstein - - name: user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - - name: user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - - name: user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. 
- - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - - name: user.id - level: core - type: keyword - ignore_above: 1024 - description: One or multiple unique identifiers of the user. - - name: user.name - level: core - type: keyword - ignore_above: 1024 - description: Short name or login of the user. - example: albert - - name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming - from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data - from its host, the cloud info contains the data about this machine. If Metricbeat - runs on a remote machine outside the cloud and fetches data from a service running - in the cloud, the field contains cloud data from the machine the service is - running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different - entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, - or digitalocean. 
- example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific - container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: image.tag - level: extended - type: keyword - ignore_above: 1024 - description: Container image tag. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - - name: runtime - level: extended - type: keyword - ignore_above: 1024 - description: Runtime managing this container. - example: docker - - name: destination - title: Destination - group: 2 - description: 'Destination fields describe details about the destination of a packet/event. - - Destination fields are usually populated in conjunction with source fields.' - type: group - fields: - - name: address - level: extended - type: keyword - ignore_above: 1024 - description: 'Some event destination addresses are defined ambiguously. The - event will sometimes list an IP, a domain or a unix socket. You should always - store the raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one - it is.' - - name: as.number - level: extended - type: long - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. 
- example: 15169 - - name: as.organization.name - level: extended - type: keyword - ignore_above: 1024 - description: Organization name. - example: Google LLC - - name: bytes - level: core - type: long - format: bytes - description: Bytes sent from the destination to the source. - example: 184 - - name: domain - level: core - type: keyword - ignore_above: 1024 - description: Destination domain. - - name: geo.city_name - level: core - type: keyword - ignore_above: 1024 - description: City name. - example: Montreal - - name: geo.continent_name - level: core - type: keyword - ignore_above: 1024 - description: Name of the continent. - example: North America - - name: geo.country_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Country ISO code. - example: CA - - name: geo.country_name - level: core - type: keyword - ignore_above: 1024 - description: Country name. - example: Canada - - name: geo.location - level: core - type: geo_point - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - - name: geo.name - level: extended - type: keyword - ignore_above: 1024 - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - - name: geo.region_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Region ISO code. - example: CA-QC - - name: geo.region_name - level: core - type: keyword - ignore_above: 1024 - description: Region name. - example: Quebec - - name: ip - level: core - type: ip - description: 'IP address of the destination. - - Can be one or multiple IPv4 or IPv6 addresses.' - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: MAC address of the destination. 
- - name: nat.ip - level: extended - type: ip - description: 'Translated ip of destination based NAT sessions (e.g. internet - to private DMZ) - - Typically used with load balancers, firewalls, or routers.' - - name: nat.port - level: extended - type: long - format: string - description: 'Port the source session is translated to by NAT Device. - - Typically used with load balancers, firewalls, or routers.' - - name: packets - level: core - type: long - description: Packets sent from the destination to the source. - example: 12 - - name: port - level: core - type: long - format: string - description: Port of the destination. - - name: user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - - name: user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - - name: user.full_name - level: extended - type: keyword - ignore_above: 1024 - description: User's full name, if available. - example: Albert Einstein - - name: user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - - name: user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - - name: user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - - name: user.id - level: core - type: keyword - ignore_above: 1024 - description: One or multiple unique identifiers of the user. - - name: user.name - level: core - type: keyword - ignore_above: 1024 - description: Short name or login of the user. - example: albert - - name: dns - title: DNS - group: 2 - description: 'Fields describing DNS queries and answers. 
- - DNS events should either represent a single DNS query prior to getting answers - (`dns.type:query`) or they should represent a full exchange and contain the - query details as well as all of the answers that were provided for this query - (`dns.type:answer`).' - type: group - fields: - - name: answers - level: extended - type: object - object_type: keyword - description: 'An array containing an object for each answer section returned - by the server. - - The main keys that should be present in these objects are defined by ECS. - Records that have more information may contain more keys than what ECS defines. - - Not all DNS data sources give all details about DNS answers. At minimum, answer - objects must contain the `data` key. If more information is available, map - as much of it to ECS as possible, and add any additional fields to the answer - objects as custom fields.' - - name: answers.class - level: extended - type: keyword - ignore_above: 1024 - description: The class of DNS data contained in this resource record. - example: IN - - name: answers.data - level: extended - type: keyword - ignore_above: 1024 - description: 'The data describing the resource. - - The meaning of this data depends on the type and class of the resource record.' - example: 10.10.10.10 - - name: answers.name - level: extended - type: keyword - ignore_above: 1024 - description: 'The domain name to which this resource record pertains. - - If a chain of CNAME is being resolved, each answer''s `name` should be the - one that corresponds with the answer''s `data`. It should not simply be the - original `question.name` repeated.' - example: www.google.com - - name: answers.ttl - level: extended - type: long - description: The time interval in seconds that this resource record may be cached - before it should be discarded. Zero values mean that the data should not be - cached. 
