elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

[Security Solution] UI breaks when you display the details of an IM alert with a match that happens several times #137412

Closed MadameSheema closed 2 years ago

MadameSheema commented 2 years ago

Describe the bug:

Kibana/Elasticsearch Stack version:

Initial setup:

Steps to reproduce:

  1. Navigate to alerts table
  2. Expand the details of the alert
  3. Scroll to the Threat Matched Detected section

Current behavior:

Screenshot 2022-07-28 at 09 11 12

Expected behavior:

Screenshot 2022-07-28 at 08 54 53
elasticmachine commented 2 years ago

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

elasticmachine commented 2 years ago

Pinging @elastic/security-solution (Team: SecuritySolution)

rylnd commented 2 years ago

> This is the same behavior on 8.3.x.

@MadameSheema does this mean that the bug also exists in 8.3.x, or that the behavior is correct in 8.3.x?

Edit: I see the working rule is named "IM 8.3"; I'm assuming that means the latter. Please let me know if that's incorrect.

rylnd commented 2 years ago

@MadameSheema are there any errors to be seen? In the JS console or elsewhere? Can you share the full alert JSON for both working and non-working cases? If they're identical, mappings would also be useful.
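Added example, not Kibana code and not written by anyone in this thread: a small JavaScript normalizer for the `threat.enrichments` entries of an indicator-match alert. It accepts both shapes that appear in the 8.3.3 alert JSON shared in the next comment (`_source`, with nested `matched` objects, and `fields`, with dotted keys and array values), groups the entries by indicator document id, and counts how many rows survive under two candidate display keys. The input is a constructed copy of that alert's 14 matched entries reduced to (field, indicator id, atomic); the helper names (`normalizeEnrichment`, `groupByIndicator`, `distinctUnder`, `summarize`) are assumptions of this example.

```javascript
// Added example (not Kibana's code): normalize threat.enrichments entries of an
// indicator-match alert and make the number of matches a UI has to display explicit.
// Input shapes assumed from the alert JSON in this thread:
//   _source form: { matched: { atomic, field, id, index, type } }
//   fields form:  { "matched.atomic": [..], "matched.field": [..], "matched.id": [..], ... }

// Constructed sample: the 14 matched entries of the 8.3.3 alert in this thread,
// reduced to [field, indicator id, atomic]. Five indicator documents produce 14 matches.
const HOST = "MacBook-Pro-de-Gloria.local";
const SAMPLE_MATCHES = [
  ["host.name", "FFEtSYIBZ61VHL7LvV2j", HOST],
  ["host.hostname", "E1EtSYIBZ61VHL7Ltl3m", HOST],
  ["host.architecture", "E1EtSYIBZ61VHL7Ltl3m", "x86_64"],
  ["host.name", "E1EtSYIBZ61VHL7Ltl3m", HOST],
  ["host.hostname", "CFErSYIBZ61VHL7LIV1N", HOST],
  ["host.name", "omInSYIBTdNg2EzzgtoB", HOST],
  ["host.hostname", "omInSYIBTdNg2EzzgtoB", HOST],
  ["host.architecture", "tWItSYIBTdNg2Ezzs9pE", "x86_64"],
  ["host.name", "tWItSYIBTdNg2Ezzs9pE", HOST],
  ["host.hostname", "tWItSYIBTdNg2Ezzs9pE", HOST],
  ["host.architecture", "FFEtSYIBZ61VHL7LvV2j", "x86_64"],
  ["host.name", "CFErSYIBZ61VHL7LIV1N", HOST],
  ["host.architecture", "CFErSYIBZ61VHL7LIV1N", "x86_64"],
  ["host.hostname", "FFEtSYIBZ61VHL7LvV2j", HOST],
];

// Build both document shapes from the sample so the normalizer can be exercised on each.
function asSourceEnrichments(matches) {
  return matches.map(([field, id, atomic]) => ({
    indicator: {},
    feed: {},
    matched: { atomic, field, id, index: "im", type: "indicator_match_rule" },
  }));
}
function asFieldsEnrichments(matches) {
  return matches.map(([field, id, atomic]) => ({
    "matched.field": [field],
    "matched.index": ["im"],
    "matched.type": ["indicator_match_rule"],
    "matched.id": [id],
    "matched.atomic": [atomic],
  }));
}

// Normalize one enrichment entry to a flat { id, field, atomic } regardless of shape.
// Entries without an indicator id or a matched field cannot be displayed, so they fail loudly.
function normalizeEnrichment(entry) {
  const pick = (key) => {
    const flat = entry[`matched.${key}`];
    if (Array.isArray(flat)) return flat[0];
    return entry.matched ? entry.matched[key] : undefined;
  };
  const norm = { id: pick("id"), field: pick("field"), atomic: pick("atomic") };
  if (norm.id === undefined || norm.field === undefined) {
    throw new Error("enrichment entry lacks matched.id / matched.field");
  }
  return norm;
}

// Group matches by indicator document id: one indicator can match several event fields.
function groupByIndicator(enrichments) {
  const groups = new Map();
  for (const e of enrichments.map(normalizeEnrichment)) {
    if (!groups.has(e.id)) groups.set(e.id, []);
    groups.get(e.id).push({ field: e.field, atomic: e.atomic });
  }
  return groups;
}

// Count how many entries stay distinct under a key function. A display key built from
// matched.id alone collapses matches; the (id, field, atomic) triple keeps every one.
function distinctUnder(enrichments, keyFn) {
  return new Set(enrichments.map(normalizeEnrichment).map(keyFn)).size;
}
const byIdOnly = (e) => e.id;
const byIdFieldAtomic = (e) => `${e.id}|${e.field}|${e.atomic}`;

function summarize(enrichments) {
  const groups = groupByIndicator(enrichments);
  return {
    matches: enrichments.length,
    indicators: groups.size,
    distinctByIdOnly: distinctUnder(enrichments, byIdOnly),
    distinctByComposite: distinctUnder(enrichments, byIdFieldAtomic),
  };
}

// Usage: both document shapes yield the same summary for the sample alert.
console.log(summarize(asSourceEnrichments(SAMPLE_MATCHES)));
console.log(summarize(asFieldsEnrichments(SAMPLE_MATCHES)));
```

For the sample the summary is 14 matches from 5 indicator documents: rows keyed on `matched.id` alone would leave 5, while the composite key keeps all 14, which is the row count the 8.3.3 flyout screenshot shows. The thread does not establish what changed in 8.4.0; the check only makes the expected row count explicit when comparing the working and non-working alerts rylnd asks for.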

MadameSheema commented 2 years ago

@rylnd I meant that the behavior is correct on 8.3.3, since we display all the matches on the alert details flyout, but on 8.4.0 it is not like that.

Right now I'm doing the following: creating an IM alert on 8.3.3 and then upgrading to 8.4.0, so we can have the same alert on both versions.

8.3.3-working scenario:

Screenshot 2022-07-29 at 11 02 51
Full alert JSON ```json { "_index": ".internal.alerts-security.alerts-default-000001", "_id": "2d360f59625bed7f0d3ed078bd760655a1b15123aedf79d346535c11dbd8fb23", "_score": 1, "_source": { "kibana.version": "8.3.3", "kibana.alert.rule.category": "Indicator Match Rule", "kibana.alert.rule.consumer": "siem", "kibana.alert.rule.execution.uuid": "3342e967-1539-4a59-87c5-50fae1aab560", "kibana.alert.rule.name": "test", "kibana.alert.rule.producer": "siem", "kibana.alert.rule.rule_type_id": "siem.indicatorRule", "kibana.alert.rule.uuid": "d59e2c00-0f1b-11ed-afce-3b3631753197", "kibana.space_ids": [ "default" ], "kibana.alert.rule.tags": [], "@timestamp": "2022-07-29T08:59:19.547Z", "ecs": { "version": "8.0.0" }, "host": { "name": "MacBook-Pro-de-Gloria.local", "architecture": "x86_64", "os": { "build": "21F79", "type": "macos", "platform": "darwin", "version": "12.4", "family": "darwin", "name": "macOS", "kernel": "21.5.0" }, "id": "55426D64-79AB-547C-81DA-440AB8F5DDD2", "ip": [ "fe80::aede:48ff:fe00:1122", "fe80::10ff:64f8:b4bc:2329", "192.168.5.172", "fe80::3c76:cff:fe03:1f17", "fe80::3c76:cff:fe03:1f17", "fe80::df83:a87a:a769:c7b1", "fe80::dcc4:e5ef:c40e:47ee", "fe80::ce81:b1c:bd2c:69e", "fe80::a3ad:7f35:30a0:7ae7", "fe80::98d2:a278:a3af:d440", "fe80::1cef:13da:47cb:27db", "fe80::4d47:f87a:ebd6:ff29" ], "mac": [ "3e:76:0c:03:1f:17", "82:70:c6:c2:3c:00", "82:70:c6:c2:3c:01", "82:70:c6:c2:3c:04", "82:70:c6:c2:3c:05", "a4:83:e7:ae:5a:b6", "a6:83:e7:ae:5a:b6", "ac:de:48:00:11:22" ], "hostname": "MacBook-Pro-de-Gloria.local" }, "agent": { "id": "8750629e-a4af-45a9-98fe-ccd5e4a861fa", "name": "MacBook-Pro-de-Gloria.local", "type": "auditbeat", "version": "8.3.2", "ephemeral_id": "dadb8574-0b2d-4904-bfc0-70ada5424469", "hostname": "MacBook-Pro-de-Gloria.local" }, "service": { "type": "system" }, "system": { "audit": { "package": { "installtime": "2021-07-01T08:50:45.051Z", "summary": "Image processing and image analysis library", "url": "http://www.leptonica.org/", 
"entity_id": "D8So5r6nJlRQmEda", "name": "leptonica", "version": "1.81.1" } } }, "package": { "name": "leptonica", "version": "1.81.1", "installed": "2021-07-01T08:50:45.051Z", "description": "Image processing and image analysis library", "reference": "http://www.leptonica.org/", "type": "brew" }, "message": "Package leptonica (1.81.1) is already installed", "threat": { "enrichments": [ { "indicator": {}, "feed": {}, "matched": { "atomic": "MacBook-Pro-de-Gloria.local", "field": "host.name", "id": "FFEtSYIBZ61VHL7LvV2j", "index": "im", "type": "indicator_match_rule" } }, { "indicator": {}, "feed": {}, "matched": { "atomic": "MacBook-Pro-de-Gloria.local", "field": "host.hostname", "id": "E1EtSYIBZ61VHL7Ltl3m", "index": "im", "type": "indicator_match_rule" } }, { "indicator": {}, "feed": {}, "matched": { "atomic": "x86_64", "field": "host.architecture", "id": "E1EtSYIBZ61VHL7Ltl3m", "index": "im", "type": "indicator_match_rule" } }, { "indicator": {}, "feed": {}, "matched": { "atomic": "MacBook-Pro-de-Gloria.local", "field": "host.name", "id": "E1EtSYIBZ61VHL7Ltl3m", "index": "im", "type": "indicator_match_rule" } }, { "indicator": {}, "feed": {}, "matched": { "atomic": "MacBook-Pro-de-Gloria.local", "field": "host.hostname", "id": "CFErSYIBZ61VHL7LIV1N", "index": "im", "type": "indicator_match_rule" } }, { "indicator": {}, "feed": {}, "matched": { "atomic": "MacBook-Pro-de-Gloria.local", "field": "host.name", "id": "omInSYIBTdNg2EzzgtoB", "index": "im", "type": "indicator_match_rule" } }, { "indicator": {}, "feed": {}, "matched": { "atomic": "MacBook-Pro-de-Gloria.local", "field": "host.hostname", "id": "omInSYIBTdNg2EzzgtoB", "index": "im", "type": "indicator_match_rule" } }, { "indicator": {}, "feed": {}, "matched": { "atomic": "x86_64", "field": "host.architecture", "id": "tWItSYIBTdNg2Ezzs9pE", "index": "im", "type": "indicator_match_rule" } }, { "indicator": {}, "feed": {}, "matched": { "atomic": "MacBook-Pro-de-Gloria.local", "field": "host.name", "id": 
"tWItSYIBTdNg2Ezzs9pE", "index": "im", "type": "indicator_match_rule" } }, { "indicator": {}, "feed": {}, "matched": { "atomic": "MacBook-Pro-de-Gloria.local", "field": "host.hostname", "id": "tWItSYIBTdNg2Ezzs9pE", "index": "im", "type": "indicator_match_rule" } }, { "indicator": {}, "feed": {}, "matched": { "atomic": "x86_64", "field": "host.architecture", "id": "FFEtSYIBZ61VHL7LvV2j", "index": "im", "type": "indicator_match_rule" } }, { "indicator": {}, "feed": {}, "matched": { "atomic": "MacBook-Pro-de-Gloria.local", "field": "host.name", "id": "CFErSYIBZ61VHL7LIV1N", "index": "im", "type": "indicator_match_rule" } }, { "indicator": {}, "feed": {}, "matched": { "atomic": "x86_64", "field": "host.architecture", "id": "CFErSYIBZ61VHL7LIV1N", "index": "im", "type": "indicator_match_rule" } }, { "indicator": {}, "feed": {}, "matched": { "atomic": "MacBook-Pro-de-Gloria.local", "field": "host.hostname", "id": "FFEtSYIBZ61VHL7LvV2j", "index": "im", "type": "indicator_match_rule" } } ] }, "event.category": [ "package" ], "event.type": [ "info" ], "event.action": "existing_package", "event.id": "16a69c82-3df1-48c1-b1c0-e47d9bf79b28", "event.module": "system", "event.dataset": "package", "event.kind": "signal", "kibana.alert.original_time": "2022-07-29T08:43:47.832Z", "kibana.alert.ancestors": [ { "id": "WlEgSYIBZ61VHL7LSlxa", "type": "event", "index": ".ds-auditbeat-8.3.2-2022.07.29-000001", "depth": 0 } ], "kibana.alert.status": "active", "kibana.alert.workflow_status": "open", "kibana.alert.depth": 1, "kibana.alert.reason": "package event on MacBook-Pro-de-Gloria.local created low alert test.", "kibana.alert.severity": "low", "kibana.alert.risk_score": 21, "kibana.alert.rule.parameters": { "description": "descr", "risk_score": 21, "severity": "low", "license": "", "meta": { "from": "48h", "kibana_siem_app_url": "https://im.kb.europe-west1.gcp.cloud.es.io:9243/app/security" }, "author": [], "false_positives": [], "from": "now-176400s", "rule_id": 
"79aa78b0-efaa-41b4-9142-d5def5f961f8", "max_signals": 100, "risk_score_mapping": [], "severity_mapping": [], "threat": [], "to": "now", "references": [], "version": 4, "exceptions_list": [], "immutable": false, "related_integrations": [], "required_fields": [], "setup": "", "type": "threat_match", "language": "kuery", "index": [ "apm-*-transaction*", "auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "traces-apm*", "winlogbeat-*", "-*elastic-cloud-logs-*" ], "query": "*:*", "filters": [], "threat_filters": [], "threat_query": "@timestamp >= \"now-30d/d\"", "threat_mapping": [ { "entries": [ { "field": "host.name", "type": "mapping", "value": "indicator1" }, { "field": "host.architecture", "type": "mapping", "value": "indicator2" }, { "field": "host.hostname", "type": "mapping", "value": "indicator3" } ] } ], "threat_language": "kuery", "threat_index": [ "im" ], "threat_indicator_path": "threat.indicator" }, "kibana.alert.rule.actions": [], "kibana.alert.rule.author": [], "kibana.alert.rule.created_at": "2022-07-29T08:52:55.050Z", "kibana.alert.rule.created_by": "2448431502", "kibana.alert.rule.description": "descr", "kibana.alert.rule.enabled": true, "kibana.alert.rule.exceptions_list": [], "kibana.alert.rule.false_positives": [], "kibana.alert.rule.from": "now-176400s", "kibana.alert.rule.immutable": false, "kibana.alert.rule.interval": "1h", "kibana.alert.rule.license": "", "kibana.alert.rule.max_signals": 100, "kibana.alert.rule.references": [], "kibana.alert.rule.risk_score_mapping": [], "kibana.alert.rule.rule_id": "79aa78b0-efaa-41b4-9142-d5def5f961f8", "kibana.alert.rule.severity_mapping": [], "kibana.alert.rule.threat": [], "kibana.alert.rule.to": "now", "kibana.alert.rule.type": "threat_match", "kibana.alert.rule.updated_at": "2022-07-29T08:59:13.930Z", "kibana.alert.rule.updated_by": "2448431502", "kibana.alert.rule.version": 4, "kibana.alert.rule.meta.from": "48h", "kibana.alert.rule.meta.kibana_siem_app_url": 
"https://im.kb.europe-west1.gcp.cloud.es.io:9243/app/security", "kibana.alert.rule.risk_score": 21, "kibana.alert.rule.severity": "low", "kibana.alert.original_event.category": [ "package" ], "kibana.alert.original_event.type": [ "info" ], "kibana.alert.original_event.action": "existing_package", "kibana.alert.original_event.id": "16a69c82-3df1-48c1-b1c0-e47d9bf79b28", "kibana.alert.original_event.module": "system", "kibana.alert.original_event.dataset": "package", "kibana.alert.original_event.kind": "state", "kibana.alert.uuid": "2d360f59625bed7f0d3ed078bd760655a1b15123aedf79d346535c11dbd8fb23" }, "fields": { "kibana.alert.severity": [ "low" ], "system.audit.package.name": [ "leptonica" ], "kibana.alert.rule.updated_by": [ "2448431502" ], "signal.ancestors.depth": [ 0 ], "event.category": [ "package" ], "host.hostname": [ "MacBook-Pro-de-Gloria.local" ], "system.audit.package.url": [ "http://www.leptonica.org/" ], "host.mac": [ "3e:76:0c:03:1f:17", "82:70:c6:c2:3c:00", "82:70:c6:c2:3c:01", "82:70:c6:c2:3c:04", "82:70:c6:c2:3c:05", "a4:83:e7:ae:5a:b6", "a6:83:e7:ae:5a:b6", "ac:de:48:00:11:22" ], "service.type": [ "system" ], "system.audit.package.version": [ "1.81.1" ], "kibana.alert.ancestors.depth": [ 0 ], "signal.rule.enabled": [ "true" ], "signal.rule.max_signals": [ 100 ], "host.os.version": [ "12.4" ], "signal.rule.updated_at": [ "2022-07-29T08:59:13.930Z" ], "kibana.alert.risk_score": [ 21 ], "agent.name": [ "MacBook-Pro-de-Gloria.local" ], "kibana.alert.original_event.id": [ "16a69c82-3df1-48c1-b1c0-e47d9bf79b28" ], "host.os.type": [ "macos" ], "kibana.alert.original_event.module": [ "system" ], "package.reference": [ "http://www.leptonica.org/" ], "kibana.alert.rule.interval": [ "1h" ], "kibana.alert.rule.type": [ "threat_match" ], "agent.hostname": [ "MacBook-Pro-de-Gloria.local" ], "host.architecture": [ "x86_64" ], "kibana.alert.rule.immutable": [ "false" ], "kibana.alert.original_event.type": [ "info" ], "agent.id": [ 
"8750629e-a4af-45a9-98fe-ccd5e4a861fa" ], "signal.original_event.module": [ "system" ], "signal.rule.from": [ "now-176400s" ], "kibana.alert.rule.enabled": [ "true" ], "kibana.alert.rule.version": [ "4" ], "kibana.alert.ancestors.type": [ "event" ], "signal.ancestors.index": [ ".ds-auditbeat-8.3.2-2022.07.29-000001" ], "host.ip": [ "fe80::aede:48ff:fe00:1122", "fe80::10ff:64f8:b4bc:2329", "192.168.5.172", "fe80::3c76:cff:fe03:1f17", "fe80::3c76:cff:fe03:1f17", "fe80::df83:a87a:a769:c7b1", "fe80::dcc4:e5ef:c40e:47ee", "fe80::ce81:b1c:bd2c:69e", "fe80::a3ad:7f35:30a0:7ae7", "fe80::98d2:a278:a3af:d440", "fe80::1cef:13da:47cb:27db", "fe80::4d47:f87a:ebd6:ff29" ], "agent.type": [ "auditbeat" ], "signal.original_event.category": [ "package" ], "signal.original_event.id": [ "16a69c82-3df1-48c1-b1c0-e47d9bf79b28" ], "threat.enrichments": [ { "matched.field": [ "host.name" ], "matched.index": [ "im" ], "matched.type": [ "indicator_match_rule" ], "matched.id": [ "FFEtSYIBZ61VHL7LvV2j" ], "matched.atomic": [ "MacBook-Pro-de-Gloria.local" ] }, { "matched.field": [ "host.hostname" ], "matched.index": [ "im" ], "matched.type": [ "indicator_match_rule" ], "matched.id": [ "E1EtSYIBZ61VHL7Ltl3m" ], "matched.atomic": [ "MacBook-Pro-de-Gloria.local" ] }, { "matched.field": [ "host.architecture" ], "matched.index": [ "im" ], "matched.type": [ "indicator_match_rule" ], "matched.id": [ "E1EtSYIBZ61VHL7Ltl3m" ], "matched.atomic": [ "x86_64" ] }, { "matched.field": [ "host.name" ], "matched.index": [ "im" ], "matched.type": [ "indicator_match_rule" ], "matched.id": [ "E1EtSYIBZ61VHL7Ltl3m" ], "matched.atomic": [ "MacBook-Pro-de-Gloria.local" ] }, { "matched.field": [ "host.hostname" ], "matched.index": [ "im" ], "matched.type": [ "indicator_match_rule" ], "matched.id": [ "CFErSYIBZ61VHL7LIV1N" ], "matched.atomic": [ "MacBook-Pro-de-Gloria.local" ] }, { "matched.field": [ "host.name" ], "matched.index": [ "im" ], "matched.type": [ "indicator_match_rule" ], "matched.id": [ 
"omInSYIBTdNg2EzzgtoB" ], "matched.atomic": [ "MacBook-Pro-de-Gloria.local" ] }, { "matched.field": [ "host.hostname" ], "matched.index": [ "im" ], "matched.type": [ "indicator_match_rule" ], "matched.id": [ "omInSYIBTdNg2EzzgtoB" ], "matched.atomic": [ "MacBook-Pro-de-Gloria.local" ] }, { "matched.field": [ "host.architecture" ], "matched.index": [ "im" ], "matched.type": [ "indicator_match_rule" ], "matched.id": [ "tWItSYIBTdNg2Ezzs9pE" ], "matched.atomic": [ "x86_64" ] }, { "matched.field": [ "host.name" ], "matched.index": [ "im" ], "matched.type": [ "indicator_match_rule" ], "matched.id": [ "tWItSYIBTdNg2Ezzs9pE" ], "matched.atomic": [ "MacBook-Pro-de-Gloria.local" ] }, { "matched.field": [ "host.hostname" ], "matched.index": [ "im" ], "matched.type": [ "indicator_match_rule" ], "matched.id": [ "tWItSYIBTdNg2Ezzs9pE" ], "matched.atomic": [ "MacBook-Pro-de-Gloria.local" ] }, { "matched.field": [ "host.architecture" ], "matched.index": [ "im" ], "matched.type": [ "indicator_match_rule" ], "matched.id": [ "FFEtSYIBZ61VHL7LvV2j" ], "matched.atomic": [ "x86_64" ] }, { "matched.field": [ "host.name" ], "matched.index": [ "im" ], "matched.type": [ "indicator_match_rule" ], "matched.id": [ "CFErSYIBZ61VHL7LIV1N" ], "matched.atomic": [ "MacBook-Pro-de-Gloria.local" ] }, { "matched.field": [ "host.architecture" ], "matched.index": [ "im" ], "matched.type": [ "indicator_match_rule" ], "matched.id": [ "CFErSYIBZ61VHL7LIV1N" ], "matched.atomic": [ "x86_64" ] }, { "matched.field": [ "host.hostname" ], "matched.index": [ "im" ], "matched.type": [ "indicator_match_rule" ], "matched.id": [ "FFEtSYIBZ61VHL7LvV2j" ], "matched.atomic": [ "MacBook-Pro-de-Gloria.local" ] } ], "package.name": [ "leptonica" ], "host.id": [ "55426D64-79AB-547C-81DA-440AB8F5DDD2" ], "signal.original_event.type": [ "info" ], "kibana.alert.rule.max_signals": [ 100 ], "kibana.alert.rule.risk_score": [ 21 ], "signal.original_event.dataset": [ "package" ], "kibana.alert.rule.consumer": [ "siem" ], 
"kibana.alert.rule.category": [ "Indicator Match Rule" ], "event.action": [ "existing_package" ], "@timestamp": [ "2022-07-29T08:59:19.547Z" ], "signal.rule.updated_by": [ "2448431502" ], "kibana.alert.original_event.action": [ "existing_package" ], "host.os.platform": [ "darwin" ], "kibana.alert.rule.severity": [ "low" ], "agent.ephemeral_id": [ "dadb8574-0b2d-4904-bfc0-70ada5424469" ], "kibana.alert.rule.execution.uuid": [ "3342e967-1539-4a59-87c5-50fae1aab560" ], "kibana.alert.uuid": [ "2d360f59625bed7f0d3ed078bd760655a1b15123aedf79d346535c11dbd8fb23" ], "kibana.alert.rule.meta.kibana_siem_app_url": [ "https://im.kb.europe-west1.gcp.cloud.es.io:9243/app/security" ], "kibana.version": [ "8.3.3" ], "event.id": [ "16a69c82-3df1-48c1-b1c0-e47d9bf79b28" ], "signal.rule.license": [ "" ], "signal.ancestors.type": [ "event" ], "kibana.alert.rule.rule_id": [ "79aa78b0-efaa-41b4-9142-d5def5f961f8" ], "signal.rule.type": [ "threat_match" ], "kibana.alert.ancestors.id": [ "WlEgSYIBZ61VHL7LSlxa" ], "kibana.alert.rule.description": [ "descr" ], "system.audit.package.summary": [ "Image processing and image analysis library" ], "kibana.alert.rule.producer": [ "siem" ], "signal.rule.created_by": [ "2448431502" ], "kibana.alert.rule.to": [ "now" ], "signal.rule.interval": [ "1h" ], "package.type": [ "brew" ], "kibana.alert.rule.created_by": [ "2448431502" ], "signal.rule.id": [ "d59e2c00-0f1b-11ed-afce-3b3631753197" ], "signal.rule.risk_score": [ 21 ], "signal.reason": [ "package event on MacBook-Pro-de-Gloria.local created low alert test." 
], "host.os.name": [ "macOS" ], "kibana.alert.rule.name": [ "test" ], "host.name": [ "MacBook-Pro-de-Gloria.local" ], "signal.status": [ "open" ], "event.kind": [ "signal" ], "signal.rule.created_at": [ "2022-07-29T08:52:55.050Z" ], "package.version": [ "1.81.1" ], "kibana.alert.workflow_status": [ "open" ], "kibana.alert.rule.uuid": [ "d59e2c00-0f1b-11ed-afce-3b3631753197" ], "kibana.alert.original_event.category": [ "package" ], "kibana.alert.reason": [ "package event on MacBook-Pro-de-Gloria.local created low alert test." ], "signal.original_time": [ "2022-07-29T08:43:47.832Z" ], "signal.ancestors.id": [ "WlEgSYIBZ61VHL7LSlxa" ], "system.audit.package.entity_id": [ "D8So5r6nJlRQmEda" ], "ecs.version": [ "8.0.0" ], "signal.rule.severity": [ "low" ], "kibana.alert.ancestors.index": [ ".ds-auditbeat-8.3.2-2022.07.29-000001" ], "package.installed": [ "2021-07-01T08:50:45.051Z" ], "agent.version": [ "8.3.2" ], "kibana.alert.depth": [ 1 ], "host.os.family": [ "darwin" ], "kibana.alert.rule.from": [ "now-176400s" ], "kibana.alert.rule.parameters": [ { "severity_mapping": [], "references": [], "threat_language": "kuery", "description": "descr", "language": "kuery", "threat_mapping": [ { "entries": [ { "field": "host.name", "type": "mapping", "value": "indicator1" }, { "field": "host.architecture", "type": "mapping", "value": "indicator2" }, { "field": "host.hostname", "type": "mapping", "value": "indicator3" } ] } ], "type": "threat_match", "threat_filters": [], "exceptions_list": [], "from": "now-176400s", "severity": "low", "max_signals": 100, "risk_score": 21, "risk_score_mapping": [], "author": [], "threat_indicator_path": "threat.indicator", "query": "*:*", "index": [ "apm-*-transaction*", "auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "traces-apm*", "winlogbeat-*", "-*elastic-cloud-logs-*" ], "filters": [], "version": 4, "threat_query": "@timestamp >= \"now-30d/d\"", "rule_id": "79aa78b0-efaa-41b4-9142-d5def5f961f8", "license": "", 
"required_fields": [], "immutable": false, "related_integrations": [], "threat_index": [ "im" ], "meta": { "from": "48h", "kibana_siem_app_url": "https://im.kb.europe-west1.gcp.cloud.es.io:9243/app/security" }, "setup": "", "false_positives": [], "threat": [], "to": "now" } ], "signal.rule.version": [ "4" ], "signal.original_event.kind": [ "state" ], "system.audit.package.installtime": [ "2021-07-01T08:50:45.051Z" ], "kibana.alert.status": [ "active" ], "kibana.alert.original_event.dataset": [ "package" ], "signal.depth": [ 1 ], "signal.rule.immutable": [ "false" ], "host.os.build": [ "21F79" ], "kibana.alert.rule.rule_type_id": [ "siem.indicatorRule" ], "signal.rule.name": [ "test" ], "event.module": [ "system" ], "signal.rule.rule_id": [ "79aa78b0-efaa-41b4-9142-d5def5f961f8" ], "host.os.kernel": [ "21.5.0" ], "kibana.alert.rule.license": [ "" ], "kibana.alert.original_event.kind": [ "state" ], "signal.rule.description": [ "descr" ], "kibana.alert.rule.updated_at": [ "2022-07-29T08:59:13.930Z" ], "message": [ "Package leptonica (1.81.1) is already installed" ], "signal.original_event.action": [ "existing_package" ], "signal.rule.to": [ "now" ], "kibana.alert.rule.created_at": [ "2022-07-29T08:52:55.050Z" ], "event.type": [ "info" ], "package.description": [ "Image processing and image analysis library" ], "kibana.space_ids": [ "default" ], "kibana.alert.rule.meta.from": [ "48h" ], "event.dataset": [ "package" ], "kibana.alert.original_time": [ "2022-07-29T08:43:47.832Z" ] } } ```
Alert mapping ```json { ".internal.alerts-security.alerts-default-000001": { "mappings": { "dynamic": "false", "_meta": { "namespace": "default", "kibana": { "version": "8.3.3" } }, "properties": { "@timestamp": { "type": "date" }, "agent": { "properties": { "build": { "properties": { "original": { "type": "keyword" } } }, "ephemeral_id": { "type": "keyword" }, "id": { "type": "keyword" }, "name": { "type": "keyword" }, "type": { "type": "keyword" }, "version": { "type": "keyword" } } }, "client": { "properties": { "address": { "type": "keyword" }, "as": { "properties": { "number": { "type": "long" }, "organization": { "properties": { "name": { "type": "keyword" } } } } }, "bytes": { "type": "long" }, "domain": { "type": "keyword" }, "geo": { "properties": { "city_name": { "type": "keyword" }, "continent_code": { "type": "keyword" }, "continent_name": { "type": "keyword" }, "country_iso_code": { "type": "keyword" }, "country_name": { "type": "keyword" }, "location": { "type": "geo_point" }, "name": { "type": "keyword" }, "postal_code": { "type": "keyword" }, "region_iso_code": { "type": "keyword" }, "region_name": { "type": "keyword" }, "timezone": { "type": "keyword" } } }, "ip": { "type": "ip" }, "mac": { "type": "keyword" }, "nat": { "properties": { "ip": { "type": "ip" }, "port": { "type": "long" } } }, "packets": { "type": "long" }, "port": { "type": "long" }, "registered_domain": { "type": "keyword" }, "subdomain": { "type": "keyword" }, "top_level_domain": { "type": "keyword" }, "user": { "properties": { "domain": { "type": "keyword" }, "email": { "type": "keyword" }, "full_name": { "type": "keyword" }, "group": { "properties": { "domain": { "type": "keyword" }, "id": { "type": "keyword" }, "name": { "type": "keyword" } } }, "hash": { "type": "keyword" }, "id": { "type": "keyword" }, "name": { "type": "keyword" }, "roles": { "type": "keyword" } } } } }, "cloud": { "properties": { "account": { "properties": { "id": { "type": "keyword" }, "name": { "type": 
"keyword" } } }, "availability_zone": { "type": "keyword" }, "instance": { "properties": { "id": { "type": "keyword" }, "name": { "type": "keyword" } } }, "machine": { "properties": { "type": { "type": "keyword" } } }, "origin": { "properties": { "account": { "properties": { "id": { "type": "keyword" }, "name": { "type": "keyword" } } }, "availability_zone": { "type": "keyword" }, "instance": { "properties": { "id": { "type": "keyword" }, "name": { "type": "keyword" } } }, "machine": { "properties": { "type": { "type": "keyword" } } }, "project": { "properties": { "id": { "type": "keyword" }, "name": { "type": "keyword" } } }, "provider": { "type": "keyword" }, "region": { "type": "keyword" }, "service": { "properties": { "name": { "type": "keyword" } } } } }, "project": { "properties": { "id": { "type": "keyword" }, "name": { "type": "keyword" } } }, "provider": { "type": "keyword" }, "region": { "type": "keyword" }, "service": { "properties": { "name": { "type": "keyword" } } }, "target": { "properties": { "account": { "properties": { "id": { "type": "keyword" }, "name": { "type": "keyword" } } }, "availability_zone": { "type": "keyword" }, "instance": { "properties": { "id": { "type": "keyword" }, "name": { "type": "keyword" } } }, "machine": { "properties": { "type": { "type": "keyword" } } }, "project": { "properties": { "id": { "type": "keyword" }, "name": { "type": "keyword" } } }, "provider": { "type": "keyword" }, "region": { "type": "keyword" }, "service": { "properties": { "name": { "type": "keyword" } } } } } } }, "container": { "properties": { "id": { "type": "keyword" }, "image": { "properties": { "name": { "type": "keyword" }, "tag": { "type": "keyword" } } }, "labels": { "type": "object" }, "name": { "type": "keyword" }, "runtime": { "type": "keyword" } } }, "destination": { "properties": { "address": { "type": "keyword" }, "as": { "properties": { "number": { "type": "long" }, "organization": { "properties": { "name": { "type": "keyword" } } } } }, 
"bytes": { "type": "long" }, "domain": { "type": "keyword" }, "geo": { "properties": { "city_name": { "type": "keyword" }, "continent_code": { "type": "keyword" }, "continent_name": { "type": "keyword" }, "country_iso_code": { "type": "keyword" }, "country_name": { "type": "keyword" }, "location": { "type": "geo_point" }, "name": { "type": "keyword" }, "postal_code": { "type": "keyword" }, "region_iso_code": { "type": "keyword" }, "region_name": { "type": "keyword" }, "timezone": { "type": "keyword" } } }, "ip": { "type": "ip" }, "mac": { "type": "keyword" }, "nat": { "properties": { "ip": { "type": "ip" }, "port": { "type": "long" } } }, "packets": { "type": "long" }, "port": { "type": "long" }, "registered_domain": { "type": "keyword" }, "subdomain": { "type": "keyword" }, "top_level_domain": { "type": "keyword" }, "user": { "properties": { "domain": { "type": "keyword" }, "email": { "type": "keyword" }, "full_name": { "type": "keyword" }, "group": { "properties": { "domain": { "type": "keyword" }, "id": { "type": "keyword" }, "name": { "type": "keyword" } } }, "hash": { "type": "keyword" }, "id": { "type": "keyword" }, "name": { "type": "keyword" }, "roles": { "type": "keyword" } } } } }, "dll": { "properties": { "code_signature": { "properties": { "digest_algorithm": { "type": "keyword" }, "exists": { "type": "boolean" }, "signing_id": { "type": "keyword" }, "status": { "type": "keyword" }, "subject_name": { "type": "keyword" }, "team_id": { "type": "keyword" }, "timestamp": { "type": "date" }, "trusted": { "type": "boolean" }, "valid": { "type": "boolean" } } }, "hash": { "properties": { "md5": { "type": "keyword" }, "sha1": { "type": "keyword" }, "sha256": { "type": "keyword" }, "sha512": { "type": "keyword" }, "ssdeep": { "type": "keyword" } } }, "name": { "type": "keyword" }, "path": { "type": "keyword" }, "pe": { "properties": { "architecture": { "type": "keyword" }, "company": { "type": "keyword" }, "description": { "type": "keyword" }, "file_version": { 
"type": "keyword" }, "imphash": { "type": "keyword" }, "original_file_name": { "type": "keyword" }, "product": { "type": "keyword" } } } } }, "dns": { "properties": { "answers": { "properties": { "class": { "type": "keyword" }, "data": { "type": "keyword" }, "name": { "type": "keyword" }, "ttl": { "type": "long" }, "type": { "type": "keyword" } } }, "header_flags": { "type": "keyword" }, "id": { "type": "keyword" }, "op_code": { "type": "keyword" }, "question": { "properties": { "class": { "type": "keyword" }, "name": { "type": "keyword" }, "registered_domain": { "type": "keyword" }, "subdomain": { "type": "keyword" }, "top_level_domain": { "type": "keyword" }, "type": { "type": "keyword" } } }, "resolved_ip": { "type": "ip" }, "response_code": { "type": "keyword" }, "type": { "type": "keyword" } } }, "ecs": { "properties": { "version": { "type": "keyword" } } }, "error": { "properties": { "code": { "type": "keyword" }, "id": { "type": "keyword" }, "message": { "type": "match_only_text" }, "stack_trace": { "type": "wildcard" }, "type": { "type": "keyword" } } }, "event": { "properties": { "action": { "type": "keyword" }, "agent_id_status": { "type": "keyword" }, "category": { "type": "keyword" }, "code": { "type": "keyword" }, "created": { "type": "date" }, "dataset": { "type": "keyword" }, "duration": { "type": "long" }, "end": { "type": "date" }, "hash": { "type": "keyword" }, "id": { "type": "keyword" }, "ingested": { "type": "date" }, "kind": { "type": "keyword" }, "module": { "type": "keyword" }, "original": { "type": "keyword" }, "outcome": { "type": "keyword" }, "provider": { "type": "keyword" }, "reason": { "type": "keyword" }, "reference": { "type": "keyword" }, "risk_score": { "type": "float" }, "risk_score_norm": { "type": "float" }, "sequence": { "type": "long" }, "severity": { "type": "long" }, "start": { "type": "date" }, "timezone": { "type": "keyword" }, "type": { "type": "keyword" }, "url": { "type": "keyword" } } }, "faas": { "properties": { 
"coldstart": { "type": "boolean" }, "execution": { "type": "keyword" }, "trigger": { "type": "nested", "properties": { "request_id": { "type": "keyword" }, "type": { "type": "keyword" } } } } }, "file": { "properties": { "accessed": { "type": "date" }, "attributes": { "type": "keyword" }, "code_signature": { "properties": { "digest_algorithm": { "type": "keyword" }, "exists": { "type": "boolean" }, "signing_id": { "type": "keyword" }, "status": { "type": "keyword" }, "subject_name": { "type": "keyword" }, "team_id": { "type": "keyword" }, "timestamp": { "type": "date" }, "trusted": { "type": "boolean" }, "valid": { "type": "boolean" } } }, "created": { "type": "date" }, "ctime": { "type": "date" }, "device": { "type": "keyword" }, "directory": { "type": "keyword" }, "drive_letter": { "type": "keyword" }, "elf": { "properties": { "architecture": { "type": "keyword" }, "byte_order": { "type": "keyword" }, "cpu_type": { "type": "keyword" }, "creation_date": { "type": "date" }, "exports": { "type": "flattened" }, "header": { "properties": { "abi_version": { "type": "keyword" }, "class": { "type": "keyword" }, "data": { "type": "keyword" }, "entrypoint": { "type": "long" }, "object_version": { "type": "keyword" }, "os_abi": { "type": "keyword" }, "type": { "type": "keyword" }, "version": { "type": "keyword" } } }, "imports": { "type": "flattened" }, "sections": { "type": "nested", "properties": { "chi2": { "type": "long" }, "entropy": { "type": "long" }, "flags": { "type": "keyword" }, "name": { "type": "keyword" }, "physical_offset": { "type": "keyword" }, "physical_size": { "type": "long" }, "type": { "type": "keyword" }, "virtual_address": { "type": "long" }, "virtual_size": { "type": "long" } } }, "segments": { "type": "nested", "properties": { "sections": { "type": "keyword" }, "type": { "type": "keyword" } } }, "shared_libraries": { "type": "keyword" }, "telfhash": { "type": "keyword" } } }, "extension": { "type": "keyword" }, "fork_name": { "type": "keyword" }, 
"gid": { "type": "keyword" }, "group": { "type": "keyword" }, "hash": { "properties": { "md5": { "type": "keyword" }, "sha1": { "type": "keyword" }, "sha256": { "type": "keyword" }, "sha512": { "type": "keyword" }, "ssdeep": { "type": "keyword" } } }, "inode": { "type": "keyword" }, "mime_type": { "type": "keyword" }, "mode": { "type": "keyword" }, "mtime": { "type": "date" }, "name": { "type": "keyword" }, "owner": { "type": "keyword" }, "path": { "type": "keyword" }, "pe": { "properties": { "architecture": { "type": "keyword" }, "company": { "type": "keyword" }, "description": { "type": "keyword" }, "file_version": { "type": "keyword" }, "imphash": { "type": "keyword" }, "original_file_name": { "type": "keyword" }, "product": { "type": "keyword" } } }, "size": { "type": "long" }, "target_path": { "type": "keyword" }, "type": { "type": "keyword" }, "uid": { "type": "keyword" }, "x509": { "properties": { "alternative_names": { "type": "keyword" }, "issuer": { "properties": { "common_name": { "type": "keyword" }, "country": { "type": "keyword" }, "distinguished_name": { "type": "keyword" }, "locality": { "type": "keyword" }, "organization": { "type": "keyword" }, "organizational_unit": { "type": "keyword" }, "state_or_province": { "type": "keyword" } } }, "not_after": { "type": "date" }, "not_before": { "type": "date" }, "public_key_algorithm": { "type": "keyword" }, "public_key_curve": { "type": "keyword" }, "public_key_exponent": { "type": "long" }, "public_key_size": { "type": "long" }, "serial_number": { "type": "keyword" }, "signature_algorithm": { "type": "keyword" }, "subject": { "properties": { "common_name": { "type": "keyword" }, "country": { "type": "keyword" }, "distinguished_name": { "type": "keyword" }, "locality": { "type": "keyword" }, "organization": { "type": "keyword" }, "organizational_unit": { "type": "keyword" }, "state_or_province": { "type": "keyword" } } }, "version_number": { "type": "keyword" } } } } }, "group": { "properties": { "domain": 
{ "type": "keyword" }, "id": { "type": "keyword" }, "name": { "type": "keyword" } } }, "host": { "properties": { "architecture": { "type": "keyword" }, "cpu": { "properties": { "usage": { "type": "scaled_float", "scaling_factor": 1000 } } }, "disk": { "properties": { "read": { "properties": { "bytes": { "type": "long" } } }, "write": { "properties": { "bytes": { "type": "long" } } } } }, "domain": { "type": "keyword" }, "geo": { "properties": { "city_name": { "type": "keyword" }, "continent_code": { "type": "keyword" }, "continent_name": { "type": "keyword" }, "country_iso_code": { "type": "keyword" }, "country_name": { "type": "keyword" }, "location": { "type": "geo_point" }, "name": { "type": "keyword" }, "postal_code": { "type": "keyword" }, "region_iso_code": { "type": "keyword" }, "region_name": { "type": "keyword" }, "timezone": { "type": "keyword" } } }, "hostname": { "type": "keyword" }, "id": { "type": "keyword" }, "ip": { "type": "ip" }, "mac": { "type": "keyword" }, "name": { "type": "keyword" }, "network": { "properties": { "egress": { "properties": { "bytes": { "type": "long" }, "packets": { "type": "long" } } }, "ingress": { "properties": { "bytes": { "type": "long" }, "packets": { "type": "long" } } } } }, "os": { "properties": { "family": { "type": "keyword" }, "full": { "type": "keyword" }, "kernel": { "type": "keyword" }, "name": { "type": "keyword" }, "platform": { "type": "keyword" }, "type": { "type": "keyword" }, "version": { "type": "keyword" } } }, "type": { "type": "keyword" }, "uptime": { "type": "long" } } }, "http": { "properties": { "request": { "properties": { "body": { "properties": { "bytes": { "type": "long" }, "content": { "type": "wildcard" } } }, "bytes": { "type": "long" }, "id": { "type": "keyword" }, "method": { "type": "keyword" }, "mime_type": { "type": "keyword" }, "referrer": { "type": "keyword" } } }, "response": { "properties": { "body": { "properties": { "bytes": { "type": "long" }, "content": { "type": "wildcard" } } 
}, "bytes": { "type": "long" }, "mime_type": { "type": "keyword" }, "status_code": { "type": "long" } } }, "version": { "type": "keyword" } } }, "kibana": { "properties": { "alert": { "properties": { "action_group": { "type": "keyword" }, "ancestors": { "properties": { "depth": { "type": "long" }, "id": { "type": "keyword" }, "index": { "type": "keyword" }, "rule": { "type": "keyword" }, "type": { "type": "keyword" } } }, "building_block_type": { "type": "keyword" }, "depth": { "type": "long" }, "duration": { "properties": { "us": { "type": "long" } } }, "end": { "type": "date" }, "group": { "properties": { "id": { "type": "keyword" }, "index": { "type": "integer" } } }, "original_event": { "properties": { "action": { "type": "keyword" }, "agent_id_status": { "type": "keyword" }, "category": { "type": "keyword" }, "code": { "type": "keyword" }, "created": { "type": "date" }, "dataset": { "type": "keyword" }, "duration": { "type": "keyword" }, "end": { "type": "date" }, "hash": { "type": "keyword" }, "id": { "type": "keyword" }, "ingested": { "type": "date" }, "kind": { "type": "keyword" }, "module": { "type": "keyword" }, "original": { "type": "keyword" }, "outcome": { "type": "keyword" }, "provider": { "type": "keyword" }, "reason": { "type": "keyword" }, "reference": { "type": "keyword" }, "risk_score": { "type": "float" }, "risk_score_norm": { "type": "float" }, "sequence": { "type": "long" }, "severity": { "type": "long" }, "start": { "type": "date" }, "timezone": { "type": "keyword" }, "type": { "type": "keyword" }, "url": { "type": "keyword" } } }, "original_time": { "type": "date" }, "reason": { "type": "keyword" }, "risk_score": { "type": "float" }, "rule": { "properties": { "author": { "type": "keyword" }, "building_block_type": { "type": "keyword" }, "category": { "type": "keyword" }, "consumer": { "type": "keyword" }, "created_at": { "type": "date" }, "created_by": { "type": "keyword" }, "description": { "type": "keyword" }, "enabled": { "type": 
"keyword" }, "exceptions_list": { "type": "object" }, "execution": { "properties": { "uuid": { "type": "keyword" } } }, "false_positives": { "type": "keyword" }, "from": { "type": "keyword" }, "immutable": { "type": "keyword" }, "interval": { "type": "keyword" }, "license": { "type": "keyword" }, "max_signals": { "type": "long" }, "name": { "type": "keyword" }, "note": { "type": "keyword" }, "parameters": { "type": "flattened", "ignore_above": 4096 }, "producer": { "type": "keyword" }, "references": { "type": "keyword" }, "rule_id": { "type": "keyword" }, "rule_name_override": { "type": "keyword" }, "rule_type_id": { "type": "keyword" }, "tags": { "type": "keyword" }, "threat": { "properties": { "framework": { "type": "keyword" }, "tactic": { "properties": { "id": { "type": "keyword" }, "name": { "type": "keyword" }, "reference": { "type": "keyword" } } }, "technique": { "properties": { "id": { "type": "keyword" }, "name": { "type": "keyword" }, "reference": { "type": "keyword" }, "subtechnique": { "properties": { "id": { "type": "keyword" }, "name": { "type": "keyword" }, "reference": { "type": "keyword" } } } } } } }, "timeline_id": { "type": "keyword" }, "timeline_title": { "type": "keyword" }, "timestamp_override": { "type": "keyword" }, "to": { "type": "keyword" }, "type": { "type": "keyword" }, "updated_at": { "type": "date" }, "updated_by": { "type": "keyword" }, "uuid": { "type": "keyword" }, "version": { "type": "keyword" } } }, "severity": { "type": "keyword" }, "start": { "type": "date" }, "status": { "type": "keyword" }, "system_status": { "type": "keyword" }, "threshold_result": { "properties": { "cardinality": { "properties": { "field": { "type": "keyword" }, "value": { "type": "long" } } }, "count": { "type": "long" }, "from": { "type": "date" }, "terms": { "properties": { "field": { "type": "keyword" }, "value": { "type": "keyword" } } } } }, "uuid": { "type": "keyword" }, "workflow_reason": { "type": "keyword" }, "workflow_status": { "type": 
"keyword" }, "workflow_user": { "type": "keyword" } } }, "space_ids": { "type": "keyword" }, "version": { "type": "version" } } }, "labels": { "type": "object" }, "log": { "properties": { "file": { "properties": { "path": { "type": "keyword" } } }, "level": { "type": "keyword" }, "logger": { "type": "keyword" }, "origin": { "properties": { "file": { "properties": { "line": { "type": "long" }, "name": { "type": "keyword" } } }, "function": { "type": "keyword" } } }, "syslog": { "properties": { "facility": { "properties": { "code": { "type": "long" }, "name": { "type": "keyword" } } }, "priority": { "type": "long" }, "severity": { "properties": { "code": { "type": "long" }, "name": { "type": "keyword" } } } } } } }, "message": { "type": "match_only_text" }, "network": { "properties": { "application": { "type": "keyword" }, "bytes": { "type": "long" }, "community_id": { "type": "keyword" }, "direction": { "type": "keyword" }, "forwarded_ip": { "type": "ip" }, "iana_number": { "type": "keyword" }, "inner": { "properties": { "vlan": { "properties": { "id": { "type": "keyword" }, "name": { "type": "keyword" } } } } }, "name": { "type": "keyword" }, "packets": { "type": "long" }, "protocol": { "type": "keyword" }, "transport": { "type": "keyword" }, "type": { "type": "keyword" }, "vlan": { "properties": { "id": { "type": "keyword" }, "name": { "type": "keyword" } } } } }, "observer": { "properties": { "egress": { "properties": { "interface": { "properties": { "alias": { "type": "keyword" }, "id": { "type": "keyword" }, "name": { "type": "keyword" } } }, "vlan": { "properties": { "id": { "type": "keyword" }, "name": { "type": "keyword" } } }, "zone": { "type": "keyword" } } }, "geo": { "properties": { "city_name": { "type": "keyword" }, "continent_code": { "type": "keyword" }, "continent_name": { "type": "keyword" }, "country_iso_code": { "type": "keyword" }, "country_name": { "type": "keyword" }, "location": { "type": "geo_point" }, "name": { "type": "keyword" }, 
"postal_code": { "type": "keyword" }, "region_iso_code": { "type": "keyword" }, "region_name": { "type": "keyword" }, "timezone": { "type": "keyword" } } }, "hostname": { "type": "keyword" }, "ingress": { "properties": { "interface": { "properties": { "alias": { "type": "keyword" }, "id": { "type": "keyword" }, "name": { "type": "keyword" } } }, "vlan": { "properties": { "id": { "type": "keyword" }, "name": { "type": "keyword" } } }, "zone": { "type": "keyword" } } }, "ip": { "type": "ip" }, "mac": { "type": "keyword" }, "name": { "type": "keyword" }, "os": { "properties": { "family": { "type": "keyword" }, "full": { "type": "keyword" }, "kernel": { "type": "keyword" }, "name": { "type": "keyword" }, "platform": { "type": "keyword" }, "type": { "type": "keyword" }, "version": { "type": "keyword" } } }, "product": { "type": "keyword" }, "serial_number": { "type": "keyword" }, "type": { "type": "keyword" }, "vendor": { "type": "keyword" }, "version": { "type": "keyword" } } }, "orchestrator": { "properties": { "api_version": { "type": "keyword" }, "cluster": { "properties": { "name": { "type": "keyword" }, "url": { "type": "keyword" }, "version": { "type": "keyword" } } }, "namespace": { "type": "keyword" }, "organization": { "type": "keyword" }, "resource": { "properties": { "name": { "type": "keyword" }, "type": { "type": "keyword" } } }, "type": { "type": "keyword" } } }, "organization": { "properties": { "id": { "type": "keyword" }, "name": { "type": "keyword" } } }, "package": { "properties": { "architecture": { "type": "keyword" }, "build_version": { "type": "keyword" }, "checksum": { "type": "keyword" }, "description": { "type": "keyword" }, "install_scope": { "type": "keyword" }, "installed": { "type": "date" }, "license": { "type": "keyword" }, "name": { "type": "keyword" }, "path": { "type": "keyword" }, "reference": { "type": "keyword" }, "size": { "type": "long" }, "type": { "type": "keyword" }, "version": { "type": "keyword" } } }, "process": { 
"properties": { "args": { "type": "keyword" }, "args_count": { "type": "long" }, "code_signature": { "properties": { "digest_algorithm": { "type": "keyword" }, "exists": { "type": "boolean" }, "signing_id": { "type": "keyword" }, "status": { "type": "keyword" }, "subject_name": { "type": "keyword" }, "team_id": { "type": "keyword" }, "timestamp": { "type": "date" }, "trusted": { "type": "boolean" }, "valid": { "type": "boolean" } } }, "command_line": { "type": "wildcard" }, "elf": { "properties": { "architecture": { "type": "keyword" }, "byte_order": { "type": "keyword" }, "cpu_type": { "type": "keyword" }, "creation_date": { "type": "date" }, "exports": { "type": "flattened" }, "header": { "properties": { "abi_version": { "type": "keyword" }, "class": { "type": "keyword" }, "data": { "type": "keyword" }, "entrypoint": { "type": "long" }, "object_version": { "type": "keyword" }, "os_abi": { "type": "keyword" }, "type": { "type": "keyword" }, "version": { "type": "keyword" } } }, "imports": { "type": "flattened" }, "sections": { "type": "nested", "properties": { "chi2": { "type": "long" }, "entropy": { "type": "long" }, "flags": { "type": "keyword" }, "name": { "type": "keyword" }, "physical_offset": { "type": "keyword" }, "physical_size": { "type": "long" }, "type": { "type": "keyword" }, "virtual_address": { "type": "long" }, "virtual_size": { "type": "long" } } }, "segments": { "type": "nested", "properties": { "sections": { "type": "keyword" }, "type": { "type": "keyword" } } }, "shared_libraries": { "type": "keyword" }, "telfhash": { "type": "keyword" } } }, "end": { "type": "date" }, "entity_id": { "type": "keyword" }, "entry_leader": { "properties": { "entity_id": { "type": "keyword" } } }, "executable": { "type": "keyword" }, "exit_code": { "type": "long" }, "hash": { "properties": { "md5": { "type": "keyword" }, "sha1": { "type": "keyword" }, "sha256": { "type": "keyword" }, "sha512": { "type": "keyword" }, "ssdeep": { "type": "keyword" } } }, "name": { 
"type": "keyword" }, "parent": { "properties": { "args": { "type": "keyword" }, "args_count": { "type": "long" }, "code_signature": { "properties": { "digest_algorithm": { "type": "keyword" }, "exists": { "type": "boolean" }, "signing_id": { "type": "keyword" }, "status": { "type": "keyword" }, "subject_name": { "type": "keyword" }, "team_id": { "type": "keyword" }, "timestamp": { "type": "date" }, "trusted": { "type": "boolean" }, "valid": { "type": "boolean" } } }, "command_line": { "type": "wildcard" }, "elf": { "properties": { "architecture": { "type": "keyword" }, "byte_order": { "type": "keyword" }, "cpu_type": { "type": "keyword" }, "creation_date": { "type": "date" }, "exports": { "type": "flattened" }, "header": { "properties": { "abi_version": { "type": "keyword" }, "class": { "type": "keyword" }, "data": { "type": "keyword" }, "entrypoint": { "type": "long" }, "object_version": { "type": "keyword" }, "os_abi": { "type": "keyword" }, "type": { "type": "keyword" }, "version": { "type": "keyword" } } }, "imports": { "type": "flattened" }, "sections": { "type": "nested", "properties": { "chi2": { "type": "long" }, "entropy": { "type": "long" }, "flags": { "type": "keyword" }, "name": { "type": "keyword" }, "physical_offset": { "type": "keyword" }, "physical_size": { "type": "long" }, "type": { "type": "keyword" }, "virtual_address": { "type": "long" }, "virtual_size": { "type": "long" } } }, "segments": { "type": "nested", "properties": { "sections": { "type": "keyword" }, "type": { "type": "keyword" } } }, "shared_libraries": { "type": "keyword" }, "telfhash": { "type": "keyword" } } }, "end": { "type": "date" }, "entity_id": { "type": "keyword" }, "executable": { "type": "keyword" }, "exit_code": { "type": "long" }, "hash": { "properties": { "md5": { "type": "keyword" }, "sha1": { "type": "keyword" }, "sha256": { "type": "keyword" }, "sha512": { "type": "keyword" }, "ssdeep": { "type": "keyword" } } }, "name": { "type": "keyword" }, "pe": { "properties": { 
"architecture": { "type": "keyword" }, "company": { "type": "keyword" }, "description": { "type": "keyword" }, "file_version": { "type": "keyword" }, "imphash": { "type": "keyword" }, "original_file_name": { "type": "keyword" }, "product": { "type": "keyword" } } }, "pgid": { "type": "long" }, "pid": { "type": "long" }, "start": { "type": "date" }, "thread": { "properties": { "id": { "type": "long" }, "name": { "type": "keyword" } } }, "title": { "type": "keyword" }, "uptime": { "type": "long" }, "working_directory": { "type": "keyword" } } }, "pe": { "properties": { "architecture": { "type": "keyword" }, "company": { "type": "keyword" }, "description": { "type": "keyword" }, "file_version": { "type": "keyword" }, "imphash": { "type": "keyword" }, "original_file_name": { "type": "keyword" }, "product": { "type": "keyword" } } }, "pgid": { "type": "long" }, "pid": { "type": "long" }, "session_leader": { "properties": { "entity_id": { "type": "keyword" } } }, "start": { "type": "date" }, "thread": { "properties": { "id": { "type": "long" }, "name": { "type": "keyword" } } }, "title": { "type": "keyword" }, "uptime": { "type": "long" }, "working_directory": { "type": "keyword" } } }, "registry": { "properties": { "data": { "properties": { "bytes": { "type": "keyword" }, "strings": { "type": "wildcard" }, "type": { "type": "keyword" } } }, "hive": { "type": "keyword" }, "key": { "type": "keyword" }, "path": { "type": "keyword" }, "value": { "type": "keyword" } } }, "related": { "properties": { "hash": { "type": "keyword" }, "hosts": { "type": "keyword" }, "ip": { "type": "ip" }, "user": { "type": "keyword" } } }, "rule": { "properties": { "author": { "type": "keyword" }, "category": { "type": "keyword" }, "description": { "type": "keyword" }, "id": { "type": "keyword" }, "license": { "type": "keyword" }, "name": { "type": "keyword" }, "reference": { "type": "keyword" }, "ruleset": { "type": "keyword" }, "uuid": { "type": "keyword" }, "version": { "type": "keyword" } } 
}, "server": { "properties": { "address": { "type": "keyword" }, "as": { "properties": { "number": { "type": "long" }, "organization": { "properties": { "name": { "type": "keyword" } } } } }, "bytes": { "type": "long" }, "domain": { "type": "keyword" }, "geo": { "properties": { "city_name": { "type": "keyword" }, "continent_code": { "type": "keyword" }, "continent_name": { "type": "keyword" }, "country_iso_code": { "type": "keyword" }, "country_name": { "type": "keyword" }, "location": { "type": "geo_point" }, "name": { "type": "keyword" }, "postal_code": { "type": "keyword" }, "region_iso_code": { "type": "keyword" }, "region_name": { "type": "keyword" }, "timezone": { "type": "keyword" } } }, "ip": { "type": "ip" }, "mac": { "type": "keyword" }, "nat": { "properties": { "ip": { "type": "ip" }, "port": { "type": "long" } } }, "packets": { "type": "long" }, "port": { "type": "long" }, "registered_domain": { "type": "keyword" }, "subdomain": { "type": "keyword" }, "top_level_domain": { "type": "keyword" }, "user": { "properties": { "domain": { "type": "keyword" }, "email": { "type": "keyword" }, "full_name": { "type": "keyword" }, "group": { "properties": { "domain": { "type": "keyword" }, "id": { "type": "keyword" }, "name": { "type": "keyword" } } }, "hash": { "type": "keyword" }, "id": { "type": "keyword" }, "name": { "type": "keyword" }, "roles": { "type": "keyword" } } } } }, "service": { "properties": { "address": { "type": "keyword" }, "environment": { "type": "keyword" }, "ephemeral_id": { "type": "keyword" }, "id": { "type": "keyword" }, "name": { "type": "keyword" }, "node": { "properties": { "name": { "type": "keyword" } } }, "origin": { "properties": { "address": { "type": "keyword" }, "environment": { "type": "keyword" }, "ephemeral_id": { "type": "keyword" }, "id": { "type": "keyword" }, "name": { "type": "keyword" }, "node": { "properties": { "name": { "type": "keyword" } } }, "state": { "type": "keyword" }, "type": { "type": "keyword" }, "version": { 
"type": "keyword" } } }, "state": { "type": "keyword" }, "target": { "properties": { "address": { "type": "keyword" }, "environment": { "type": "keyword" }, "ephemeral_id": { "type": "keyword" }, "id": { "type": "keyword" }, "name": { "type": "keyword" }, "node": { "properties": { "name": { "type": "keyword" } } }, "state": { "type": "keyword" }, "type": { "type": "keyword" }, "version": { "type": "keyword" } } }, "type": { "type": "keyword" }, "version": { "type": "keyword" } } }, "signal": { "properties": { "ancestors": { "properties": { "depth": { "type": "alias", "path": "kibana.alert.ancestors.depth" }, "id": { "type": "alias", "path": "kibana.alert.ancestors.id" }, "index": { "type": "alias", "path": "kibana.alert.ancestors.index" }, "type": { "type": "alias", "path": "kibana.alert.ancestors.type" } } }, "depth": { "type": "alias", "path": "kibana.alert.depth" }, "group": { "properties": { "id": { "type": "alias", "path": "kibana.alert.group.id" }, "index": { "type": "alias", "path": "kibana.alert.group.index" } } }, "original_event": { "properties": { "action": { "type": "alias", "path": "kibana.alert.original_event.action" }, "category": { "type": "alias", "path": "kibana.alert.original_event.category" }, "code": { "type": "alias", "path": "kibana.alert.original_event.code" }, "created": { "type": "alias", "path": "kibana.alert.original_event.created" }, "dataset": { "type": "alias", "path": "kibana.alert.original_event.dataset" }, "duration": { "type": "alias", "path": "kibana.alert.original_event.duration" }, "end": { "type": "alias", "path": "kibana.alert.original_event.end" }, "hash": { "type": "alias", "path": "kibana.alert.original_event.hash" }, "id": { "type": "alias", "path": "kibana.alert.original_event.id" }, "kind": { "type": "alias", "path": "kibana.alert.original_event.kind" }, "module": { "type": "alias", "path": "kibana.alert.original_event.module" }, "outcome": { "type": "alias", "path": "kibana.alert.original_event.outcome" }, "provider": 
{ "type": "alias", "path": "kibana.alert.original_event.provider" }, "reason": { "type": "alias", "path": "kibana.alert.original_event.reason" }, "risk_score": { "type": "alias", "path": "kibana.alert.original_event.risk_score" }, "risk_score_norm": { "type": "alias", "path": "kibana.alert.original_event.risk_score_norm" }, "sequence": { "type": "alias", "path": "kibana.alert.original_event.sequence" }, "severity": { "type": "alias", "path": "kibana.alert.original_event.severity" }, "start": { "type": "alias", "path": "kibana.alert.original_event.start" }, "timezone": { "type": "alias", "path": "kibana.alert.original_event.timezone" }, "type": { "type": "alias", "path": "kibana.alert.original_event.type" } } }, "original_time": { "type": "alias", "path": "kibana.alert.original_time" }, "reason": { "type": "alias", "path": "kibana.alert.reason" }, "rule": { "properties": { "author": { "type": "alias", "path": "kibana.alert.rule.author" }, "building_block_type": { "type": "alias", "path": "kibana.alert.building_block_type" }, "created_at": { "type": "alias", "path": "kibana.alert.rule.created_at" }, "created_by": { "type": "alias", "path": "kibana.alert.rule.created_by" }, "description": { "type": "alias", "path": "kibana.alert.rule.description" }, "enabled": { "type": "alias", "path": "kibana.alert.rule.enabled" }, "false_positives": { "type": "alias", "path": "kibana.alert.rule.false_positives" }, "from": { "type": "alias", "path": "kibana.alert.rule.from" }, "id": { "type": "alias", "path": "kibana.alert.rule.uuid" }, "immutable": { "type": "alias", "path": "kibana.alert.rule.immutable" }, "interval": { "type": "alias", "path": "kibana.alert.rule.interval" }, "license": { "type": "alias", "path": "kibana.alert.rule.license" }, "max_signals": { "type": "alias", "path": "kibana.alert.rule.max_signals" }, "name": { "type": "alias", "path": "kibana.alert.rule.name" }, "note": { "type": "alias", "path": "kibana.alert.rule.note" }, "references": { "type": "alias", 
"path": "kibana.alert.rule.references" }, "risk_score": { "type": "alias", "path": "kibana.alert.risk_score" }, "rule_id": { "type": "alias", "path": "kibana.alert.rule.rule_id" }, "rule_name_override": { "type": "alias", "path": "kibana.alert.rule.rule_name_override" }, "severity": { "type": "alias", "path": "kibana.alert.severity" }, "tags": { "type": "alias", "path": "kibana.alert.rule.tags" }, "threat": { "properties": { "framework": { "type": "alias", "path": "kibana.alert.rule.threat.framework" }, "tactic": { "properties": { "id": { "type": "alias", "path": "kibana.alert.rule.threat.tactic.id" }, "name": { "type": "alias", "path": "kibana.alert.rule.threat.tactic.name" }, "reference": { "type": "alias", "path": "kibana.alert.rule.threat.tactic.reference" } } }, "technique": { "properties": { "id": { "type": "alias", "path": "kibana.alert.rule.threat.technique.id" }, "name": { "type": "alias", "path": "kibana.alert.rule.threat.technique.name" }, "reference": { "type": "alias", "path": "kibana.alert.rule.threat.technique.reference" }, "subtechnique": { "properties": { "id": { "type": "alias", "path": "kibana.alert.rule.threat.technique.subtechnique.id" }, "name": { "type": "alias", "path": "kibana.alert.rule.threat.technique.subtechnique.name" }, "reference": { "type": "alias", "path": "kibana.alert.rule.threat.technique.subtechnique.reference" } } } } } } }, "timeline_id": { "type": "alias", "path": "kibana.alert.rule.timeline_id" }, "timeline_title": { "type": "alias", "path": "kibana.alert.rule.timeline_title" }, "timestamp_override": { "type": "alias", "path": "kibana.alert.rule.timestamp_override" }, "to": { "type": "alias", "path": "kibana.alert.rule.to" }, "type": { "type": "alias", "path": "kibana.alert.rule.type" }, "updated_at": { "type": "alias", "path": "kibana.alert.rule.updated_at" }, "updated_by": { "type": "alias", "path": "kibana.alert.rule.updated_by" }, "version": { "type": "alias", "path": "kibana.alert.rule.version" } } }, "status": { 
"type": "alias", "path": "kibana.alert.workflow_status" }, "threshold_result": { "properties": { "cardinality": { "properties": { "field": { "type": "alias", "path": "kibana.alert.threshold_result.cardinality.field" }, "value": { "type": "alias", "path": "kibana.alert.threshold_result.cardinality.value" } } }, "count": { "type": "alias", "path": "kibana.alert.threshold_result.count" }, "from": { "type": "alias", "path": "kibana.alert.threshold_result.from" }, "terms": { "properties": { "field": { "type": "alias", "path": "kibana.alert.threshold_result.terms.field" }, "value": { "type": "alias", "path": "kibana.alert.threshold_result.terms.value" } } } } } } }, "source": { "properties": { "address": { "type": "keyword" }, "as": { "properties": { "number": { "type": "long" }, "organization": { "properties": { "name": { "type": "keyword" } } } } }, "bytes": { "type": "long" }, "domain": { "type": "keyword" }, "geo": { "properties": { "city_name": { "type": "keyword" }, "continent_code": { "type": "keyword" }, "continent_name": { "type": "keyword" }, "country_iso_code": { "type": "keyword" }, "country_name": { "type": "keyword" }, "location": { "type": "geo_point" }, "name": { "type": "keyword" }, "postal_code": { "type": "keyword" }, "region_iso_code": { "type": "keyword" }, "region_name": { "type": "keyword" }, "timezone": { "type": "keyword" } } }, "ip": { "type": "ip" }, "mac": { "type": "keyword" }, "nat": { "properties": { "ip": { "type": "ip" }, "port": { "type": "long" } } }, "packets": { "type": "long" }, "port": { "type": "long" }, "registered_domain": { "type": "keyword" }, "subdomain": { "type": "keyword" }, "top_level_domain": { "type": "keyword" }, "user": { "properties": { "domain": { "type": "keyword" }, "email": { "type": "keyword" }, "full_name": { "type": "keyword" }, "group": { "properties": { "domain": { "type": "keyword" }, "id": { "type": "keyword" }, "name": { "type": "keyword" } } }, "hash": { "type": "keyword" }, "id": { "type": "keyword" }, 
"name": { "type": "keyword" }, "roles": { "type": "keyword" } } } } }, "span": { "properties": { "id": { "type": "keyword" } } }, "tags": { "type": "keyword" }, "threat": { "properties": { "enrichments": { "type": "nested", "properties": { "indicator": { "properties": { "as": { "properties": { "number": { "type": "long" }, "organization": { "properties": { "name": { "type": "keyword" } } } } }, "confidence": { "type": "keyword" }, "description": { "type": "keyword" }, "email": { "properties": { "address": { "type": "keyword" } } }, "file": { "properties": { "accessed": { "type": "date" }, "attributes": { "type": "keyword" }, "code_signature": { "properties": { "digest_algorithm": { "type": "keyword" }, "exists": { "type": "boolean" }, "signing_id": { "type": "keyword" }, "status": { "type": "keyword" }, "subject_name": { "type": "keyword" }, "team_id": { "type": "keyword" }, "timestamp": { "type": "date" }, "trusted": { "type": "boolean" }, "valid": { "type": "boolean" } } }, "created": { "type": "date" }, "ctime": { "type": "date" }, "device": { "type": "keyword" }, "directory": { "type": "keyword" }, "drive_letter": { "type": "keyword" }, "elf": { "properties": { "architecture": { "type": "keyword" }, "byte_order": { "type": "keyword" }, "cpu_type": { "type": "keyword" }, "creation_date": { "type": "date" }, "exports": { "type": "flattened" }, "header": { "properties": { "abi_version": { "type": "keyword" }, "class": { "type": "keyword" }, "data": { "type": "keyword" }, "entrypoint": { "type": "long" }, "object_version": { "type": "keyword" }, "os_abi": { "type": "keyword" }, "type": { "type": "keyword" }, "version": { "type": "keyword" } } }, "imports": { "type": "flattened" }, "sections": { "type": "nested", "properties": { "chi2": { "type": "long" }, "entropy": { "type": "long" }, "flags": { "type": "keyword" }, "name": { "type": "keyword" }, "physical_offset": { "type": "keyword" }, "physical_size": { "type": "long" }, "type": { "type": "keyword" }, 
"virtual_address": { "type": "long" }, "virtual_size": { "type": "long" } } }, "segments": { "type": "nested", "properties": { "sections": { "type": "keyword" }, "type": { "type": "keyword" } } }, "shared_libraries": { "type": "keyword" }, "telfhash": { "type": "keyword" } } }, "extension": { "type": "keyword" }, "fork_name": { "type": "keyword" }, "gid": { "type": "keyword" }, "group": { "type": "keyword" }, "hash": { "properties": { "md5": { "type": "keyword" }, "sha1": { "type": "keyword" }, "sha256": { "type": "keyword" }, "sha512": { "type": "keyword" }, "ssdeep": { "type": "keyword" } } }, "inode": { "type": "keyword" }, "mime_type": { "type": "keyword" }, "mode": { "type": "keyword" }, "mtime": { "type": "date" }, "name": { "type": "keyword" }, "owner": { "type": "keyword" }, "path": { "type": "keyword" }, "pe": { "properties": { "architecture": { "type": "keyword" }, "company": { "type": "keyword" }, "description": { "type": "keyword" }, "file_version": { "type": "keyword" }, "imphash": { "type": "keyword" }, "original_file_name": { "type": "keyword" }, "product": { "type": "keyword" } } }, "size": { "type": "long" }, "target_path": { "type": "keyword" }, "type": { "type": "keyword" }, "uid": { "type": "keyword" }, "x509": { "properties": { "alternative_names": { "type": "keyword" }, "issuer": { "properties": { "common_name": { "type": "keyword" }, "country": { "type": "keyword" }, "distinguished_name": { "type": "keyword" }, "locality": { "type": "keyword" }, "organization": { "type": "keyword" }, "organizational_unit": { "type": "keyword" }, "state_or_province": { "type": "keyword" } } }, "not_after": { "type": "date" }, "not_before": { "type": "date" }, "public_key_algorithm": { "type": "keyword" }, "public_key_curve": { "type": "keyword" }, "public_key_exponent": { "type": "long" }, "public_key_size": { "type": "long" }, "serial_number": { "type": "keyword" }, "signature_algorithm": { "type": "keyword" }, "subject": { "properties": { "common_name": { 
"type": "keyword" }, "country": { "type": "keyword" }, "distinguished_name": { "type": "keyword" }, "locality": { "type": "keyword" }, "organization": { "type": "keyword" }, "organizational_unit": { "type": "keyword" }, "state_or_province": { "type": "keyword" } } }, "version_number": { "type": "keyword" } } } } }, "first_seen": { "type": "date" }, "geo": { "properties": { "city_name": { "type": "keyword" }, "continent_code": { "type": "keyword" }, "continent_name": { "type": "keyword" }, "country_iso_code": { "type": "keyword" }, "country_name": { "type": "keyword" }, "location": { "type": "geo_point" }, "name": { "type": "keyword" }, "postal_code": { "type": "keyword" }, "region_iso_code": { "type": "keyword" }, "region_name": { "type": "keyword" }, "timezone": { "type": "keyword" } } }, "ip": { "type": "ip" }, "last_seen": { "type": "date" }, "marking": { "properties": { "tlp": { "type": "keyword" } } }, "modified_at": { "type": "date" }, "port": { "type": "long" }, "provider": { "type": "keyword" }, "reference": { "type": "keyword" }, "registry": { "properties": { "data": { "properties": { "bytes": { "type": "keyword" }, "strings": { "type": "wildcard" }, "type": { "type": "keyword" } } }, "hive": { "type": "keyword" }, "key": { "type": "keyword" }, "path": { "type": "keyword" }, "value": { "type": "keyword" } } }, "scanner_stats": { "type": "long" }, "sightings": { "type": "long" }, "type": { "type": "keyword" }, "url": { "properties": { "domain": { "type": "keyword" }, "extension": { "type": "keyword" }, "fragment": { "type": "keyword" }, "full": { "type": "wildcard" }, "original": { "type": "wildcard" }, "password": { "type": "keyword" }, "path": { "type": "wildcard" }, "port": { "type": "long" }, "query": { "type": "keyword" }, "registered_domain": { "type": "keyword" }, "scheme": { "type": "keyword" }, "subdomain": { "type": "keyword" }, "top_level_domain": { "type": "keyword" }, "username": { "type": "keyword" } } }, "x509": { "properties": { 
"alternative_names": { "type": "keyword" }, "issuer": { "properties": { "common_name": { "type": "keyword" }, "country": { "type": "keyword" }, "distinguished_name": { "type": "keyword" }, "locality": { "type": "keyword" }, "organization": { "type": "keyword" }, "organizational_unit": { "type": "keyword" }, "state_or_province": { "type": "keyword" } } }, "not_after": { "type": "date" }, "not_before": { "type": "date" }, "public_key_algorithm": { "type": "keyword" }, "public_key_curve": { "type": "keyword" }, "public_key_exponent": { "type": "long" }, "public_key_size": { "type": "long" }, "serial_number": { "type": "keyword" }, "signature_algorithm": { "type": "keyword" }, "subject": { "properties": { "common_name": { "type": "keyword" }, "country": { "type": "keyword" }, "distinguished_name": { "type": "keyword" }, "locality": { "type": "keyword" }, "organization": { "type": "keyword" }, "organizational_unit": { "type": "keyword" }, "state_or_province": { "type": "keyword" } } }, "version_number": { "type": "keyword" } } } } }, "matched": { "properties": { "atomic": { "type": "keyword" }, "field": { "type": "keyword" }, "id": { "type": "keyword" }, "index": { "type": "keyword" }, "type": { "type": "keyword" } } } } }, "framework": { "type": "keyword" }, "group": { "properties": { "alias": { "type": "keyword" }, "id": { "type": "keyword" }, "name": { "type": "keyword" }, "reference": { "type": "keyword" } } }, "indicator": { "properties": { "as": { "properties": { "number": { "type": "long" }, "organization": { "properties": { "name": { "type": "keyword" } } } } }, "confidence": { "type": "keyword" }, "description": { "type": "keyword" }, "email": { "properties": { "address": { "type": "keyword" } } }, "file": { "properties": { "accessed": { "type": "date" }, "attributes": { "type": "keyword" }, "code_signature": { "properties": { "digest_algorithm": { "type": "keyword" }, "exists": { "type": "boolean" }, "signing_id": { "type": "keyword" }, "status": { "type": 
"keyword" }, "subject_name": { "type": "keyword" }, "team_id": { "type": "keyword" }, "timestamp": { "type": "date" }, "trusted": { "type": "boolean" }, "valid": { "type": "boolean" } } }, "created": { "type": "date" }, "ctime": { "type": "date" }, "device": { "type": "keyword" }, "directory": { "type": "keyword" }, "drive_letter": { "type": "keyword" }, "elf": { "properties": { "architecture": { "type": "keyword" }, "byte_order": { "type": "keyword" }, "cpu_type": { "type": "keyword" }, "creation_date": { "type": "date" }, "exports": { "type": "flattened" }, "header": { "properties": { "abi_version": { "type": "keyword" }, "class": { "type": "keyword" }, "data": { "type": "keyword" }, "entrypoint": { "type": "long" }, "object_version": { "type": "keyword" }, "os_abi": { "type": "keyword" }, "type": { "type": "keyword" }, "version": { "type": "keyword" } } }, "imports": { "type": "flattened" }, "sections": { "type": "nested", "properties": { "chi2": { "type": "long" }, "entropy": { "type": "long" }, "flags": { "type": "keyword" }, "name": { "type": "keyword" }, "physical_offset": { "type": "keyword" }, "physical_size": { "type": "long" }, "type": { "type": "keyword" }, "virtual_address": { "type": "long" }, "virtual_size": { "type": "long" } } }, "segments": { "type": "nested", "properties": { "sections": { "type": "keyword" }, "type": { "type": "keyword" } } }, "shared_libraries": { "type": "keyword" }, "telfhash": { "type": "keyword" } } }, "extension": { "type": "keyword" }, "fork_name": { "type": "keyword" }, "gid": { "type": "keyword" }, "group": { "type": "keyword" }, "hash": { "properties": { "md5": { "type": "keyword" }, "sha1": { "type": "keyword" }, "sha256": { "type": "keyword" }, "sha512": { "type": "keyword" }, "ssdeep": { "type": "keyword" } } }, "inode": { "type": "keyword" }, "mime_type": { "type": "keyword" }, "mode": { "type": "keyword" }, "mtime": { "type": "date" }, "name": { "type": "keyword" }, "owner": { "type": "keyword" }, "path": { "type": 
"keyword" }, "pe": { "properties": { "architecture": { "type": "keyword" }, "company": { "type": "keyword" }, "description": { "type": "keyword" }, "file_version": { "type": "keyword" }, "imphash": { "type": "keyword" }, "original_file_name": { "type": "keyword" }, "product": { "type": "keyword" } } }, "size": { "type": "long" }, "target_path": { "type": "keyword" }, "type": { "type": "keyword" }, "uid": { "type": "keyword" }, "x509": { "properties": { "alternative_names": { "type": "keyword" }, "issuer": { "properties": { "common_name": { "type": "keyword" }, "country": { "type": "keyword" }, "distinguished_name": { "type": "keyword" }, "locality": { "type": "keyword" }, "organization": { "type": "keyword" }, "organizational_unit": { "type": "keyword" }, "state_or_province": { "type": "keyword" } } }, "not_after": { "type": "date" }, "not_before": { "type": "date" }, "public_key_algorithm": { "type": "keyword" }, "public_key_curve": { "type": "keyword" }, "public_key_exponent": { "type": "long" }, "public_key_size": { "type": "long" }, "serial_number": { "type": "keyword" }, "signature_algorithm": { "type": "keyword" }, "subject": { "properties": { "common_name": { "type": "keyword" }, "country": { "type": "keyword" }, "distinguished_name": { "type": "keyword" }, "locality": { "type": "keyword" }, "organization": { "type": "keyword" }, "organizational_unit": { "type": "keyword" }, "state_or_province": { "type": "keyword" } } }, "version_number": { "type": "keyword" } } } } }, "first_seen": { "type": "date" }, "geo": { "properties": { "city_name": { "type": "keyword" }, "continent_code": { "type": "keyword" }, "continent_name": { "type": "keyword" }, "country_iso_code": { "type": "keyword" }, "country_name": { "type": "keyword" }, "location": { "type": "geo_point" }, "name": { "type": "keyword" }, "postal_code": { "type": "keyword" }, "region_iso_code": { "type": "keyword" }, "region_name": { "type": "keyword" }, "timezone": { "type": "keyword" } } }, "ip": { 
"type": "ip" }, "last_seen": { "type": "date" }, "marking": { "properties": { "tlp": { "type": "keyword" } } }, "modified_at": { "type": "date" }, "port": { "type": "long" }, "provider": { "type": "keyword" }, "reference": { "type": "keyword" }, "registry": { "properties": { "data": { "properties": { "bytes": { "type": "keyword" }, "strings": { "type": "wildcard" }, "type": { "type": "keyword" } } }, "hive": { "type": "keyword" }, "key": { "type": "keyword" }, "path": { "type": "keyword" }, "value": { "type": "keyword" } } }, "scanner_stats": { "type": "long" }, "sightings": { "type": "long" }, "type": { "type": "keyword" }, "url": { "properties": { "domain": { "type": "keyword" }, "extension": { "type": "keyword" }, "fragment": { "type": "keyword" }, "full": { "type": "wildcard" }, "original": { "type": "wildcard" }, "password": { "type": "keyword" }, "path": { "type": "wildcard" }, "port": { "type": "long" }, "query": { "type": "keyword" }, "registered_domain": { "type": "keyword" }, "scheme": { "type": "keyword" }, "subdomain": { "type": "keyword" }, "top_level_domain": { "type": "keyword" }, "username": { "type": "keyword" } } }, "x509": { "properties": { "alternative_names": { "type": "keyword" }, "issuer": { "properties": { "common_name": { "type": "keyword" }, "country": { "type": "keyword" }, "distinguished_name": { "type": "keyword" }, "locality": { "type": "keyword" }, "organization": { "type": "keyword" }, "organizational_unit": { "type": "keyword" }, "state_or_province": { "type": "keyword" } } }, "not_after": { "type": "date" }, "not_before": { "type": "date" }, "public_key_algorithm": { "type": "keyword" }, "public_key_curve": { "type": "keyword" }, "public_key_exponent": { "type": "long" }, "public_key_size": { "type": "long" }, "serial_number": { "type": "keyword" }, "signature_algorithm": { "type": "keyword" }, "subject": { "properties": { "common_name": { "type": "keyword" }, "country": { "type": "keyword" }, "distinguished_name": { "type": 
"keyword" }, "locality": { "type": "keyword" }, "organization": { "type": "keyword" }, "organizational_unit": { "type": "keyword" }, "state_or_province": { "type": "keyword" } } }, "version_number": { "type": "keyword" } } } } }, "software": { "properties": { "alias": { "type": "keyword" }, "id": { "type": "keyword" }, "name": { "type": "keyword" }, "platforms": { "type": "keyword" }, "reference": { "type": "keyword" }, "type": { "type": "keyword" } } }, "tactic": { "properties": { "id": { "type": "keyword" }, "name": { "type": "keyword" }, "reference": { "type": "keyword" } } }, "technique": { "properties": { "id": { "type": "keyword" }, "name": { "type": "keyword" }, "reference": { "type": "keyword" }, "subtechnique": { "properties": { "id": { "type": "keyword" }, "name": { "type": "keyword" }, "reference": { "type": "keyword" } } } } } } }, "tls": { "properties": { "cipher": { "type": "keyword" }, "client": { "properties": { "certificate": { "type": "keyword" }, "certificate_chain": { "type": "keyword" }, "hash": { "properties": { "md5": { "type": "keyword" }, "sha1": { "type": "keyword" }, "sha256": { "type": "keyword" } } }, "issuer": { "type": "keyword" }, "ja3": { "type": "keyword" }, "not_after": { "type": "date" }, "not_before": { "type": "date" }, "server_name": { "type": "keyword" }, "subject": { "type": "keyword" }, "supported_ciphers": { "type": "keyword" }, "x509": { "properties": { "alternative_names": { "type": "keyword" }, "issuer": { "properties": { "common_name": { "type": "keyword" }, "country": { "type": "keyword" }, "distinguished_name": { "type": "keyword" }, "locality": { "type": "keyword" }, "organization": { "type": "keyword" }, "organizational_unit": { "type": "keyword" }, "state_or_province": { "type": "keyword" } } }, "not_after": { "type": "date" }, "not_before": { "type": "date" }, "public_key_algorithm": { "type": "keyword" }, "public_key_curve": { "type": "keyword" }, "public_key_exponent": { "type": "long" }, "public_key_size": { 
"type": "long" }, "serial_number": { "type": "keyword" }, "signature_algorithm": { "type": "keyword" }, "subject": { "properties": { "common_name": { "type": "keyword" }, "country": { "type": "keyword" }, "distinguished_name": { "type": "keyword" }, "locality": { "type": "keyword" }, "organization": { "type": "keyword" }, "organizational_unit": { "type": "keyword" }, "state_or_province": { "type": "keyword" } } }, "version_number": { "type": "keyword" } } } } }, "curve": { "type": "keyword" }, "established": { "type": "boolean" }, "next_protocol": { "type": "keyword" }, "resumed": { "type": "boolean" }, "server": { "properties": { "certificate": { "type": "keyword" }, "certificate_chain": { "type": "keyword" }, "hash": { "properties": { "md5": { "type": "keyword" }, "sha1": { "type": "keyword" }, "sha256": { "type": "keyword" } } }, "issuer": { "type": "keyword" }, "ja3s": { "type": "keyword" }, "not_after": { "type": "date" }, "not_before": { "type": "date" }, "subject": { "type": "keyword" }, "x509": { "properties": { "alternative_names": { "type": "keyword" }, "issuer": { "properties": { "common_name": { "type": "keyword" }, "country": { "type": "keyword" }, "distinguished_name": { "type": "keyword" }, "locality": { "type": "keyword" }, "organization": { "type": "keyword" }, "organizational_unit": { "type": "keyword" }, "state_or_province": { "type": "keyword" } } }, "not_after": { "type": "date" }, "not_before": { "type": "date" }, "public_key_algorithm": { "type": "keyword" }, "public_key_curve": { "type": "keyword" }, "public_key_exponent": { "type": "long" }, "public_key_size": { "type": "long" }, "serial_number": { "type": "keyword" }, "signature_algorithm": { "type": "keyword" }, "subject": { "properties": { "common_name": { "type": "keyword" }, "country": { "type": "keyword" }, "distinguished_name": { "type": "keyword" }, "locality": { "type": "keyword" }, "organization": { "type": "keyword" }, "organizational_unit": { "type": "keyword" }, 
"state_or_province": { "type": "keyword" } } }, "version_number": { "type": "keyword" } } } } }, "version": { "type": "keyword" }, "version_protocol": { "type": "keyword" } } }, "trace": { "properties": { "id": { "type": "keyword" } } }, "transaction": { "properties": { "id": { "type": "keyword" } } }, "url": { "properties": { "domain": { "type": "keyword" }, "extension": { "type": "keyword" }, "fragment": { "type": "keyword" }, "full": { "type": "wildcard" }, "original": { "type": "wildcard" }, "password": { "type": "keyword" }, "path": { "type": "wildcard" }, "port": { "type": "long" }, "query": { "type": "keyword" }, "registered_domain": { "type": "keyword" }, "scheme": { "type": "keyword" }, "subdomain": { "type": "keyword" }, "top_level_domain": { "type": "keyword" }, "username": { "type": "keyword" } } }, "user": { "properties": { "changes": { "properties": { "domain": { "type": "keyword" }, "email": { "type": "keyword" }, "full_name": { "type": "keyword" }, "group": { "properties": { "domain": { "type": "keyword" }, "id": { "type": "keyword" }, "name": { "type": "keyword" } } }, "hash": { "type": "keyword" }, "id": { "type": "keyword" }, "name": { "type": "keyword" }, "roles": { "type": "keyword" } } }, "domain": { "type": "keyword" }, "effective": { "properties": { "domain": { "type": "keyword" }, "email": { "type": "keyword" }, "full_name": { "type": "keyword" }, "group": { "properties": { "domain": { "type": "keyword" }, "id": { "type": "keyword" }, "name": { "type": "keyword" } } }, "hash": { "type": "keyword" }, "id": { "type": "keyword" }, "name": { "type": "keyword" }, "roles": { "type": "keyword" } } }, "email": { "type": "keyword" }, "full_name": { "type": "keyword" }, "group": { "properties": { "domain": { "type": "keyword" }, "id": { "type": "keyword" }, "name": { "type": "keyword" } } }, "hash": { "type": "keyword" }, "id": { "type": "keyword" }, "name": { "type": "keyword" }, "roles": { "type": "keyword" }, "target": { "properties": { "domain": 
{ "type": "keyword" }, "email": { "type": "keyword" }, "full_name": { "type": "keyword" }, "group": { "properties": { "domain": { "type": "keyword" }, "id": { "type": "keyword" }, "name": { "type": "keyword" } } }, "hash": { "type": "keyword" }, "id": { "type": "keyword" }, "name": { "type": "keyword" }, "roles": { "type": "keyword" } } } } }, "user_agent": { "properties": { "device": { "properties": { "name": { "type": "keyword" } } }, "name": { "type": "keyword" }, "original": { "type": "keyword" }, "os": { "properties": { "family": { "type": "keyword" }, "full": { "type": "keyword" }, "kernel": { "type": "keyword" }, "name": { "type": "keyword" }, "platform": { "type": "keyword" }, "type": { "type": "keyword" }, "version": { "type": "keyword" } } }, "version": { "type": "keyword" } } }, "vulnerability": { "properties": { "category": { "type": "keyword" }, "classification": { "type": "keyword" }, "description": { "type": "keyword" }, "enumeration": { "type": "keyword" }, "id": { "type": "keyword" }, "reference": { "type": "keyword" }, "report_id": { "type": "keyword" }, "scanner": { "properties": { "vendor": { "type": "keyword" } } }, "score": { "properties": { "base": { "type": "float" }, "environmental": { "type": "float" }, "temporal": { "type": "float" }, "version": { "type": "keyword" } } }, "severity": { "type": "keyword" } } } } } } } ```
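The `threat.enrichments` entries mapped above (`matched.atomic`, `matched.field`, `matched.id`, `matched.index`, `matched.type`) are what the alert details flyout has to turn into its list of threat matches, and an indicator document can appear several times because it matched more than one mapped event field. The following TypeScript is an added example, not Kibana's own flyout code: it normalises enrichments from either the `_source` shape (a nested `matched` object) or the `fields` shape (flattened `matched.*` keys with array values), then groups them by indicator document so that each indicator is shown once with every field it hit, collapsing exact repeats and skipping entries that cannot be attributed to an indicator. The sample enrichments, the `indicator-A`/`indicator-B` ids and the `threat-sample` index name are constructed placeholders.

```typescript
// Added example: grouping indicator-match enrichments for display.
// Not Kibana's own code; the sample data at the bottom is constructed.

type RawEnrichment = Record<string, unknown>;

// One match with scalar values.
export interface Match {
  id: string;      // _id of the indicator document in the threat index
  index: string;   // threat index the indicator document lives in
  field: string;   // event field that matched (e.g. host.name)
  atomic: string;  // the matching value
}

// One indicator document, with every event field it matched.
export interface IndicatorGroup {
  id: string;
  index: string;
  matches: { field: string; atomic: string }[];
}

// Reads `matched.<key>` from either the `_source` shape
// ({ matched: { field: "host.name" } }) or the `fields` shape
// ({ "matched.field": ["host.name"] }); returns the first scalar as a string.
function readMatched(e: RawEnrichment, key: string): string | undefined {
  let v: unknown = e[`matched.${key}`];
  if (v === undefined) {
    const nested = e['matched'];
    if (nested !== null && typeof nested === 'object') {
      v = (nested as Record<string, unknown>)[key];
    }
  }
  if (Array.isArray(v)) v = v[0];
  return typeof v === 'string' ? v : undefined;
}

// Normalises raw enrichments into Match objects, dropping entries that do
// not carry enough information to identify the indicator and the match.
export function normalizeEnrichments(raw: RawEnrichment[]): Match[] {
  const out: Match[] = [];
  for (const e of raw) {
    const id = readMatched(e, 'id');
    const index = readMatched(e, 'index');
    const field = readMatched(e, 'field');
    const atomic = readMatched(e, 'atomic');
    if (id === undefined || index === undefined || field === undefined || atomic === undefined) {
      continue;
    }
    out.push({ id, index, field, atomic });
  }
  return out;
}

// Groups matches by (index, id) so each indicator document appears once.
// An exact repeat (same indicator, field and value) is collapsed; order of
// first appearance is preserved for both groups and their matches.
export function groupByIndicator(matches: Match[]): IndicatorGroup[] {
  const groups = new Map<string, IndicatorGroup>();
  for (const m of matches) {
    const key = `${m.index}\u0000${m.id}`;
    let group = groups.get(key);
    if (group === undefined) {
      group = { id: m.id, index: m.index, matches: [] };
      groups.set(key, group);
    }
    const seen = group.matches.some((x) => x.field === m.field && x.atomic === m.atomic);
    if (!seen) {
      group.matches.push({ field: m.field, atomic: m.atomic });
    }
  }
  return Array.from(groups.values());
}

export function summarizeEnrichments(raw: RawEnrichment[]): IndicatorGroup[] {
  return groupByIndicator(normalizeEnrichments(raw));
}

// Constructed sample (not taken from a real alert): two indicator documents in
// a placeholder threat index, a rule mapping host.name, host.hostname and
// host.architecture, one exact repeat, and one malformed entry.
export const SAMPLE_ENRICHMENTS: RawEnrichment[] = [
  // `fields` shape, as the alerts API returns it
  { 'matched.field': ['host.name'], 'matched.index': ['threat-sample'], 'matched.type': ['indicator_match_rule'], 'matched.id': ['indicator-A'], 'matched.atomic': ['host-1.local'] },
  { 'matched.field': ['host.hostname'], 'matched.index': ['threat-sample'], 'matched.type': ['indicator_match_rule'], 'matched.id': ['indicator-A'], 'matched.atomic': ['host-1.local'] },
  { 'matched.field': ['host.architecture'], 'matched.index': ['threat-sample'], 'matched.type': ['indicator_match_rule'], 'matched.id': ['indicator-A'], 'matched.atomic': ['x86_64'] },
  { 'matched.field': ['host.name'], 'matched.index': ['threat-sample'], 'matched.type': ['indicator_match_rule'], 'matched.id': ['indicator-B'], 'matched.atomic': ['host-1.local'] },
  // exact repeat of the first entry: collapsed by groupByIndicator
  { 'matched.field': ['host.name'], 'matched.index': ['threat-sample'], 'matched.type': ['indicator_match_rule'], 'matched.id': ['indicator-A'], 'matched.atomic': ['host-1.local'] },
  // `_source` shape, as in an unflattened hit
  { matched: { field: 'host.hostname', index: 'threat-sample', type: 'indicator_match_rule', id: 'indicator-B', atomic: 'host-1.local' } },
  // malformed: no matched.id, so it cannot be attributed to an indicator
  { 'matched.field': ['host.name'], 'matched.atomic': ['host-1.local'] },
];
```

Calling `summarizeEnrichments(SAMPLE_ENRICHMENTS)` yields two groups: `indicator-A` with three distinct matches (the repeated `host.name` entry is folded in) and `indicator-B` with two, one of them read from the nested `_source` shape; the entry without `matched.id` is dropped rather than rendered as an empty row.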
MadameSheema commented 2 years ago

8.4.0-not working scenario:

Screenshot 2022-07-29 at 11 23 13
Full alert JSON ```json { "_index": ".internal.alerts-security.alerts-default-000001", "_id": "2d360f59625bed7f0d3ed078bd760655a1b15123aedf79d346535c11dbd8fb23", "_score": 1, "fields": { "kibana.alert.severity": [ "low" ], "system.audit.package.name": [ "leptonica" ], "kibana.alert.rule.updated_by": [ "2448431502" ], "signal.ancestors.depth": [ 0 ], "event.category": [ "package" ], "host.hostname": [ "MacBook-Pro-de-Gloria.local" ], "system.audit.package.url": [ "http://www.leptonica.org/" ], "host.mac": [ "3e:76:0c:03:1f:17", "82:70:c6:c2:3c:00", "82:70:c6:c2:3c:01", "82:70:c6:c2:3c:04", "82:70:c6:c2:3c:05", "a4:83:e7:ae:5a:b6", "a6:83:e7:ae:5a:b6", "ac:de:48:00:11:22" ], "service.type": [ "system" ], "system.audit.package.version": [ "1.81.1" ], "kibana.alert.ancestors.depth": [ 0 ], "signal.rule.enabled": [ "true" ], "host.os.version": [ "12.4" ], "signal.rule.max_signals": [ 100 ], "kibana.alert.risk_score": [ 21 ], "signal.rule.updated_at": [ "2022-07-29T08:59:13.930Z" ], "agent.name": [ "MacBook-Pro-de-Gloria.local" ], "kibana.alert.original_event.id": [ "16a69c82-3df1-48c1-b1c0-e47d9bf79b28" ], "host.os.type": [ "macos" ], "package.reference": [ "http://www.leptonica.org/" ], "kibana.alert.original_event.module": [ "system" ], "kibana.alert.rule.interval": [ "1h" ], "kibana.alert.rule.type": [ "threat_match" ], "agent.hostname": [ "MacBook-Pro-de-Gloria.local" ], "host.architecture": [ "x86_64" ], "kibana.alert.rule.immutable": [ "false" ], "kibana.alert.original_event.type": [ "info" ], "agent.id": [ "8750629e-a4af-45a9-98fe-ccd5e4a861fa" ], "signal.original_event.module": [ "system" ], "signal.rule.from": [ "now-176400s" ], "kibana.alert.rule.enabled": [ "true" ], "kibana.alert.rule.version": [ "4" ], "kibana.alert.ancestors.type": [ "event" ], "signal.ancestors.index": [ ".ds-auditbeat-8.3.2-2022.07.29-000001" ], "host.ip": [ "fe80::aede:48ff:fe00:1122", "fe80::10ff:64f8:b4bc:2329", "192.168.5.172", "fe80::3c76:cff:fe03:1f17", "fe80::3c76:cff:fe03:1f17", 
"fe80::df83:a87a:a769:c7b1", "fe80::dcc4:e5ef:c40e:47ee", "fe80::ce81:b1c:bd2c:69e", "fe80::a3ad:7f35:30a0:7ae7", "fe80::98d2:a278:a3af:d440", "fe80::1cef:13da:47cb:27db", "fe80::4d47:f87a:ebd6:ff29" ], "agent.type": [ "auditbeat" ], "signal.original_event.category": [ "package" ], "signal.original_event.id": [ "16a69c82-3df1-48c1-b1c0-e47d9bf79b28" ], "threat.enrichments": [ { "matched.field": [ "host.name" ], "matched.index": [ "im" ], "matched.type": [ "indicator_match_rule" ], "matched.id": [ "FFEtSYIBZ61VHL7LvV2j" ], "matched.atomic": [ "MacBook-Pro-de-Gloria.local" ] }, { "matched.field": [ "host.hostname" ], "matched.index": [ "im" ], "matched.type": [ "indicator_match_rule" ], "matched.id": [ "E1EtSYIBZ61VHL7Ltl3m" ], "matched.atomic": [ "MacBook-Pro-de-Gloria.local" ] }, { "matched.field": [ "host.architecture" ], "matched.index": [ "im" ], "matched.type": [ "indicator_match_rule" ], "matched.id": [ "E1EtSYIBZ61VHL7Ltl3m" ], "matched.atomic": [ "x86_64" ] }, { "matched.field": [ "host.name" ], "matched.index": [ "im" ], "matched.type": [ "indicator_match_rule" ], "matched.id": [ "E1EtSYIBZ61VHL7Ltl3m" ], "matched.atomic": [ "MacBook-Pro-de-Gloria.local" ] }, { "matched.field": [ "host.hostname" ], "matched.index": [ "im" ], "matched.type": [ "indicator_match_rule" ], "matched.id": [ "CFErSYIBZ61VHL7LIV1N" ], "matched.atomic": [ "MacBook-Pro-de-Gloria.local" ] }, { "matched.field": [ "host.name" ], "matched.index": [ "im" ], "matched.type": [ "indicator_match_rule" ], "matched.id": [ "omInSYIBTdNg2EzzgtoB" ], "matched.atomic": [ "MacBook-Pro-de-Gloria.local" ] }, { "matched.field": [ "host.hostname" ], "matched.index": [ "im" ], "matched.type": [ "indicator_match_rule" ], "matched.id": [ "omInSYIBTdNg2EzzgtoB" ], "matched.atomic": [ "MacBook-Pro-de-Gloria.local" ] }, { "matched.field": [ "host.architecture" ], "matched.index": [ "im" ], "matched.type": [ "indicator_match_rule" ], "matched.id": [ "tWItSYIBTdNg2Ezzs9pE" ], "matched.atomic": [ "x86_64" ] }, { 
"matched.field": [ "host.name" ], "matched.index": [ "im" ], "matched.type": [ "indicator_match_rule" ], "matched.id": [ "tWItSYIBTdNg2Ezzs9pE" ], "matched.atomic": [ "MacBook-Pro-de-Gloria.local" ] }, { "matched.field": [ "host.hostname" ], "matched.index": [ "im" ], "matched.type": [ "indicator_match_rule" ], "matched.id": [ "tWItSYIBTdNg2Ezzs9pE" ], "matched.atomic": [ "MacBook-Pro-de-Gloria.local" ] }, { "matched.field": [ "host.architecture" ], "matched.index": [ "im" ], "matched.type": [ "indicator_match_rule" ], "matched.id": [ "FFEtSYIBZ61VHL7LvV2j" ], "matched.atomic": [ "x86_64" ] }, { "matched.field": [ "host.name" ], "matched.index": [ "im" ], "matched.type": [ "indicator_match_rule" ], "matched.id": [ "CFErSYIBZ61VHL7LIV1N" ], "matched.atomic": [ "MacBook-Pro-de-Gloria.local" ] }, { "matched.field": [ "host.architecture" ], "matched.index": [ "im" ], "matched.type": [ "indicator_match_rule" ], "matched.id": [ "CFErSYIBZ61VHL7LIV1N" ], "matched.atomic": [ "x86_64" ] }, { "matched.field": [ "host.hostname" ], "matched.index": [ "im" ], "matched.type": [ "indicator_match_rule" ], "matched.id": [ "FFEtSYIBZ61VHL7LvV2j" ], "matched.atomic": [ "MacBook-Pro-de-Gloria.local" ] } ], "package.name": [ "leptonica" ], "host.id": [ "55426D64-79AB-547C-81DA-440AB8F5DDD2" ], "signal.original_event.type": [ "info" ], "kibana.alert.rule.max_signals": [ 100 ], "kibana.alert.rule.risk_score": [ 21 ], "signal.original_event.dataset": [ "package" ], "kibana.alert.rule.consumer": [ "siem" ], "kibana.alert.rule.category": [ "Indicator Match Rule" ], "event.action": [ "existing_package" ], "signal.rule.updated_by": [ "2448431502" ], "@timestamp": [ "2022-07-29T08:59:19.547Z" ], "kibana.alert.original_event.action": [ "existing_package" ], "host.os.platform": [ "darwin" ], "kibana.alert.rule.severity": [ "low" ], "agent.ephemeral_id": [ "dadb8574-0b2d-4904-bfc0-70ada5424469" ], "kibana.alert.uuid": [ "2d360f59625bed7f0d3ed078bd760655a1b15123aedf79d346535c11dbd8fb23" ], 
"kibana.alert.rule.execution.uuid": [ "3342e967-1539-4a59-87c5-50fae1aab560" ], "kibana.alert.rule.meta.kibana_siem_app_url": [ "https://im.kb.europe-west1.gcp.cloud.es.io:9243/app/security" ], "kibana.version": [ "8.3.3" ], "event.id": [ "16a69c82-3df1-48c1-b1c0-e47d9bf79b28" ], "signal.rule.license": [ "" ], "signal.ancestors.type": [ "event" ], "kibana.alert.rule.rule_id": [ "79aa78b0-efaa-41b4-9142-d5def5f961f8" ], "signal.rule.type": [ "threat_match" ], "kibana.alert.ancestors.id": [ "WlEgSYIBZ61VHL7LSlxa" ], "kibana.alert.rule.description": [ "descr" ], "system.audit.package.summary": [ "Image processing and image analysis library" ], "kibana.alert.rule.producer": [ "siem" ], "signal.rule.created_by": [ "2448431502" ], "signal.rule.interval": [ "1h" ], "kibana.alert.rule.to": [ "now" ], "kibana.alert.rule.created_by": [ "2448431502" ], "package.type": [ "brew" ], "signal.rule.id": [ "d59e2c00-0f1b-11ed-afce-3b3631753197" ], "signal.reason": [ "package event on MacBook-Pro-de-Gloria.local created low alert test." ], "signal.rule.risk_score": [ 21 ], "host.os.name": [ "macOS" ], "kibana.alert.rule.name": [ "test" ], "host.name": [ "MacBook-Pro-de-Gloria.local" ], "signal.status": [ "open" ], "event.kind": [ "signal" ], "signal.rule.created_at": [ "2022-07-29T08:52:55.050Z" ], "package.version": [ "1.81.1" ], "kibana.alert.workflow_status": [ "open" ], "kibana.alert.rule.uuid": [ "d59e2c00-0f1b-11ed-afce-3b3631753197" ], "kibana.alert.original_event.category": [ "package" ], "kibana.alert.reason": [ "package event on MacBook-Pro-de-Gloria.local created low alert test." 
], "signal.original_time": [ "2022-07-29T08:43:47.832Z" ], "signal.ancestors.id": [ "WlEgSYIBZ61VHL7LSlxa" ], "system.audit.package.entity_id": [ "D8So5r6nJlRQmEda" ], "ecs.version": [ "8.0.0" ], "signal.rule.severity": [ "low" ], "kibana.alert.ancestors.index": [ ".ds-auditbeat-8.3.2-2022.07.29-000001" ], "package.installed": [ "2021-07-01T08:50:45.051Z" ], "kibana.alert.depth": [ 1 ], "agent.version": [ "8.3.2" ], "host.os.family": [ "darwin" ], "kibana.alert.rule.from": [ "now-176400s" ], "kibana.alert.rule.parameters": [ { "severity_mapping": [], "references": [], "threat_language": "kuery", "description": "descr", "language": "kuery", "threat_mapping": [ { "entries": [ { "field": "host.name", "type": "mapping", "value": "indicator1" }, { "field": "host.architecture", "type": "mapping", "value": "indicator2" }, { "field": "host.hostname", "type": "mapping", "value": "indicator3" } ] } ], "type": "threat_match", "threat_filters": [], "exceptions_list": [], "from": "now-176400s", "severity": "low", "max_signals": 100, "risk_score": 21, "risk_score_mapping": [], "author": [], "threat_indicator_path": "threat.indicator", "query": "*:*", "index": [ "apm-*-transaction*", "auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "traces-apm*", "winlogbeat-*", "-*elastic-cloud-logs-*" ], "filters": [], "version": 4, "threat_query": "@timestamp >= \"now-30d/d\"", "rule_id": "79aa78b0-efaa-41b4-9142-d5def5f961f8", "license": "", "required_fields": [], "immutable": false, "related_integrations": [], "threat_index": [ "im" ], "meta": { "from": "48h", "kibana_siem_app_url": "https://im.kb.europe-west1.gcp.cloud.es.io:9243/app/security" }, "setup": "", "false_positives": [], "threat": [], "to": "now" } ], "signal.rule.version": [ "4" ], "signal.original_event.kind": [ "state" ], "system.audit.package.installtime": [ "2021-07-01T08:50:45.051Z" ], "kibana.alert.status": [ "active" ], "signal.depth": [ 1 ], "kibana.alert.original_event.dataset": [ "package" ], 
"signal.rule.immutable": [ "false" ], "host.os.build": [ "21F79" ], "kibana.alert.rule.rule_type_id": [ "siem.indicatorRule" ], "signal.rule.name": [ "test" ], "event.module": [ "system" ], "signal.rule.rule_id": [ "79aa78b0-efaa-41b4-9142-d5def5f961f8" ], "host.os.kernel": [ "21.5.0" ], "kibana.alert.rule.license": [ "" ], "kibana.alert.original_event.kind": [ "state" ], "kibana.alert.rule.updated_at": [ "2022-07-29T08:59:13.930Z" ], "signal.rule.description": [ "descr" ], "message": [ "Package leptonica (1.81.1) is already installed" ], "signal.original_event.action": [ "existing_package" ], "kibana.alert.rule.created_at": [ "2022-07-29T08:52:55.050Z" ], "signal.rule.to": [ "now" ], "event.type": [ "info" ], "package.description": [ "Image processing and image analysis library" ], "kibana.space_ids": [ "default" ], "kibana.alert.rule.meta.from": [ "48h" ], "event.dataset": [ "package" ], "kibana.alert.original_time": [ "2022-07-29T08:43:47.832Z" ] } } ```

Alert mapping ```json { ".internal.alerts-security.alerts-default-000001": { "mappings": { "dynamic": "false", "_meta": { "namespace": "default", "kibana": { "version": "8.3.3" } }, "properties": { "@timestamp": { "type": "date" }, "agent": { "properties": { "build": { "properties": { "original": { "type": "keyword" } } }, "ephemeral_id": { "type": "keyword" }, "id": { "type": "keyword" }, "name": { "type": "keyword" }, "type": { "type": "keyword" }, "version": { "type": "keyword" } } }, "client": { "properties": { "address": { "type": "keyword" }, "as": { "properties": { "number": { "type": "long" }, "organization": { "properties": { "name": { "type": "keyword" } } } } }, "bytes": { "type": "long" }, "domain": { "type": "keyword" }, "geo": { "properties": { "city_name": { "type": "keyword" }, "continent_code": { "type": "keyword" }, "continent_name": { "type": "keyword" }, "country_iso_code": { "type": "keyword" }, "country_name": { "type": "keyword" }, "location": { "type": "geo_point" }, "name": { "type": "keyword" }, "postal_code": { "type": "keyword" }, "region_iso_code": { "type": "keyword" }, "region_name": { "type": "keyword" }, "timezone": { "type": "keyword" } } }, "ip": { "type": "ip" }, "mac": { "type": "keyword" }, "nat": { "properties": { "ip": { "type": "ip" }, "port": { "type": "long" } } }, "packets": { "type": "long" }, "port": { "type": "long" }, "registered_domain": { "type": "keyword" }, "subdomain": { "type": "keyword" }, "top_level_domain": { "type": "keyword" }, "user": { "properties": { "domain": { "type": "keyword" }, "email": { "type": "keyword" }, "full_name": { "type": "keyword" }, "group": { "properties": { "domain": { "type": "keyword" }, "id": { "type": "keyword" }, "name": { "type": "keyword" } } }, "hash": { "type": "keyword" }, "id": { "type": "keyword" }, "name": { "type": "keyword" }, "roles": { "type": "keyword" } } } } }, "cloud": { "properties": { "account": { "properties": { "id": { "type": "keyword" }, "name": { "type": 
"keyword" } } }, "availability_zone": { "type": "keyword" }, "instance": { "properties": { "id": { "type": "keyword" }, "name": { "type": "keyword" } } }, "machine": { "properties": { "type": { "type": "keyword" } } }, "origin": { "properties": { "account": { "properties": { "id": { "type": "keyword" }, "name": { "type": "keyword" } } }, "availability_zone": { "type": "keyword" }, "instance": { "properties": { "id": { "type": "keyword" }, "name": { "type": "keyword" } } }, "machine": { "properties": { "type": { "type": "keyword" } } }, "project": { "properties": { "id": { "type": "keyword" }, "name": { "type": "keyword" } } }, "provider": { "type": "keyword" }, "region": { "type": "keyword" }, "service": { "properties": { "name": { "type": "keyword" } } } } }, "project": { "properties": { "id": { "type": "keyword" }, "name": { "type": "keyword" } } }, "provider": { "type": "keyword" }, "region": { "type": "keyword" }, "service": { "properties": { "name": { "type": "keyword" } } }, "target": { "properties": { "account": { "properties": { "id": { "type": "keyword" }, "name": { "type": "keyword" } } }, "availability_zone": { "type": "keyword" }, "instance": { "properties": { "id": { "type": "keyword" }, "name": { "type": "keyword" } } }, "machine": { "properties": { "type": { "type": "keyword" } } }, "project": { "properties": { "id": { "type": "keyword" }, "name": { "type": "keyword" } } }, "provider": { "type": "keyword" }, "region": { "type": "keyword" }, "service": { "properties": { "name": { "type": "keyword" } } } } } } }, "container": { "properties": { "id": { "type": "keyword" }, "image": { "properties": { "name": { "type": "keyword" }, "tag": { "type": "keyword" } } }, "labels": { "type": "object" }, "name": { "type": "keyword" }, "runtime": { "type": "keyword" } } }, "destination": { "properties": { "address": { "type": "keyword" }, "as": { "properties": { "number": { "type": "long" }, "organization": { "properties": { "name": { "type": "keyword" } } } } }, 
"bytes": { "type": "long" }, "domain": { "type": "keyword" }, "geo": { "properties": { "city_name": { "type": "keyword" }, "continent_code": { "type": "keyword" }, "continent_name": { "type": "keyword" }, "country_iso_code": { "type": "keyword" }, "country_name": { "type": "keyword" }, "location": { "type": "geo_point" }, "name": { "type": "keyword" }, "postal_code": { "type": "keyword" }, "region_iso_code": { "type": "keyword" }, "region_name": { "type": "keyword" }, "timezone": { "type": "keyword" } } }, "ip": { "type": "ip" }, "mac": { "type": "keyword" }, "nat": { "properties": { "ip": { "type": "ip" }, "port": { "type": "long" } } }, "packets": { "type": "long" }, "port": { "type": "long" }, "registered_domain": { "type": "keyword" }, "subdomain": { "type": "keyword" }, "top_level_domain": { "type": "keyword" }, "user": { "properties": { "domain": { "type": "keyword" }, "email": { "type": "keyword" }, "full_name": { "type": "keyword" }, "group": { "properties": { "domain": { "type": "keyword" }, "id": { "type": "keyword" }, "name": { "type": "keyword" } } }, "hash": { "type": "keyword" }, "id": { "type": "keyword" }, "name": { "type": "keyword" }, "roles": { "type": "keyword" } } } } }, "dll": { "properties": { "code_signature": { "properties": { "digest_algorithm": { "type": "keyword" }, "exists": { "type": "boolean" }, "signing_id": { "type": "keyword" }, "status": { "type": "keyword" }, "subject_name": { "type": "keyword" }, "team_id": { "type": "keyword" }, "timestamp": { "type": "date" }, "trusted": { "type": "boolean" }, "valid": { "type": "boolean" } } }, "hash": { "properties": { "md5": { "type": "keyword" }, "sha1": { "type": "keyword" }, "sha256": { "type": "keyword" }, "sha512": { "type": "keyword" }, "ssdeep": { "type": "keyword" } } }, "name": { "type": "keyword" }, "path": { "type": "keyword" }, "pe": { "properties": { "architecture": { "type": "keyword" }, "company": { "type": "keyword" }, "description": { "type": "keyword" }, "file_version": { 
"type": "keyword" }, "imphash": { "type": "keyword" }, "original_file_name": { "type": "keyword" }, "product": { "type": "keyword" } } } } }, "dns": { "properties": { "answers": { "properties": { "class": { "type": "keyword" }, "data": { "type": "keyword" }, "name": { "type": "keyword" }, "ttl": { "type": "long" }, "type": { "type": "keyword" } } }, "header_flags": { "type": "keyword" }, "id": { "type": "keyword" }, "op_code": { "type": "keyword" }, "question": { "properties": { "class": { "type": "keyword" }, "name": { "type": "keyword" }, "registered_domain": { "type": "keyword" }, "subdomain": { "type": "keyword" }, "top_level_domain": { "type": "keyword" }, "type": { "type": "keyword" } } }, "resolved_ip": { "type": "ip" }, "response_code": { "type": "keyword" }, "type": { "type": "keyword" } } }, "ecs": { "properties": { "version": { "type": "keyword" } } }, "error": { "properties": { "code": { "type": "keyword" }, "id": { "type": "keyword" }, "message": { "type": "match_only_text" }, "stack_trace": { "type": "wildcard" }, "type": { "type": "keyword" } } }, "event": { "properties": { "action": { "type": "keyword" }, "agent_id_status": { "type": "keyword" }, "category": { "type": "keyword" }, "code": { "type": "keyword" }, "created": { "type": "date" }, "dataset": { "type": "keyword" }, "duration": { "type": "long" }, "end": { "type": "date" }, "hash": { "type": "keyword" }, "id": { "type": "keyword" }, "ingested": { "type": "date" }, "kind": { "type": "keyword" }, "module": { "type": "keyword" }, "original": { "type": "keyword" }, "outcome": { "type": "keyword" }, "provider": { "type": "keyword" }, "reason": { "type": "keyword" }, "reference": { "type": "keyword" }, "risk_score": { "type": "float" }, "risk_score_norm": { "type": "float" }, "sequence": { "type": "long" }, "severity": { "type": "long" }, "start": { "type": "date" }, "timezone": { "type": "keyword" }, "type": { "type": "keyword" }, "url": { "type": "keyword" } } }, "faas": { "properties": { 
"coldstart": { "type": "boolean" }, "execution": { "type": "keyword" }, "trigger": { "type": "nested", "properties": { "request_id": { "type": "keyword" }, "type": { "type": "keyword" } } } } }, "file": { "properties": { "accessed": { "type": "date" }, "attributes": { "type": "keyword" }, "code_signature": { "properties": { "digest_algorithm": { "type": "keyword" }, "exists": { "type": "boolean" }, "signing_id": { "type": "keyword" }, "status": { "type": "keyword" }, "subject_name": { "type": "keyword" }, "team_id": { "type": "keyword" }, "timestamp": { "type": "date" }, "trusted": { "type": "boolean" }, "valid": { "type": "boolean" } } }, "created": { "type": "date" }, "ctime": { "type": "date" }, "device": { "type": "keyword" }, "directory": { "type": "keyword" }, "drive_letter": { "type": "keyword" }, "elf": { "properties": { "architecture": { "type": "keyword" }, "byte_order": { "type": "keyword" }, "cpu_type": { "type": "keyword" }, "creation_date": { "type": "date" }, "exports": { "type": "flattened" }, "header": { "properties": { "abi_version": { "type": "keyword" }, "class": { "type": "keyword" }, "data": { "type": "keyword" }, "entrypoint": { "type": "long" }, "object_version": { "type": "keyword" }, "os_abi": { "type": "keyword" }, "type": { "type": "keyword" }, "version": { "type": "keyword" } } }, "imports": { "type": "flattened" }, "sections": { "type": "nested", "properties": { "chi2": { "type": "long" }, "entropy": { "type": "long" }, "flags": { "type": "keyword" }, "name": { "type": "keyword" }, "physical_offset": { "type": "keyword" }, "physical_size": { "type": "long" }, "type": { "type": "keyword" }, "virtual_address": { "type": "long" }, "virtual_size": { "type": "long" } } }, "segments": { "type": "nested", "properties": { "sections": { "type": "keyword" }, "type": { "type": "keyword" } } }, "shared_libraries": { "type": "keyword" }, "telfhash": { "type": "keyword" } } }, "extension": { "type": "keyword" }, "fork_name": { "type": "keyword" }, 
"gid": { "type": "keyword" }, "group": { "type": "keyword" }, "hash": { "properties": { "md5": { "type": "keyword" }, "sha1": { "type": "keyword" }, "sha256": { "type": "keyword" }, "sha512": { "type": "keyword" }, "ssdeep": { "type": "keyword" } } }, "inode": { "type": "keyword" }, "mime_type": { "type": "keyword" }, "mode": { "type": "keyword" }, "mtime": { "type": "date" }, "name": { "type": "keyword" }, "owner": { "type": "keyword" }, "path": { "type": "keyword" }, "pe": { "properties": { "architecture": { "type": "keyword" }, "company": { "type": "keyword" }, "description": { "type": "keyword" }, "file_version": { "type": "keyword" }, "imphash": { "type": "keyword" }, "original_file_name": { "type": "keyword" }, "product": { "type": "keyword" } } }, "size": { "type": "long" }, "target_path": { "type": "keyword" }, "type": { "type": "keyword" }, "uid": { "type": "keyword" }, "x509": { "properties": { "alternative_names": { "type": "keyword" }, "issuer": { "properties": { "common_name": { "type": "keyword" }, "country": { "type": "keyword" }, "distinguished_name": { "type": "keyword" }, "locality": { "type": "keyword" }, "organization": { "type": "keyword" }, "organizational_unit": { "type": "keyword" }, "state_or_province": { "type": "keyword" } } }, "not_after": { "type": "date" }, "not_before": { "type": "date" }, "public_key_algorithm": { "type": "keyword" }, "public_key_curve": { "type": "keyword" }, "public_key_exponent": { "type": "long" }, "public_key_size": { "type": "long" }, "serial_number": { "type": "keyword" }, "signature_algorithm": { "type": "keyword" }, "subject": { "properties": { "common_name": { "type": "keyword" }, "country": { "type": "keyword" }, "distinguished_name": { "type": "keyword" }, "locality": { "type": "keyword" }, "organization": { "type": "keyword" }, "organizational_unit": { "type": "keyword" }, "state_or_province": { "type": "keyword" } } }, "version_number": { "type": "keyword" } } } } }, "group": { "properties": { "domain": 
{ "type": "keyword" }, "id": { "type": "keyword" }, "name": { "type": "keyword" } } }, "host": { "properties": { "architecture": { "type": "keyword" }, "cpu": { "properties": { "usage": { "type": "scaled_float", "scaling_factor": 1000 } } }, "disk": { "properties": { "read": { "properties": { "bytes": { "type": "long" } } }, "write": { "properties": { "bytes": { "type": "long" } } } } }, "domain": { "type": "keyword" }, "geo": { "properties": { "city_name": { "type": "keyword" }, "continent_code": { "type": "keyword" }, "continent_name": { "type": "keyword" }, "country_iso_code": { "type": "keyword" }, "country_name": { "type": "keyword" }, "location": { "type": "geo_point" }, "name": { "type": "keyword" }, "postal_code": { "type": "keyword" }, "region_iso_code": { "type": "keyword" }, "region_name": { "type": "keyword" }, "timezone": { "type": "keyword" } } }, "hostname": { "type": "keyword" }, "id": { "type": "keyword" }, "ip": { "type": "ip" }, "mac": { "type": "keyword" }, "name": { "type": "keyword" }, "network": { "properties": { "egress": { "properties": { "bytes": { "type": "long" }, "packets": { "type": "long" } } }, "ingress": { "properties": { "bytes": { "type": "long" }, "packets": { "type": "long" } } } } }, "os": { "properties": { "family": { "type": "keyword" }, "full": { "type": "keyword" }, "kernel": { "type": "keyword" }, "name": { "type": "keyword" }, "platform": { "type": "keyword" }, "type": { "type": "keyword" }, "version": { "type": "keyword" } } }, "type": { "type": "keyword" }, "uptime": { "type": "long" } } }, "http": { "properties": { "request": { "properties": { "body": { "properties": { "bytes": { "type": "long" }, "content": { "type": "wildcard" } } }, "bytes": { "type": "long" }, "id": { "type": "keyword" }, "method": { "type": "keyword" }, "mime_type": { "type": "keyword" }, "referrer": { "type": "keyword" } } }, "response": { "properties": { "body": { "properties": { "bytes": { "type": "long" }, "content": { "type": "wildcard" } } 
}, "bytes": { "type": "long" }, "mime_type": { "type": "keyword" }, "status_code": { "type": "long" } } }, "version": { "type": "keyword" } } }, "kibana": { "properties": { "alert": { "properties": { "action_group": { "type": "keyword" }, "ancestors": { "properties": { "depth": { "type": "long" }, "id": { "type": "keyword" }, "index": { "type": "keyword" }, "rule": { "type": "keyword" }, "type": { "type": "keyword" } } }, "building_block_type": { "type": "keyword" }, "depth": { "type": "long" }, "duration": { "properties": { "us": { "type": "long" } } }, "end": { "type": "date" }, "group": { "properties": { "id": { "type": "keyword" }, "index": { "type": "integer" } } }, "original_event": { "properties": { "action": { "type": "keyword" }, "agent_id_status": { "type": "keyword" }, "category": { "type": "keyword" }, "code": { "type": "keyword" }, "created": { "type": "date" }, "dataset": { "type": "keyword" }, "duration": { "type": "keyword" }, "end": { "type": "date" }, "hash": { "type": "keyword" }, "id": { "type": "keyword" }, "ingested": { "type": "date" }, "kind": { "type": "keyword" }, "module": { "type": "keyword" }, "original": { "type": "keyword" }, "outcome": { "type": "keyword" }, "provider": { "type": "keyword" }, "reason": { "type": "keyword" }, "reference": { "type": "keyword" }, "risk_score": { "type": "float" }, "risk_score_norm": { "type": "float" }, "sequence": { "type": "long" }, "severity": { "type": "long" }, "start": { "type": "date" }, "timezone": { "type": "keyword" }, "type": { "type": "keyword" }, "url": { "type": "keyword" } } }, "original_time": { "type": "date" }, "reason": { "type": "keyword" }, "risk_score": { "type": "float" }, "rule": { "properties": { "author": { "type": "keyword" }, "building_block_type": { "type": "keyword" }, "category": { "type": "keyword" }, "consumer": { "type": "keyword" }, "created_at": { "type": "date" }, "created_by": { "type": "keyword" }, "description": { "type": "keyword" }, "enabled": { "type": 
"keyword" }, "exceptions_list": { "type": "object" }, "execution": { "properties": { "uuid": { "type": "keyword" } } }, "false_positives": { "type": "keyword" }, "from": { "type": "keyword" }, "immutable": { "type": "keyword" }, "interval": { "type": "keyword" }, "license": { "type": "keyword" }, "max_signals": { "type": "long" }, "name": { "type": "keyword" }, "note": { "type": "keyword" }, "parameters": { "type": "flattened", "ignore_above": 4096 }, "producer": { "type": "keyword" }, "references": { "type": "keyword" }, "rule_id": { "type": "keyword" }, "rule_name_override": { "type": "keyword" }, "rule_type_id": { "type": "keyword" }, "tags": { "type": "keyword" }, "threat": { "properties": { "framework": { "type": "keyword" }, "tactic": { "properties": { "id": { "type": "keyword" }, "name": { "type": "keyword" }, "reference": { "type": "keyword" } } }, "technique": { "properties": { "id": { "type": "keyword" }, "name": { "type": "keyword" }, "reference": { "type": "keyword" }, "subtechnique": { "properties": { "id": { "type": "keyword" }, "name": { "type": "keyword" }, "reference": { "type": "keyword" } } } } } } }, "timeline_id": { "type": "keyword" }, "timeline_title": { "type": "keyword" }, "timestamp_override": { "type": "keyword" }, "to": { "type": "keyword" }, "type": { "type": "keyword" }, "updated_at": { "type": "date" }, "updated_by": { "type": "keyword" }, "uuid": { "type": "keyword" }, "version": { "type": "keyword" } } }, "severity": { "type": "keyword" }, "start": { "type": "date" }, "status": { "type": "keyword" }, "system_status": { "type": "keyword" }, "threshold_result": { "properties": { "cardinality": { "properties": { "field": { "type": "keyword" }, "value": { "type": "long" } } }, "count": { "type": "long" }, "from": { "type": "date" }, "terms": { "properties": { "field": { "type": "keyword" }, "value": { "type": "keyword" } } } } }, "uuid": { "type": "keyword" }, "workflow_reason": { "type": "keyword" }, "workflow_status": { "type": 
"keyword" }, "workflow_user": { "type": "keyword" } } }, "space_ids": { "type": "keyword" }, "version": { "type": "version" } } }, "labels": { "type": "object" }, "log": { "properties": { "file": { "properties": { "path": { "type": "keyword" } } }, "level": { "type": "keyword" }, "logger": { "type": "keyword" }, "origin": { "properties": { "file": { "properties": { "line": { "type": "long" }, "name": { "type": "keyword" } } }, "function": { "type": "keyword" } } }, "syslog": { "properties": { "facility": { "properties": { "code": { "type": "long" }, "name": { "type": "keyword" } } }, "priority": { "type": "long" }, "severity": { "properties": { "code": { "type": "long" }, "name": { "type": "keyword" } } } } } } }, "message": { "type": "match_only_text" }, "network": { "properties": { "application": { "type": "keyword" }, "bytes": { "type": "long" }, "community_id": { "type": "keyword" }, "direction": { "type": "keyword" }, "forwarded_ip": { "type": "ip" }, "iana_number": { "type": "keyword" }, "inner": { "properties": { "vlan": { "properties": { "id": { "type": "keyword" }, "name": { "type": "keyword" } } } } }, "name": { "type": "keyword" }, "packets": { "type": "long" }, "protocol": { "type": "keyword" }, "transport": { "type": "keyword" }, "type": { "type": "keyword" }, "vlan": { "properties": { "id": { "type": "keyword" }, "name": { "type": "keyword" } } } } }, "observer": { "properties": { "egress": { "properties": { "interface": { "properties": { "alias": { "type": "keyword" }, "id": { "type": "keyword" }, "name": { "type": "keyword" } } }, "vlan": { "properties": { "id": { "type": "keyword" }, "name": { "type": "keyword" } } }, "zone": { "type": "keyword" } } }, "geo": { "properties": { "city_name": { "type": "keyword" }, "continent_code": { "type": "keyword" }, "continent_name": { "type": "keyword" }, "country_iso_code": { "type": "keyword" }, "country_name": { "type": "keyword" }, "location": { "type": "geo_point" }, "name": { "type": "keyword" }, 
"postal_code": { "type": "keyword" }, "region_iso_code": { "type": "keyword" }, "region_name": { "type": "keyword" }, "timezone": { "type": "keyword" } } }, "hostname": { "type": "keyword" }, "ingress": { "properties": { "interface": { "properties": { "alias": { "type": "keyword" }, "id": { "type": "keyword" }, "name": { "type": "keyword" } } }, "vlan": { "properties": { "id": { "type": "keyword" }, "name": { "type": "keyword" } } }, "zone": { "type": "keyword" } } }, "ip": { "type": "ip" }, "mac": { "type": "keyword" }, "name": { "type": "keyword" }, "os": { "properties": { "family": { "type": "keyword" }, "full": { "type": "keyword" }, "kernel": { "type": "keyword" }, "name": { "type": "keyword" }, "platform": { "type": "keyword" }, "type": { "type": "keyword" }, "version": { "type": "keyword" } } }, "product": { "type": "keyword" }, "serial_number": { "type": "keyword" }, "type": { "type": "keyword" }, "vendor": { "type": "keyword" }, "version": { "type": "keyword" } } }, "orchestrator": { "properties": { "api_version": { "type": "keyword" }, "cluster": { "properties": { "name": { "type": "keyword" }, "url": { "type": "keyword" }, "version": { "type": "keyword" } } }, "namespace": { "type": "keyword" }, "organization": { "type": "keyword" }, "resource": { "properties": { "name": { "type": "keyword" }, "type": { "type": "keyword" } } }, "type": { "type": "keyword" } } }, "organization": { "properties": { "id": { "type": "keyword" }, "name": { "type": "keyword" } } }, "package": { "properties": { "architecture": { "type": "keyword" }, "build_version": { "type": "keyword" }, "checksum": { "type": "keyword" }, "description": { "type": "keyword" }, "install_scope": { "type": "keyword" }, "installed": { "type": "date" }, "license": { "type": "keyword" }, "name": { "type": "keyword" }, "path": { "type": "keyword" }, "reference": { "type": "keyword" }, "size": { "type": "long" }, "type": { "type": "keyword" }, "version": { "type": "keyword" } } }, "process": { 
"properties": { "args": { "type": "keyword" }, "args_count": { "type": "long" }, "code_signature": { "properties": { "digest_algorithm": { "type": "keyword" }, "exists": { "type": "boolean" }, "signing_id": { "type": "keyword" }, "status": { "type": "keyword" }, "subject_name": { "type": "keyword" }, "team_id": { "type": "keyword" }, "timestamp": { "type": "date" }, "trusted": { "type": "boolean" }, "valid": { "type": "boolean" } } }, "command_line": { "type": "wildcard" }, "elf": { "properties": { "architecture": { "type": "keyword" }, "byte_order": { "type": "keyword" }, "cpu_type": { "type": "keyword" }, "creation_date": { "type": "date" }, "exports": { "type": "flattened" }, "header": { "properties": { "abi_version": { "type": "keyword" }, "class": { "type": "keyword" }, "data": { "type": "keyword" }, "entrypoint": { "type": "long" }, "object_version": { "type": "keyword" }, "os_abi": { "type": "keyword" }, "type": { "type": "keyword" }, "version": { "type": "keyword" } } }, "imports": { "type": "flattened" }, "sections": { "type": "nested", "properties": { "chi2": { "type": "long" }, "entropy": { "type": "long" }, "flags": { "type": "keyword" }, "name": { "type": "keyword" }, "physical_offset": { "type": "keyword" }, "physical_size": { "type": "long" }, "type": { "type": "keyword" }, "virtual_address": { "type": "long" }, "virtual_size": { "type": "long" } } }, "segments": { "type": "nested", "properties": { "sections": { "type": "keyword" }, "type": { "type": "keyword" } } }, "shared_libraries": { "type": "keyword" }, "telfhash": { "type": "keyword" } } }, "end": { "type": "date" }, "entity_id": { "type": "keyword" }, "entry_leader": { "properties": { "entity_id": { "type": "keyword" } } }, "executable": { "type": "keyword" }, "exit_code": { "type": "long" }, "hash": { "properties": { "md5": { "type": "keyword" }, "sha1": { "type": "keyword" }, "sha256": { "type": "keyword" }, "sha512": { "type": "keyword" }, "ssdeep": { "type": "keyword" } } }, "name": { 
"type": "keyword" }, "parent": { "properties": { "args": { "type": "keyword" }, "args_count": { "type": "long" }, "code_signature": { "properties": { "digest_algorithm": { "type": "keyword" }, "exists": { "type": "boolean" }, "signing_id": { "type": "keyword" }, "status": { "type": "keyword" }, "subject_name": { "type": "keyword" }, "team_id": { "type": "keyword" }, "timestamp": { "type": "date" }, "trusted": { "type": "boolean" }, "valid": { "type": "boolean" } } }, "command_line": { "type": "wildcard" }, "elf": { "properties": { "architecture": { "type": "keyword" }, "byte_order": { "type": "keyword" }, "cpu_type": { "type": "keyword" }, "creation_date": { "type": "date" }, "exports": { "type": "flattened" }, "header": { "properties": { "abi_version": { "type": "keyword" }, "class": { "type": "keyword" }, "data": { "type": "keyword" }, "entrypoint": { "type": "long" }, "object_version": { "type": "keyword" }, "os_abi": { "type": "keyword" }, "type": { "type": "keyword" }, "version": { "type": "keyword" } } }, "imports": { "type": "flattened" }, "sections": { "type": "nested", "properties": { "chi2": { "type": "long" }, "entropy": { "type": "long" }, "flags": { "type": "keyword" }, "name": { "type": "keyword" }, "physical_offset": { "type": "keyword" }, "physical_size": { "type": "long" }, "type": { "type": "keyword" }, "virtual_address": { "type": "long" }, "virtual_size": { "type": "long" } } }, "segments": { "type": "nested", "properties": { "sections": { "type": "keyword" }, "type": { "type": "keyword" } } }, "shared_libraries": { "type": "keyword" }, "telfhash": { "type": "keyword" } } }, "end": { "type": "date" }, "entity_id": { "type": "keyword" }, "executable": { "type": "keyword" }, "exit_code": { "type": "long" }, "hash": { "properties": { "md5": { "type": "keyword" }, "sha1": { "type": "keyword" }, "sha256": { "type": "keyword" }, "sha512": { "type": "keyword" }, "ssdeep": { "type": "keyword" } } }, "name": { "type": "keyword" }, "pe": { "properties": { 
"architecture": { "type": "keyword" }, "company": { "type": "keyword" }, "description": { "type": "keyword" }, "file_version": { "type": "keyword" }, "imphash": { "type": "keyword" }, "original_file_name": { "type": "keyword" }, "product": { "type": "keyword" } } }, "pgid": { "type": "long" }, "pid": { "type": "long" }, "start": { "type": "date" }, "thread": { "properties": { "id": { "type": "long" }, "name": { "type": "keyword" } } }, "title": { "type": "keyword" }, "uptime": { "type": "long" }, "working_directory": { "type": "keyword" } } }, "pe": { "properties": { "architecture": { "type": "keyword" }, "company": { "type": "keyword" }, "description": { "type": "keyword" }, "file_version": { "type": "keyword" }, "imphash": { "type": "keyword" }, "original_file_name": { "type": "keyword" }, "product": { "type": "keyword" } } }, "pgid": { "type": "long" }, "pid": { "type": "long" }, "session_leader": { "properties": { "entity_id": { "type": "keyword" } } }, "start": { "type": "date" }, "thread": { "properties": { "id": { "type": "long" }, "name": { "type": "keyword" } } }, "title": { "type": "keyword" }, "uptime": { "type": "long" }, "working_directory": { "type": "keyword" } } }, "registry": { "properties": { "data": { "properties": { "bytes": { "type": "keyword" }, "strings": { "type": "wildcard" }, "type": { "type": "keyword" } } }, "hive": { "type": "keyword" }, "key": { "type": "keyword" }, "path": { "type": "keyword" }, "value": { "type": "keyword" } } }, "related": { "properties": { "hash": { "type": "keyword" }, "hosts": { "type": "keyword" }, "ip": { "type": "ip" }, "user": { "type": "keyword" } } }, "rule": { "properties": { "author": { "type": "keyword" }, "category": { "type": "keyword" }, "description": { "type": "keyword" }, "id": { "type": "keyword" }, "license": { "type": "keyword" }, "name": { "type": "keyword" }, "reference": { "type": "keyword" }, "ruleset": { "type": "keyword" }, "uuid": { "type": "keyword" }, "version": { "type": "keyword" } } 
}, "server": { "properties": { "address": { "type": "keyword" }, "as": { "properties": { "number": { "type": "long" }, "organization": { "properties": { "name": { "type": "keyword" } } } } }, "bytes": { "type": "long" }, "domain": { "type": "keyword" }, "geo": { "properties": { "city_name": { "type": "keyword" }, "continent_code": { "type": "keyword" }, "continent_name": { "type": "keyword" }, "country_iso_code": { "type": "keyword" }, "country_name": { "type": "keyword" }, "location": { "type": "geo_point" }, "name": { "type": "keyword" }, "postal_code": { "type": "keyword" }, "region_iso_code": { "type": "keyword" }, "region_name": { "type": "keyword" }, "timezone": { "type": "keyword" } } }, "ip": { "type": "ip" }, "mac": { "type": "keyword" }, "nat": { "properties": { "ip": { "type": "ip" }, "port": { "type": "long" } } }, "packets": { "type": "long" }, "port": { "type": "long" }, "registered_domain": { "type": "keyword" }, "subdomain": { "type": "keyword" }, "top_level_domain": { "type": "keyword" }, "user": { "properties": { "domain": { "type": "keyword" }, "email": { "type": "keyword" }, "full_name": { "type": "keyword" }, "group": { "properties": { "domain": { "type": "keyword" }, "id": { "type": "keyword" }, "name": { "type": "keyword" } } }, "hash": { "type": "keyword" }, "id": { "type": "keyword" }, "name": { "type": "keyword" }, "roles": { "type": "keyword" } } } } }, "service": { "properties": { "address": { "type": "keyword" }, "environment": { "type": "keyword" }, "ephemeral_id": { "type": "keyword" }, "id": { "type": "keyword" }, "name": { "type": "keyword" }, "node": { "properties": { "name": { "type": "keyword" } } }, "origin": { "properties": { "address": { "type": "keyword" }, "environment": { "type": "keyword" }, "ephemeral_id": { "type": "keyword" }, "id": { "type": "keyword" }, "name": { "type": "keyword" }, "node": { "properties": { "name": { "type": "keyword" } } }, "state": { "type": "keyword" }, "type": { "type": "keyword" }, "version": { 
"type": "keyword" } } }, "state": { "type": "keyword" }, "target": { "properties": { "address": { "type": "keyword" }, "environment": { "type": "keyword" }, "ephemeral_id": { "type": "keyword" }, "id": { "type": "keyword" }, "name": { "type": "keyword" }, "node": { "properties": { "name": { "type": "keyword" } } }, "state": { "type": "keyword" }, "type": { "type": "keyword" }, "version": { "type": "keyword" } } }, "type": { "type": "keyword" }, "version": { "type": "keyword" } } }, "signal": { "properties": { "ancestors": { "properties": { "depth": { "type": "alias", "path": "kibana.alert.ancestors.depth" }, "id": { "type": "alias", "path": "kibana.alert.ancestors.id" }, "index": { "type": "alias", "path": "kibana.alert.ancestors.index" }, "type": { "type": "alias", "path": "kibana.alert.ancestors.type" } } }, "depth": { "type": "alias", "path": "kibana.alert.depth" }, "group": { "properties": { "id": { "type": "alias", "path": "kibana.alert.group.id" }, "index": { "type": "alias", "path": "kibana.alert.group.index" } } }, "original_event": { "properties": { "action": { "type": "alias", "path": "kibana.alert.original_event.action" }, "category": { "type": "alias", "path": "kibana.alert.original_event.category" }, "code": { "type": "alias", "path": "kibana.alert.original_event.code" }, "created": { "type": "alias", "path": "kibana.alert.original_event.created" }, "dataset": { "type": "alias", "path": "kibana.alert.original_event.dataset" }, "duration": { "type": "alias", "path": "kibana.alert.original_event.duration" }, "end": { "type": "alias", "path": "kibana.alert.original_event.end" }, "hash": { "type": "alias", "path": "kibana.alert.original_event.hash" }, "id": { "type": "alias", "path": "kibana.alert.original_event.id" }, "kind": { "type": "alias", "path": "kibana.alert.original_event.kind" }, "module": { "type": "alias", "path": "kibana.alert.original_event.module" }, "outcome": { "type": "alias", "path": "kibana.alert.original_event.outcome" }, "provider": 
{ "type": "alias", "path": "kibana.alert.original_event.provider" }, "reason": { "type": "alias", "path": "kibana.alert.original_event.reason" }, "risk_score": { "type": "alias", "path": "kibana.alert.original_event.risk_score" }, "risk_score_norm": { "type": "alias", "path": "kibana.alert.original_event.risk_score_norm" }, "sequence": { "type": "alias", "path": "kibana.alert.original_event.sequence" }, "severity": { "type": "alias", "path": "kibana.alert.original_event.severity" }, "start": { "type": "alias", "path": "kibana.alert.original_event.start" }, "timezone": { "type": "alias", "path": "kibana.alert.original_event.timezone" }, "type": { "type": "alias", "path": "kibana.alert.original_event.type" } } }, "original_time": { "type": "alias", "path": "kibana.alert.original_time" }, "reason": { "type": "alias", "path": "kibana.alert.reason" }, "rule": { "properties": { "author": { "type": "alias", "path": "kibana.alert.rule.author" }, "building_block_type": { "type": "alias", "path": "kibana.alert.building_block_type" }, "created_at": { "type": "alias", "path": "kibana.alert.rule.created_at" }, "created_by": { "type": "alias", "path": "kibana.alert.rule.created_by" }, "description": { "type": "alias", "path": "kibana.alert.rule.description" }, "enabled": { "type": "alias", "path": "kibana.alert.rule.enabled" }, "false_positives": { "type": "alias", "path": "kibana.alert.rule.false_positives" }, "from": { "type": "alias", "path": "kibana.alert.rule.from" }, "id": { "type": "alias", "path": "kibana.alert.rule.uuid" }, "immutable": { "type": "alias", "path": "kibana.alert.rule.immutable" }, "interval": { "type": "alias", "path": "kibana.alert.rule.interval" }, "license": { "type": "alias", "path": "kibana.alert.rule.license" }, "max_signals": { "type": "alias", "path": "kibana.alert.rule.max_signals" }, "name": { "type": "alias", "path": "kibana.alert.rule.name" }, "note": { "type": "alias", "path": "kibana.alert.rule.note" }, "references": { "type": "alias", 
"path": "kibana.alert.rule.references" }, "risk_score": { "type": "alias", "path": "kibana.alert.risk_score" }, "rule_id": { "type": "alias", "path": "kibana.alert.rule.rule_id" }, "rule_name_override": { "type": "alias", "path": "kibana.alert.rule.rule_name_override" }, "severity": { "type": "alias", "path": "kibana.alert.severity" }, "tags": { "type": "alias", "path": "kibana.alert.rule.tags" }, "threat": { "properties": { "framework": { "type": "alias", "path": "kibana.alert.rule.threat.framework" }, "tactic": { "properties": { "id": { "type": "alias", "path": "kibana.alert.rule.threat.tactic.id" }, "name": { "type": "alias", "path": "kibana.alert.rule.threat.tactic.name" }, "reference": { "type": "alias", "path": "kibana.alert.rule.threat.tactic.reference" } } }, "technique": { "properties": { "id": { "type": "alias", "path": "kibana.alert.rule.threat.technique.id" }, "name": { "type": "alias", "path": "kibana.alert.rule.threat.technique.name" }, "reference": { "type": "alias", "path": "kibana.alert.rule.threat.technique.reference" }, "subtechnique": { "properties": { "id": { "type": "alias", "path": "kibana.alert.rule.threat.technique.subtechnique.id" }, "name": { "type": "alias", "path": "kibana.alert.rule.threat.technique.subtechnique.name" }, "reference": { "type": "alias", "path": "kibana.alert.rule.threat.technique.subtechnique.reference" } } } } } } }, "timeline_id": { "type": "alias", "path": "kibana.alert.rule.timeline_id" }, "timeline_title": { "type": "alias", "path": "kibana.alert.rule.timeline_title" }, "timestamp_override": { "type": "alias", "path": "kibana.alert.rule.timestamp_override" }, "to": { "type": "alias", "path": "kibana.alert.rule.to" }, "type": { "type": "alias", "path": "kibana.alert.rule.type" }, "updated_at": { "type": "alias", "path": "kibana.alert.rule.updated_at" }, "updated_by": { "type": "alias", "path": "kibana.alert.rule.updated_by" }, "version": { "type": "alias", "path": "kibana.alert.rule.version" } } }, "status": { 
"type": "alias", "path": "kibana.alert.workflow_status" }, "threshold_result": { "properties": { "cardinality": { "properties": { "field": { "type": "alias", "path": "kibana.alert.threshold_result.cardinality.field" }, "value": { "type": "alias", "path": "kibana.alert.threshold_result.cardinality.value" } } }, "count": { "type": "alias", "path": "kibana.alert.threshold_result.count" }, "from": { "type": "alias", "path": "kibana.alert.threshold_result.from" }, "terms": { "properties": { "field": { "type": "alias", "path": "kibana.alert.threshold_result.terms.field" }, "value": { "type": "alias", "path": "kibana.alert.threshold_result.terms.value" } } } } } } }, "source": { "properties": { "address": { "type": "keyword" }, "as": { "properties": { "number": { "type": "long" }, "organization": { "properties": { "name": { "type": "keyword" } } } } }, "bytes": { "type": "long" }, "domain": { "type": "keyword" }, "geo": { "properties": { "city_name": { "type": "keyword" }, "continent_code": { "type": "keyword" }, "continent_name": { "type": "keyword" }, "country_iso_code": { "type": "keyword" }, "country_name": { "type": "keyword" }, "location": { "type": "geo_point" }, "name": { "type": "keyword" }, "postal_code": { "type": "keyword" }, "region_iso_code": { "type": "keyword" }, "region_name": { "type": "keyword" }, "timezone": { "type": "keyword" } } }, "ip": { "type": "ip" }, "mac": { "type": "keyword" }, "nat": { "properties": { "ip": { "type": "ip" }, "port": { "type": "long" } } }, "packets": { "type": "long" }, "port": { "type": "long" }, "registered_domain": { "type": "keyword" }, "subdomain": { "type": "keyword" }, "top_level_domain": { "type": "keyword" }, "user": { "properties": { "domain": { "type": "keyword" }, "email": { "type": "keyword" }, "full_name": { "type": "keyword" }, "group": { "properties": { "domain": { "type": "keyword" }, "id": { "type": "keyword" }, "name": { "type": "keyword" } } }, "hash": { "type": "keyword" }, "id": { "type": "keyword" }, 
"name": { "type": "keyword" }, "roles": { "type": "keyword" } } } } }, "span": { "properties": { "id": { "type": "keyword" } } }, "tags": { "type": "keyword" }, "threat": { "properties": { "enrichments": { "type": "nested", "properties": { "indicator": { "properties": { "as": { "properties": { "number": { "type": "long" }, "organization": { "properties": { "name": { "type": "keyword" } } } } }, "confidence": { "type": "keyword" }, "description": { "type": "keyword" }, "email": { "properties": { "address": { "type": "keyword" } } }, "file": { "properties": { "accessed": { "type": "date" }, "attributes": { "type": "keyword" }, "code_signature": { "properties": { "digest_algorithm": { "type": "keyword" }, "exists": { "type": "boolean" }, "signing_id": { "type": "keyword" }, "status": { "type": "keyword" }, "subject_name": { "type": "keyword" }, "team_id": { "type": "keyword" }, "timestamp": { "type": "date" }, "trusted": { "type": "boolean" }, "valid": { "type": "boolean" } } }, "created": { "type": "date" }, "ctime": { "type": "date" }, "device": { "type": "keyword" }, "directory": { "type": "keyword" }, "drive_letter": { "type": "keyword" }, "elf": { "properties": { "architecture": { "type": "keyword" }, "byte_order": { "type": "keyword" }, "cpu_type": { "type": "keyword" }, "creation_date": { "type": "date" }, "exports": { "type": "flattened" }, "header": { "properties": { "abi_version": { "type": "keyword" }, "class": { "type": "keyword" }, "data": { "type": "keyword" }, "entrypoint": { "type": "long" }, "object_version": { "type": "keyword" }, "os_abi": { "type": "keyword" }, "type": { "type": "keyword" }, "version": { "type": "keyword" } } }, "imports": { "type": "flattened" }, "sections": { "type": "nested", "properties": { "chi2": { "type": "long" }, "entropy": { "type": "long" }, "flags": { "type": "keyword" }, "name": { "type": "keyword" }, "physical_offset": { "type": "keyword" }, "physical_size": { "type": "long" }, "type": { "type": "keyword" }, 
"virtual_address": { "type": "long" }, "virtual_size": { "type": "long" } } }, "segments": { "type": "nested", "properties": { "sections": { "type": "keyword" }, "type": { "type": "keyword" } } }, "shared_libraries": { "type": "keyword" }, "telfhash": { "type": "keyword" } } }, "extension": { "type": "keyword" }, "fork_name": { "type": "keyword" }, "gid": { "type": "keyword" }, "group": { "type": "keyword" }, "hash": { "properties": { "md5": { "type": "keyword" }, "sha1": { "type": "keyword" }, "sha256": { "type": "keyword" }, "sha512": { "type": "keyword" }, "ssdeep": { "type": "keyword" } } }, "inode": { "type": "keyword" }, "mime_type": { "type": "keyword" }, "mode": { "type": "keyword" }, "mtime": { "type": "date" }, "name": { "type": "keyword" }, "owner": { "type": "keyword" }, "path": { "type": "keyword" }, "pe": { "properties": { "architecture": { "type": "keyword" }, "company": { "type": "keyword" }, "description": { "type": "keyword" }, "file_version": { "type": "keyword" }, "imphash": { "type": "keyword" }, "original_file_name": { "type": "keyword" }, "product": { "type": "keyword" } } }, "size": { "type": "long" }, "target_path": { "type": "keyword" }, "type": { "type": "keyword" }, "uid": { "type": "keyword" }, "x509": { "properties": { "alternative_names": { "type": "keyword" }, "issuer": { "properties": { "common_name": { "type": "keyword" }, "country": { "type": "keyword" }, "distinguished_name": { "type": "keyword" }, "locality": { "type": "keyword" }, "organization": { "type": "keyword" }, "organizational_unit": { "type": "keyword" }, "state_or_province": { "type": "keyword" } } }, "not_after": { "type": "date" }, "not_before": { "type": "date" }, "public_key_algorithm": { "type": "keyword" }, "public_key_curve": { "type": "keyword" }, "public_key_exponent": { "type": "long" }, "public_key_size": { "type": "long" }, "serial_number": { "type": "keyword" }, "signature_algorithm": { "type": "keyword" }, "subject": { "properties": { "common_name": { 
"type": "keyword" }, "country": { "type": "keyword" }, "distinguished_name": { "type": "keyword" }, "locality": { "type": "keyword" }, "organization": { "type": "keyword" }, "organizational_unit": { "type": "keyword" }, "state_or_province": { "type": "keyword" } } }, "version_number": { "type": "keyword" } } } } }, "first_seen": { "type": "date" }, "geo": { "properties": { "city_name": { "type": "keyword" }, "continent_code": { "type": "keyword" }, "continent_name": { "type": "keyword" }, "country_iso_code": { "type": "keyword" }, "country_name": { "type": "keyword" }, "location": { "type": "geo_point" }, "name": { "type": "keyword" }, "postal_code": { "type": "keyword" }, "region_iso_code": { "type": "keyword" }, "region_name": { "type": "keyword" }, "timezone": { "type": "keyword" } } }, "ip": { "type": "ip" }, "last_seen": { "type": "date" }, "marking": { "properties": { "tlp": { "type": "keyword" } } }, "modified_at": { "type": "date" }, "port": { "type": "long" }, "provider": { "type": "keyword" }, "reference": { "type": "keyword" }, "registry": { "properties": { "data": { "properties": { "bytes": { "type": "keyword" }, "strings": { "type": "wildcard" }, "type": { "type": "keyword" } } }, "hive": { "type": "keyword" }, "key": { "type": "keyword" }, "path": { "type": "keyword" }, "value": { "type": "keyword" } } }, "scanner_stats": { "type": "long" }, "sightings": { "type": "long" }, "type": { "type": "keyword" }, "url": { "properties": { "domain": { "type": "keyword" }, "extension": { "type": "keyword" }, "fragment": { "type": "keyword" }, "full": { "type": "wildcard" }, "original": { "type": "wildcard" }, "password": { "type": "keyword" }, "path": { "type": "wildcard" }, "port": { "type": "long" }, "query": { "type": "keyword" }, "registered_domain": { "type": "keyword" }, "scheme": { "type": "keyword" }, "subdomain": { "type": "keyword" }, "top_level_domain": { "type": "keyword" }, "username": { "type": "keyword" } } }, "x509": { "properties": { 
"alternative_names": { "type": "keyword" }, "issuer": { "properties": { "common_name": { "type": "keyword" }, "country": { "type": "keyword" }, "distinguished_name": { "type": "keyword" }, "locality": { "type": "keyword" }, "organization": { "type": "keyword" }, "organizational_unit": { "type": "keyword" }, "state_or_province": { "type": "keyword" } } }, "not_after": { "type": "date" }, "not_before": { "type": "date" }, "public_key_algorithm": { "type": "keyword" }, "public_key_curve": { "type": "keyword" }, "public_key_exponent": { "type": "long" }, "public_key_size": { "type": "long" }, "serial_number": { "type": "keyword" }, "signature_algorithm": { "type": "keyword" }, "subject": { "properties": { "common_name": { "type": "keyword" }, "country": { "type": "keyword" }, "distinguished_name": { "type": "keyword" }, "locality": { "type": "keyword" }, "organization": { "type": "keyword" }, "organizational_unit": { "type": "keyword" }, "state_or_province": { "type": "keyword" } } }, "version_number": { "type": "keyword" } } } } }, "matched": { "properties": { "atomic": { "type": "keyword" }, "field": { "type": "keyword" }, "id": { "type": "keyword" }, "index": { "type": "keyword" }, "type": { "type": "keyword" } } } } }, "framework": { "type": "keyword" }, "group": { "properties": { "alias": { "type": "keyword" }, "id": { "type": "keyword" }, "name": { "type": "keyword" }, "reference": { "type": "keyword" } } }, "indicator": { "properties": { "as": { "properties": { "number": { "type": "long" }, "organization": { "properties": { "name": { "type": "keyword" } } } } }, "confidence": { "type": "keyword" }, "description": { "type": "keyword" }, "email": { "properties": { "address": { "type": "keyword" } } }, "file": { "properties": { "accessed": { "type": "date" }, "attributes": { "type": "keyword" }, "