- example: 180 - - name: answers.type - level: extended - type: keyword - ignore_above: 1024 - description: The type of data contained in this resource record. - example: CNAME - - name: header_flags - level: extended - type: keyword - ignore_above: 1024 - description: 'Array of 2 letter DNS header flags. - - Expected values are: AA, TC, RD, RA, AD, CD, DO.' - example: - - RD - - RA - - name: id - level: extended - type: keyword - ignore_above: 1024 - description: The DNS packet identifier assigned by the program that generated - the query. The identifier is copied to the response. - example: 62111 - - name: op_code - level: extended - type: keyword - ignore_above: 1024 - description: The DNS operation code that specifies the kind of query in the - message. This value is set by the originator of a query and copied into the - response. - example: QUERY - - name: question.class - level: extended - type: keyword - ignore_above: 1024 - description: The class of of records being queried. - example: IN - - name: question.name - level: extended - type: keyword - ignore_above: 1024 - description: 'The name being queried. - - If the name field contains non-printable characters (below 32 or above 126), - those characters should be represented as escaped base 10 integers (\DDD). - Back slashes and quotes should be escaped. Tabs, carriage returns, and line - feeds should be converted to \t, \r, and \n respectively.' - example: www.google.com - - name: question.registered_domain - level: extended - type: keyword - ignore_above: 1024 - description: 'The highest registered domain, stripped of the subdomain. - - For example, the registered domain for "foo.google.com" is "google.com". - - This value can be determined precisely with a list like the public suffix - list (http://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' 
- example: google.com - - name: question.type - level: extended - type: keyword - ignore_above: 1024 - description: The type of record being queried. - example: AAAA - - name: resolved_ip - level: extended - type: ip - description: 'Array containing all IPs seen in `answers.data`. - - The `answers` array can be difficult to use, because of the variety of data - formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` - makes it possible to index them as IP addresses, and makes them easier to - visualize and query for.' - example: - - 10.10.10.10 - - 10.10.10.11 - - name: response_code - level: extended - type: keyword - ignore_above: 1024 - description: The DNS response code. - example: NOERROR - - name: type - level: extended - type: keyword - ignore_above: 1024 - description: 'The type of DNS event captured, query or answer. - - If your source of DNS events only gives you DNS queries, you should only create - dns events of type `dns.type:query`. - - If your source of DNS events gives you answers as well, you should create - one event per query (optionally as soon as the query is seen). And a second - event containing all query details as well as an array of answers.' - example: answer - - name: ecs - title: ECS - group: 2 - description: Meta-information specific to ECS. - type: group - fields: - - name: version - level: core - required: true - type: keyword - ignore_above: 1024 - description: 'ECS version this event conforms to. `ecs.version` is a required - field and must exist in all events. - - When querying across multiple indices -- which may conform to slightly different - ECS versions -- this field lets integrations adjust to the schema version - of the events.' - example: 1.0.0 - - name: error - title: Error - group: 2 - description: 'These fields can represent errors of any kind. - - Use them for errors that happen while fetching events or in cases where the - event itself contains an error.' 
- type: group - fields: - - name: code - level: core - type: keyword - ignore_above: 1024 - description: Error code describing the error. - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier for the error. - - name: message - level: core - type: text - description: Error message. - - name: event - title: Event - group: 2 - description: 'The event fields are used for context information about the log - or metric event itself. - - A log is defined as an event containing details of something that happened. - Log events must include the time at which the thing happened. Examples of log - events include a process starting on a host, a network packet being sent from - a source to a destination, or a network connection between a client and a server - being initiated or closed. A metric is defined as an event containing one or - more numerical or categorical measurements and the time at which the measurement - was taken. Examples of metric events include memory pressure measured on a host, - or vulnerabilities measured on a scanned host.' - type: group - fields: - - name: action - level: core - type: keyword - ignore_above: 1024 - description: 'The action captured by the event. - - This describes the information in the event. It is more specific than `event.category`. - Examples are `group-add`, `process-started`, `file-created`. The value is - normally defined by the implementer.' - example: user-password-change - - name: category - level: core - type: keyword - ignore_above: 1024 - description: 'Event category. - - This contains high-level information about the contents of the event. It is - more generic than `event.action`, in the sense that typically a category contains - multiple actions. Warning: In future versions of ECS, we plan to provide a - list of acceptable values for this field, please use with caution.' 
- example: user-management - - name: code - level: extended - type: keyword - ignore_above: 1024 - description: 'Identification code for this event, if one exists. - - Some event sources use event codes to identify messages unambiguously, regardless - of message language or wording adjustments over time. An example of this is - the Windows Event ID.' - example: 4648 - - name: created - level: core - type: date - description: 'event.created contains the date/time when the event was first - read by an agent, or by your pipeline. - - This field is distinct from @timestamp in that @timestamp typically contain - the time extracted from the original event. - - In most situations, these two timestamps will be slightly different. The difference - can be used to calculate the delay between your source generating an event, - and the time when your agent first processed it. This can be used to monitor - your agent''s or pipeline''s ability to keep up with your event source. - - In case the two timestamps are identical, @timestamp should be used.' - - name: dataset - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the dataset. - - If an event source publishes more than one type of log or events (e.g. access - log, error log), the dataset is used to specify which one the event comes - from. - - It''s recommended but not required to start the dataset name with the module - name, followed by a dot, then the dataset name.' - example: apache.access - - name: duration - level: core - type: long - format: duration - input_format: nanoseconds - output_format: asMilliseconds - output_precision: 1 - description: 'Duration of the event in nanoseconds. - - If event.start and event.end are known this value should be the difference - between the end and start time.' - - name: end - level: extended - type: date - description: event.end contains the date when the event ended or when the activity - was last observed. 
- - name: hash - level: extended - type: keyword - ignore_above: 1024 - description: Hash (perhaps logstash fingerprint) of raw field to be able to - demonstrate log integrity. - example: 123456789012345678901234567890ABCD - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique ID to describe the event. - example: 8a4f500d - - name: kind - level: extended - type: keyword - ignore_above: 1024 - description: 'The kind of the event. - - This gives information about what type of information the event contains, - without being specific to the contents of the event. Examples are `event`, - `state`, `alarm`. Warning: In future versions of ECS, we plan to provide a - list of acceptable values for this field, please use with caution.' - example: state - - name: module - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the module this data is coming from. - - If your monitoring agent supports the concept of modules or plugins to process - events of a given source (e.g. Apache logs), `event.module` should contain - the name of this module.' - example: apache - - name: original - level: core - type: keyword - ignore_above: 1024 - description: 'Raw text message of entire event. Used to demonstrate log integrity. - - This field is not indexed and doc_values are disabled. It cannot be searched, - but it can be retrieved from `_source`.' - example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| - worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 - - name: outcome - level: extended - type: keyword - ignore_above: 1024 - description: 'The outcome of the event. - - If the event describes an action, this fields contains the outcome of that - action. Examples outcomes are `success` and `failure`. Warning: In future - versions of ECS, we plan to provide a list of acceptable values for this field, - please use with caution.' 
- example: success - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: 'Source of the event. - - Event transports such as Syslog or the Windows Event Log typically mention - the source of an event. It can be the name of the software that generated - the event (e.g. Sysmon, httpd), or of a subsystem of the operating system - (kernel, Microsoft-Windows-Security-Auditing).' - example: kernel - - name: risk_score - level: core - type: float - description: Risk score or priority of the event (e.g. security solutions). - Use your system's original value here. - - name: risk_score_norm - level: extended - type: float - description: 'Normalized risk score or priority of the event, on a scale of - 0 to 100. - - This is mainly useful if you use more than one system that assigns risk scores, - and you want to see a normalized value across all systems.' - - name: sequence - level: extended - type: long - format: string - description: 'Sequence number of the event. - - The sequence number is a value published by some event sources, to make the - exact ordering of events unambiguous, regarless of the timestamp precision.' - - name: severity - level: core - type: long - format: string - description: Severity describes the original severity of the event. What the - different severity values mean can very different between use cases. It's - up to the implementer to make sure severities are consistent across events. - example: '7' - - name: start - level: extended - type: date - description: event.start contains the date when the event started or when the - activity was first observed. - - name: timezone - level: extended - type: keyword - ignore_above: 1024 - description: 'This field should be populated when the event''s timestamp does - not include timezone information already (e.g. default Syslog timestamps). - It''s optional otherwise. - - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), - abbreviated (e.g. 
"EST") or an HH:mm differential (e.g. "-05:00").' - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Reserved for future usage. - - Please avoid using this field for user data.' - - name: file - title: File - group: 2 - description: 'A file is defined as a set of information that has been created - on, or has existed on a filesystem. - - File objects can be associated with host events, network events, and/or file - events (e.g., those produced by File Integrity Monitoring [FIM] products or - services). File fields provide details about the affected file associated with - the event or metric.' - type: group - fields: - - name: accessed - level: extended - type: date - description: 'Last time the file was accessed. - - Note that not all filesystems keep track of access time.' - - name: created - level: extended - type: date - description: 'File creation time. - - Note that not all filesystems store the creation time.' - - name: ctime - level: extended - type: date - description: 'Last time the file attributes or metadata changed. - - Note that changes to the file content will update `mtime`. This implies `ctime` - will be adjusted at the same time, since `mtime` is an attribute of the file.' - - name: device - level: extended - type: keyword - ignore_above: 1024 - description: Device that is the source of the file. - example: sda - - name: directory - level: extended - type: keyword - ignore_above: 1024 - description: Directory where the file is located. - example: /home/alice - - name: extension - level: extended - type: keyword - ignore_above: 1024 - description: File extension. - example: png - - name: gid - level: extended - type: keyword - ignore_above: 1024 - description: Primary group ID (GID) of the file. - example: '1001' - - name: group - level: extended - type: keyword - ignore_above: 1024 - description: Primary group name of the file. 
- example: alice - - name: hash.md5 - level: extended - type: keyword - ignore_above: 1024 - description: MD5 hash. - - name: hash.sha1 - level: extended - type: keyword - ignore_above: 1024 - description: SHA1 hash. - - name: hash.sha256 - level: extended - type: keyword - ignore_above: 1024 - description: SHA256 hash. - - name: hash.sha512 - level: extended - type: keyword - ignore_above: 1024 - description: SHA512 hash. - - name: inode - level: extended - type: keyword - ignore_above: 1024 - description: Inode representing the file in the filesystem. - example: '256383' - - name: mode - level: extended - type: keyword - ignore_above: 1024 - description: Mode of the file in octal representation. - example: '0640' - - name: mtime - level: extended - type: date - description: Last time the file content was modified. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the file including the extension, without the directory. - example: example.png - - name: owner - level: extended - type: keyword - ignore_above: 1024 - description: File owner's username. - example: alice - - name: path - level: extended - type: keyword - ignore_above: 1024 - description: Full path to the file. - example: /home/alice/example.png - - name: size - level: extended - type: long - description: 'File size in bytes. - - Only relevant when `file.type` is "file".' - example: 16384 - - name: target_path - level: extended - type: keyword - ignore_above: 1024 - description: Target path for symlinks. - - name: type - level: extended - type: keyword - ignore_above: 1024 - description: File type (file, dir, or symlink). - example: file - - name: uid - level: extended - type: keyword - ignore_above: 1024 - description: The user ID (UID) or security identifier (SID) of the file owner. - example: '1001' - - name: geo - title: Geo - group: 2 - description: 'Geo fields can carry data about a specific location related to an - event. 
- - This geolocation information can be derived from techniques such as Geo IP, - or be user-supplied.' - type: group - fields: - - name: city_name - level: core - type: keyword - ignore_above: 1024 - description: City name. - example: Montreal - - name: continent_name - level: core - type: keyword - ignore_above: 1024 - description: Name of the continent. - example: North America - - name: country_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Country ISO code. - example: CA - - name: country_name - level: core - type: keyword - ignore_above: 1024 - description: Country name. - example: Canada - - name: location - level: core - type: geo_point - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - - name: region_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Region ISO code. - example: CA-QC - - name: region_name - level: core - type: keyword - ignore_above: 1024 - description: Region name. - example: Quebec - - name: group - title: Group - group: 2 - description: The group fields are meant to represent groups that are relevant - to the event. - type: group - fields: - - name: id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - - name: hash - title: Hash - group: 2 - description: 'The hash fields represent different hash algorithms and their values. - - Field names for common hashes (e.g. MD5, SHA1) are predefined. 
Add fields for - other hashes by lowercasing the hash algorithm name and using underscore separators - as appropriate (snake case, e.g. sha3_512).' - type: group - fields: - - name: md5 - level: extended - type: keyword - ignore_above: 1024 - description: MD5 hash. - - name: sha1 - level: extended - type: keyword - ignore_above: 1024 - description: SHA1 hash. - - name: sha256 - level: extended - type: keyword - ignore_above: 1024 - description: SHA256 hash. - - name: sha512 - level: extended - type: keyword - ignore_above: 1024 - description: SHA512 hash. - - name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the - event happened, or from which the measurement was taken. Host types include - hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: geo.city_name - level: core - type: keyword - ignore_above: 1024 - description: City name. - example: Montreal - - name: geo.continent_name - level: core - type: keyword - ignore_above: 1024 - description: Name of the continent. - example: North America - - name: geo.country_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Country ISO code. - example: CA - - name: geo.country_name - level: core - type: keyword - ignore_above: 1024 - description: Country name. - example: Canada - - name: geo.location - level: core - type: geo_point - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - - name: geo.name - level: extended - type: keyword - ignore_above: 1024 - description: 'User-defined description of a location, at the level of granularity - they care about. 
- - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - - name: geo.region_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Region ISO code. - example: CA-QC - - name: geo.region_name - level: core - type: keyword - ignore_above: 1024 - description: Region name. - example: Quebec - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip address. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac address. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified - domain name, or a name specified by the user. The sender decides which value - to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, without the version. 
- example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, - this could be the container, for example, or other information meaningful - in your environment.' - - name: uptime - level: extended - type: long - description: Seconds the host has been up. - example: 1325 - - name: user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - - name: user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - - name: user.full_name - level: extended - type: keyword - ignore_above: 1024 - description: User's full name, if available. - example: Albert Einstein - - name: user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - - name: user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - - name: user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - - name: user.id - level: core - type: keyword - ignore_above: 1024 - description: One or multiple unique identifiers of the user. - - name: user.name - level: core - type: keyword - ignore_above: 1024 - description: Short name or login of the user. 
- example: albert - - name: http - title: HTTP - group: 2 - description: Fields related to HTTP activity. Use the `url` field set to store - the url of the request. - type: group - fields: - - name: request.body.bytes - level: extended - type: long - format: bytes - description: Size in bytes of the request body. - example: 887 - - name: request.body.content - level: extended - type: keyword - ignore_above: 1024 - description: The full HTTP request body. - example: Hello world - - name: request.bytes - level: extended - type: long - format: bytes - description: Total size in bytes of the request (body and headers). - example: 1437 - - name: request.method - level: extended - type: keyword - ignore_above: 1024 - description: 'HTTP request method. - - The field value must be normalized to lowercase for querying. See the documentation - section "Implementing ECS".' - example: get, post, put - - name: request.referrer - level: extended - type: keyword - ignore_above: 1024 - description: Referrer for this HTTP request. - example: https://blog.example.com/ - - name: response.body.bytes - level: extended - type: long - format: bytes - description: Size in bytes of the response body. - example: 887 - - name: response.body.content - level: extended - type: keyword - ignore_above: 1024 - description: The full HTTP response body. - example: Hello world - - name: response.bytes - level: extended - type: long - format: bytes - description: Total size in bytes of the response (body and headers). - example: 1437 - - name: response.status_code - level: extended - type: long - format: string - description: HTTP response status code. - example: 404 - - name: version - level: extended - type: keyword - ignore_above: 1024 - description: HTTP version. - example: 1.1 - - name: log - title: Log - group: 2 - description: Fields which are specific to log events. 
- type: group - fields: - - name: level - level: core - type: keyword - ignore_above: 1024 - description: 'Original log level of the log event. - - Some examples are `warn`, `error`, `i`.' - example: err - - name: logger - level: core - type: keyword - ignore_above: 1024 - description: The name of the logger inside an application. This is usually the - name of the class which initialized the logger, or can be a custom name. - example: org.elasticsearch.bootstrap.Bootstrap - - name: original - level: core - type: keyword - ignore_above: 1024 - description: 'This is the original log message and contains the full log message - before splitting it up in multiple parts. - - In contrast to the `message` field which can contain an extracted part of - the log message, this field contains the original, full log message. It can - have already some modifications applied like encoding or new lines removed - to clean up the log message. - - This field is not indexed and doc_values are disabled so it can''t be queried - but the value can be retrieved from `_source`.' - example: Sep 19 08:26:10 localhost My log - - name: network - title: Network - group: 2 - description: 'The network is defined as the communication path over which a host - or network event happens. - - The network.* fields should be populated with details about the network activity - associated with an event.' - type: group - fields: - - name: application - level: extended - type: keyword - ignore_above: 1024 - description: 'A name given to an application level protocol. This can be arbitrarily - assigned for things like microservices, but also apply to things like skype, - icq, facebook, twitter. This would be used in situations where the vendor - or service can be decoded such as from the source/dest IP owners, ports, or - wire format. - - The field value must be normalized to lowercase for querying. See the documentation - section "Implementing ECS".' 
- example: aim - - name: bytes - level: core - type: long - format: bytes - description: 'Total bytes transferred in both directions. - - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their - sum.' - example: 368 - - name: community_id - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of source and destination IPs and ports, as well as the - protocol used in a communication. This is a tool-agnostic standard to identify - flows. - - Learn more at https://github.com/corelight/community-id-spec.' - example: 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0= - - name: direction - level: core - type: keyword - ignore_above: 1024 - description: "Direction of the network traffic.\nRecommended values are:\n \ - \ * inbound\n * outbound\n * internal\n * external\n * unknown\n\nWhen\ - \ mapping events from a host-based monitoring context, populate this field\ - \ from the host's point of view.\nWhen mapping events from a network or perimeter-based\ - \ monitoring context, populate this field from the point of view of your network\ - \ perimeter." - example: inbound - - name: forwarded_ip - level: core - type: ip - description: Host IP address when the source IP address is the proxy. - example: 192.1.1.2 - - name: iana_number - level: extended - type: keyword - ignore_above: 1024 - description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). - Standardized list of protocols. This aligns well with NetFlow and sFlow related - logs which use the IANA Protocol Number. - example: 6 - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Name given by operators to sections of their network. - example: Guest Wifi - - name: packets - level: core - type: long - description: 'Total packets transferred in both directions. - - If `source.packets` and `destination.packets` are known, `network.packets` - is their sum.' 
- example: 24 - - name: protocol - level: core - type: keyword - ignore_above: 1024 - description: 'L7 Network protocol name. ex. http, lumberjack, transport protocol. - - The field value must be normalized to lowercase for querying. See the documentation - section "Implementing ECS".' - example: http - - name: transport - level: core - type: keyword - ignore_above: 1024 - description: 'Same as network.iana_number, but instead using the Keyword name - of the transport layer (udp, tcp, ipv6-icmp, etc.) - - The field value must be normalized to lowercase for querying. See the documentation - section "Implementing ECS".' - example: tcp - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'In the OSI Model this would be the Network Layer. ipv4, ipv6, - ipsec, pim, etc - - The field value must be normalized to lowercase for querying. See the documentation - section "Implementing ECS".' - example: ipv4 - - name: observer - title: Observer - group: 2 - description: 'An observer is defined as a special network, security, or application - device used to detect, observe, or create network, security, or application-related - events and metrics. - - This could be a custom hardware appliance or a server that has been configured - to run special network, security, or application software. Examples include - firewalls, intrusion detection/prevention systems, network monitoring sensors, - web application firewalls, data loss prevention systems, and APM servers. The - observer.* fields shall be populated with details of the system, if any, that - detects, observes and/or creates a network, security, or application event or - metric. Message queues and ETL components used in processing events or metrics - are not considered observers in ECS.' - type: group - fields: - - name: geo.city_name - level: core - type: keyword - ignore_above: 1024 - description: City name. 
- example: Montreal - - name: geo.continent_name - level: core - type: keyword - ignore_above: 1024 - description: Name of the continent. - example: North America - - name: geo.country_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Country ISO code. - example: CA - - name: geo.country_name - level: core - type: keyword - ignore_above: 1024 - description: Country name. - example: Canada - - name: geo.location - level: core - type: geo_point - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - - name: geo.name - level: extended - type: keyword - ignore_above: 1024 - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - - name: geo.region_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Region ISO code. - example: CA-QC - - name: geo.region_name - level: core - type: keyword - ignore_above: 1024 - description: Region name. - example: Quebec - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: Hostname of the observer. - - name: ip - level: core - type: ip - description: IP address of the observer. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: MAC address of the observer - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. 
- example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: serial_number - level: extended - type: keyword - ignore_above: 1024 - description: Observer serial number. - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'The type of the observer the data is coming from. - - There is no predefined list of observer types. Some examples are `forwarder`, - `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.' - example: firewall - - name: vendor - level: core - type: keyword - ignore_above: 1024 - description: observer vendor information. - - name: version - level: core - type: keyword - ignore_above: 1024 - description: Observer version. - - name: organization - title: Organization - group: 2 - description: 'The organization fields enrich data with information about the company - or entity the data is associated with. - - These fields help you arrange or filter data stored in an index by one or multiple - organizations.' - type: group - fields: - - name: id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the organization. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Organization name. - - name: os - title: Operating System - group: 2 - description: The OS fields contain information about the operating system. - type: group - fields: - - name: family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). 
- example: debian - - name: full - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, without the version. - example: Mac OS X - - name: platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: process - title: Process - group: 2 - description: 'These fields contain information about a process. - - These fields can help you correlate metrics information with a process id/name - from a log message. The `process.pid` often stays in the metric itself and - is copied to the global field for correlation.' - type: group - fields: - - name: args - level: extended - type: keyword - ignore_above: 1024 - description: 'Array of process arguments. - - May be filtered to protect sensitive information.' - example: - - ssh - - -l - - user - - 10.0.0.16 - - name: executable - level: extended - type: keyword - ignore_above: 1024 - description: Absolute path to the process executable. - example: /usr/bin/ssh - - name: hash.md5 - level: extended - type: keyword - ignore_above: 1024 - description: MD5 hash. - - name: hash.sha1 - level: extended - type: keyword - ignore_above: 1024 - description: SHA1 hash. - - name: hash.sha256 - level: extended - type: keyword - ignore_above: 1024 - description: SHA256 hash. - - name: hash.sha512 - level: extended - type: keyword - ignore_above: 1024 - description: SHA512 hash. 
- - name: name - level: extended - type: keyword - ignore_above: 1024 - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - - name: pgid - level: extended - type: long - format: string - description: Identifier of the group of processes the process belongs to. - - name: pid - level: core - type: long - format: string - description: Process id. - example: 4242 - - name: ppid - level: extended - type: long - format: string - description: Parent process' pid. - example: 4241 - - name: start - level: extended - type: date - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - - name: thread.id - level: extended - type: long - format: string - description: Thread ID. - example: 4242 - - name: thread.name - level: extended - type: keyword - ignore_above: 1024 - description: Thread name. - example: thread-0 - - name: title - level: extended - type: keyword - ignore_above: 1024 - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: - for example a browser setting its title to the web page currently opened.' - - name: uptime - level: extended - type: long - description: Seconds the process has been up. - example: 1325 - - name: working_directory - level: extended - type: keyword - ignore_above: 1024 - description: The working directory of the process. - example: /home/alice - - name: related - title: Related - group: 2 - description: 'This field set is meant to facilitate pivoting around a piece of - data. - - Some pieces of information can be seen in many places in an ECS event. To facilitate - searching for them, store an array of all seen values to their corresponding - field in `related.`. - - A concrete example is IP addresses, which can be under host, observer, source, - destination, client, server, and network.forwarded_ip. 
If you append all IPs - to `related.ip`, you can then search for a given IP trivially, no matter where - it appeared, by querying `related.ip:a.b.c.d`.' - type: group - fields: - - name: ip - level: extended - type: ip - description: All of the IPs seen on your event. - - name: server - title: Server - group: 2 - description: 'A Server is defined as the responder in a network connection for - events regarding sessions, connections, or bidirectional flow records. - - For TCP events, the server is the receiver of the initial SYN packet(s) of the - TCP connection. For other protocols, the server is generally the responder in - the network transaction. Some systems actually use the term "responder" to refer - the server in TCP connections. The server fields describe details about the - system acting as the server in the network event. Server fields are usually - populated in conjunction with client fields. Server fields are generally not - populated for packet-level events. - - Client / server representations can add semantic context to an exchange, which - is helpful to visualize the data in certain situations. If your context falls - in that category, you should still ensure that source and destination are filled - appropriately.' - type: group - fields: - - name: address - level: extended - type: keyword - ignore_above: 1024 - description: 'Some event server addresses are defined ambiguously. The event - will sometimes list an IP, a domain or a unix socket. You should always store - the raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one - it is.' - - name: as.number - level: extended - type: long - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - - name: as.organization.name - level: extended - type: keyword - ignore_above: 1024 - description: Organization name. 
- example: Google LLC - - name: bytes - level: core - type: long - format: bytes - description: Bytes sent from the server to the client. - example: 184 - - name: domain - level: core - type: keyword - ignore_above: 1024 - description: Server domain. - - name: geo.city_name - level: core - type: keyword - ignore_above: 1024 - description: City name. - example: Montreal - - name: geo.continent_name - level: core - type: keyword - ignore_above: 1024 - description: Name of the continent. - example: North America - - name: geo.country_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Country ISO code. - example: CA - - name: geo.country_name - level: core - type: keyword - ignore_above: 1024 - description: Country name. - example: Canada - - name: geo.location - level: core - type: geo_point - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - - name: geo.name - level: extended - type: keyword - ignore_above: 1024 - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - - name: geo.region_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Region ISO code. - example: CA-QC - - name: geo.region_name - level: core - type: keyword - ignore_above: 1024 - description: Region name. - example: Quebec - - name: ip - level: core - type: ip - description: 'IP address of the server. - - Can be one or multiple IPv4 or IPv6 addresses.' - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: MAC address of the server. - - name: nat.ip - level: extended - type: ip - description: 'Translated ip of destination based NAT sessions (e.g. internet - to private DMZ) - - Typically used with load balancers, firewalls, or routers.' 
- - name: nat.port - level: extended - type: long - format: string - description: 'Translated port of destination based NAT sessions (e.g. internet - to private DMZ) - - Typically used with load balancers, firewalls, or routers.' - - name: packets - level: core - type: long - description: Packets sent from the server to the client. - example: 12 - - name: port - level: core - type: long - format: string - description: Port of the server. - - name: user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - - name: user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - - name: user.full_name - level: extended - type: keyword - ignore_above: 1024 - description: User's full name, if available. - example: Albert Einstein - - name: user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - - name: user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - - name: user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - - name: user.id - level: core - type: keyword - ignore_above: 1024 - description: One or multiple unique identifiers of the user. - - name: user.name - level: core - type: keyword - ignore_above: 1024 - description: Short name or login of the user. - example: albert - - name: service - title: Service - group: 2 - description: 'The service fields describe the service for or from which the data - was collected. - - These fields help you find and correlate logs for a specific service and version.' 
- type: group - fields: - - name: ephemeral_id - level: extended - type: keyword - ignore_above: 1024 - description: 'Ephemeral identifier of this service (if one exists). - - This id normally changes across restarts, but `service.id` does not.' - example: 8a4f500f - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique identifier of the running service. If the service is comprised - of many nodes, the `service.id` should be the same for all nodes. - - This id should uniquely identify the service. This makes it possible to correlate - logs and metrics for one specific service, no matter which particular node - emitted the event. - - Note that if you need to see the events from one specific host of the service, - you should filter on that `host.name` or `host.id` instead.' - example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6 - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the service data is collected from. - - The name of the service is normally user given. This allows if two instances - of the same service are running on the same machine they can be differentiated - by the `service.name`. - - Also it allows for distributed services that run on multiple hosts to correlate - the related instances based on the name. - - In the case of Elasticsearch the service.name could contain the cluster name. - For Beats the service.name is by default a copy of the `service.type` field - if no name is specified.' - example: elasticsearch-metrics - - name: state - level: core - type: keyword - ignore_above: 1024 - description: Current state of the service. - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'The type of the service data is collected from. - - The type can be used to group and correlate logs and metrics from one service - type. - - Example: If logs or metrics are collected from Elasticsearch, `service.type` - would be `elasticsearch`.' 
- example: elasticsearch - - name: version - level: core - type: keyword - ignore_above: 1024 - description: 'Version of the service the data was collected from. - - This allows to look at a data set only for a specific version of a service.' - example: 3.2.4 - - name: source - title: Source - group: 2 - description: 'Source fields describe details about the source of a packet/event. - - Source fields are usually populated in conjunction with destination fields.' - type: group - fields: - - name: address - level: extended - type: keyword - ignore_above: 1024 - description: 'Some event source addresses are defined ambiguously. The event - will sometimes list an IP, a domain or a unix socket. You should always store - the raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one - it is.' - - name: as.number - level: extended - type: long - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - - name: as.organization.name - level: extended - type: keyword - ignore_above: 1024 - description: Organization name. - example: Google LLC - - name: bytes - level: core - type: long - format: bytes - description: Bytes sent from the source to the destination. - example: 184 - - name: domain - level: core - type: keyword - ignore_above: 1024 - description: Source domain. - - name: geo.city_name - level: core - type: keyword - ignore_above: 1024 - description: City name. - example: Montreal - - name: geo.continent_name - level: core - type: keyword - ignore_above: 1024 - description: Name of the continent. - example: North America - - name: geo.country_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Country ISO code. - example: CA - - name: geo.country_name - level: core - type: keyword - ignore_above: 1024 - description: Country name. 
- example: Canada - - name: geo.location - level: core - type: geo_point - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - - name: geo.name - level: extended - type: keyword - ignore_above: 1024 - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - - name: geo.region_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Region ISO code. - example: CA-QC - - name: geo.region_name - level: core - type: keyword - ignore_above: 1024 - description: Region name. - example: Quebec - - name: ip - level: core - type: ip - description: 'IP address of the source. - - Can be one or multiple IPv4 or IPv6 addresses.' - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: MAC address of the source. - - name: nat.ip - level: extended - type: ip - description: 'Translated ip of source based NAT sessions (e.g. internal client - to internet) - - Typically connections traversing load balancers, firewalls, or routers.' - - name: nat.port - level: extended - type: long - format: string - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - - name: packets - level: core - type: long - description: Packets sent from the source to the destination. - example: 12 - - name: port - level: core - type: long - format: string - description: Port of the source. - - name: user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' 
- - name: user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - - name: user.full_name - level: extended - type: keyword - ignore_above: 1024 - description: User's full name, if available. - example: Albert Einstein - - name: user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - - name: user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - - name: user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - - name: user.id - level: core - type: keyword - ignore_above: 1024 - description: One or multiple unique identifiers of the user. - - name: user.name - level: core - type: keyword - ignore_above: 1024 - description: Short name or login of the user. - example: albert - - name: tracing - title: Tracing - group: 2 - description: Distributed tracing makes it possible to analyze performance throughout - a microservice architecture all in one view. This is accomplished by tracing - all of the requests - from the initial web request in the front-end service - - to queries made through multiple back-end services. - type: group - fields: - - name: trace.id - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique identifier of the trace. - - A trace groups multiple events like transactions that belong together. For - example, a user request handled by multiple inter-connected services.' - example: 4bf92f3577b34da6a3ce929d0e0e4736 - - name: transaction.id - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique identifier of the transaction. - - A transaction is the highest level of work measured within a service, such - as a request to a server.' 
- example: 00f067aa0ba902b7 - - name: url - title: URL - group: 2 - description: URL fields provide support for complete or partial URLs, and supports - the breaking down into scheme, domain, path, and so on. - type: group - fields: - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Domain of the url, such as "www.elastic.co". - - In some cases a URL may refer to an IP and/or port directly, without a domain - name. In this case, the IP address would go to the `domain` field.' - example: www.elastic.co - - name: fragment - level: extended - type: keyword - ignore_above: 1024 - description: 'Portion of the url after the `#`, such as "top". - - The `#` is not part of the fragment.' - - name: full - level: extended - type: keyword - ignore_above: 1024 - description: If full URLs are important to your use case, they should be stored - in `url.full`, whether this field is reconstructed or present in the event - source. - example: https://www.elastic.co:443/search?q=elasticsearch#top - - name: original - level: extended - type: keyword - ignore_above: 1024 - description: 'Unmodified original url as seen in the event source. - - Note that in network monitoring, the observed URL may be a full URL, whereas - in access logs, the URL is often just represented as a path. - - This field is meant to represent the URL as it was observed, complete or not.' - example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch - - name: password - level: extended - type: keyword - ignore_above: 1024 - description: Password of the request. - - name: path - level: extended - type: keyword - ignore_above: 1024 - description: Path of the request, such as "/search". - - name: port - level: extended - type: long - format: string - description: Port of the request, such as 443. 
- example: 443 - - name: query - level: extended - type: keyword - ignore_above: 1024 - description: 'The query field describes the query string of the request, such - as "q=elasticsearch". - - The `?` is excluded from the query string. If a URL contains no `?`, there - is no query field. If there is a `?` but no query, the query field exists - with an empty string. The `exists` query can be used to differentiate between - the two cases.' - - name: scheme - level: extended - type: keyword - ignore_above: 1024 - description: 'Scheme of the request, such as "https". - - Note: The `:` is not part of the scheme.' - example: https - - name: username - level: extended - type: keyword - ignore_above: 1024 - description: Username of the request. - - name: user - title: User - group: 2 - description: 'The user fields describe information about the user that is relevant - to the event. - - Fields can have one entry or multiple entries. If a user has more than one id, - provide an array that includes all of them.' - type: group - fields: - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - - name: email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - - name: full_name - level: extended - type: keyword - ignore_above: 1024 - description: User's full name, if available. - example: Albert Einstein - - name: group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - - name: group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - - name: hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. 
- - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: One or multiple unique identifiers of the user. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: Short name or login of the user. - example: albert - - name: user_agent - title: User agent - group: 2 - description: 'The user_agent fields normally come from a browser request. - - They often show up in web service logs coming from the parsed user agent string.' - type: group - fields: - - name: device.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the device. - example: iPhone - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the user agent. - example: Safari - - name: original - level: extended - type: keyword - ignore_above: 1024 - description: Unparsed version of the user_agent. - example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 - (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). 
- example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: version - level: extended - type: keyword - ignore_above: 1024 - description: Version of the user agent. - example: 12.0 -- key: beat - anchor: beat-common - title: Beat - description: > - Contains common beat fields available in all event types. - fields: - - name: agent.hostname - type: keyword - description: Hostname of the agent. - - - name: beat.timezone - type: alias - path: event.timezone - migration: true - - - name: fields - type: object - object_type: keyword - description: > - Contains user configurable fields. - - - name: error - type: group - description: > - Error fields containing additional info in case of errors. - fields: - - name: type - type: keyword - description: > - Error type. - - - name: beat.name - type: alias - path: host.name - migration: true - - - name: beat.hostname - type: alias - path: agent.hostname - migration: true - - - name: timeseries.instance - type: keyword - description: Time series instance id -- key: cloud - title: Cloud provider metadata - description: > - Metadata from cloud providers added by the add_cloud_metadata processor. - fields: - - - name: cloud.project.id - example: project-x - description: > - Name of the project in Google Cloud. - - - name: cloud.image.id - example: ami-abcd1234 - description: > - Image ID for the cloud instance. 
- - # Alias for old fields - - name: meta.cloud.provider - type: alias - path: cloud.provider - migration: true - - - name: meta.cloud.instance_id - type: alias - path: cloud.instance.id - migration: true - - - name: meta.cloud.instance_name - type: alias - path: cloud.instance.name - migration: true - - - name: meta.cloud.machine_type - type: alias - path: cloud.machine.type - migration: true - - - name: meta.cloud.availability_zone - type: alias - path: cloud.availability_zone - migration: true - - - name: meta.cloud.project_id - type: alias - path: cloud.project.id - migration: true - - - name: meta.cloud.region - type: alias - path: cloud.region - migration: true - - -- key: docker - title: Docker - description: > - Docker stats collected from Docker. - short_config: false - anchor: docker-processor - fields: - - name: docker - type: group - fields: - - name: container.id - type: alias - path: container.id - migration: true - - - name: container.image - type: alias - path: container.image.name - migration: true - - - name: container.name - type: alias - path: container.name - migration: true - - - name: container.labels # TODO: How to map these? - type: object - object_type: keyword - description: > - Image labels. -- key: host - title: Host - description: > - Info collected for the host machine. - anchor: host-processor - fields: - - # ECS fields are in fields.ecs.yml. - # These are the non-ECS fields. - - name: host - type: group - fields: - - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
-- key: kubernetes
- title: Kubernetes
- description: >
- Kubernetes metadata added by the kubernetes processor
- short_config: false
- anchor: kubernetes-processor
- fields:
- - name: kubernetes
- type: group
- fields:
- - name: pod.name
- type: keyword
- description: >
- Kubernetes pod name
-
- - name: pod.uid
- type: keyword
- description: >
- Kubernetes Pod UID
-
- - name: namespace
- type: keyword
- description: >
- Kubernetes namespace
-
- - name: node.name
- type: keyword
- description: >
- Kubernetes node name
-
- - name: labels.*
- type: object
- object_type: keyword
- object_type_mapping_type: "*"
- description: >
- Kubernetes labels map
-
- - name: annotations.*
- type: object
- object_type: keyword
- object_type_mapping_type: "*"
- description: >
- Kubernetes annotations map
-
- - name: replicaset.name
- type: keyword
- description: >
- Kubernetes replicaset name
-
- - name: deployment.name
- type: keyword
- description: >
- Kubernetes deployment name
-
- - name: statefulset.name
- type: keyword
- description: >
- Kubernetes statefulset name
-
- - name: container.name
- type: keyword
- description: >
- Kubernetes container name
-
- - name: container.image
- type: keyword
- description: >
- Kubernetes container image
-- key: process
- title: Process
- description: >
- Process metadata fields
- fields:
- - name: process
- type: group
- fields:
- - name: exe
- type: alias
- path: process.executable
- migration: true
-- key: jolokia-autodiscover
- title: Jolokia Discovery autodiscover provider
- description: >
- Metadata from Jolokia Discovery added by the jolokia provider.
- fields:
- - name: jolokia.agent.version
- type: keyword
- description: >
- Version number of jolokia agent.
- - name: jolokia.agent.id
- type: keyword
- description: >
- Each agent has a unique id which can be either provided during startup of the agent in form of a configuration parameter or being autodetected.
If autodected, the id has several parts: The IP, the process id, hashcode of the agent and its type.
- - name: jolokia.server.product
- type: keyword
- description: >
- The container product if detected.
- - name: jolokia.server.version
- type: keyword
- description: >
- The container's version (if detected).
- - name: jolokia.server.vendor
- type: keyword
- description: >
- The vendor of the container the agent is running in.
- - name: jolokia.url
- type: keyword
- description: >
- The URL how this agent can be contacted.
- - name: jolokia.secured
- type: boolean
- description: >
- Whether the agent was configured for authentication or not.
-- key: dnsbeat
- title: dnsbeat
- description: Fields from the DNS zones.
- fields:
- - name: dns
- type: group
- required: true
- description: All fields specific to the Resource Record are defined here.
- fields:
- - name: name
- type: keyword
- required: true
- description: The domain name where the RR is found.
- - name: tld
- type: keyword
- - name: sld
- type: keyword
- - name: type
- type: keyword
- required: true
- overwrite: true
- description: The type of the resource in this resource record.
- - name: class
- type: keyword
- required: true
- description: The protocol family or instance of a protocol.
- - name: ttl
- type: integer
- required: true
- description: The protocol family or instance of a protocol.
- - name: rdata
- type: group
- description: This is a non-exhaustive list of the type and sometimes class dependent data which describes the resource.
- fields:
- - name: address # EUI48, EUI64
- type: keyword
- - name: algorithm # CERT, SIG, RRSIG, DLV, CDS, DS, TA, SSHFP, KEY, CDNSKEY, DNSKEY, RKEY, TKEY
- type: keyword
- - name: altitude # GPOS, LOC
- type: keyword
- - name: certificate # CERT, TLSA, SMIMEA
- type: keyword
- - name: cpu # HINFO
- type: keyword
- - name: data # NULL
- type: keyword
- - name: digest # DLV, CDS, DS, TA, DHCID
- type: keyword
- - name: digest_type # DLV, CDS, DS, TA
- type: integer
- - name: endpoint # EID
- type: keyword
- - name: email # MINFO
- type: keyword
- - name: error # TKEY
- type: keyword
- - name: expiration # SIG, RRSIG, TKEY
- type: integer
- - name: expire # SOA
- type: integer
- - name: finger_print # SSHFP
- type: keyword
- - name: flag # CAA
- type: integer
- - name: flags # NAPTR, KEY, CDNSKEY, DNSKEY, RKEY, NSEC3, NSEC3PARAM, CSYNC
- type: keyword
- - name: gid # GID
- type: integer
- - name: hash # NSEC3, NSEC3PARAM
- type: integer
- - name: hash_length # NSEC3
- type: integer
- - name: hit_length # HIP
- type: integer
- - name: hit # HIP
- type: keyword
- - name: horiz_pre # LOC
- type: integer
- - name: inception # SIG, RRSIG, TKEY
- type: integer
- - name: ip # A, AAAA, L32
- type: ip
- - name: iterations # NSEC3, NSEC3PARAM
- type: integer
- - name: key # TKEY
- type: keyword
- - name: key_size # TKEY
- type: integer
- - name: key_tag # CERT, SIG, RRSIG, DLV, CDS, DS, TA
- type: integer
- - name: labels # SIG, RRSIG
- type: integer
- - name: latitude # GPOS, LOC
- type: keyword
- - name: locator # NIMLOC
- type: keyword
- - name: longitude # GPOS, LOC
- type: keyword
- - name: map822 # PX
- type: keyword
- - name: mapx400 # PX
- type: keyword
- - name: matching_type # TLSA, SMIMEA
- type: integer
- - name: mbox # RP, SOA
- type: keyword
- - name: mode # TKEY
- type: integer
- - name: name # KX, NSAPPTR, HIP, LP, CNAME, MX, MD, MF, MR, MG, RT, AFSDB, MB, NS, SOA, PTR, SRV, DNAME, URI, NSEC3, SIG, RRSIG, NSEC, (TALINK)
- type: keyword
- - name: next_name #
TALINK
- type: keyword
- - name: node_id # NID
- type: integer
- - name: order # NAPTR
- type: integer
- - name: os # HINFO
- type: keyword
- - name: other_data # TKEY
- type: keyword
- - name: other_len # TKEY
- type: integer
- - name: port # SRV
- type: integer
- - name: preference # MX, RT, NAPTR, PX, KX, NID, L32, L64, LP
- type: integer
- - name: previous_name # TALINK
- type: keyword
- - name: priority # SRV, URI
- type: integer
- - name: protocol # KEY, CDNSKEY, DNSKEY, RKEY
- type: integer
- - name: public_key # KEY, CDNSKEY, DNSKEY, RKEY, HIP, OPENPGPKEY
- type: keyword
- - name: public_key_algorithm # HIP
- type: keyword
- - name: public_key_length # HIP
- type: integer
- - name: refresh # SOA
- type: integer
- - name: regexp # NAPTR
- type: keyword
- - name: replacement # NAPTR
- type: keyword
- - name: retry # SOA
- type: integer
- - name: rmail # MINFO
- type: keyword
- - name: salt # NSEC3, NSEC3PARAM
- type: keyword
- - name: salt_length # NSEC3, NSEC3PARAM
- type: integer
- - name: selector # TLSA, SMIMEA
- type: integer
- - name: serial # SOA, CSYNC
- type: integer
- - name: service # NAPTR
- type: keyword
- - name: signature # SIG, RRSIG
- type: keyword
- - name: size # LOC
- type: integer
- - name: sld
- type: keyword
- - name: subtype # AFSDB
- type: integer
- - name: tag # CAA
- type: keyword
- - name: tld
- type: keyword
- - name: ttl # SIG, RRSIG, SOA
- type: integer
- - name: txt # RP, TXT, SPF, X25, NINFO, UINFO
- type: keyword
- - name: type # CERT, SSHFP, SIG, RRSIG
- type: keyword
- - name: type_bit_map # NSEC, NSEC3, CSYNC
- type: keyword
- - name: uid # UID
- type: integer
- - name: usage # TLSA, SMIMEA
- type: integer
- - name: value # CAA
- type: keyword
- - name: version # LOC
- type: integer
- - name: vert_pre # LOC
- type: integer
- - name: weight # SRV, URI
- type: integer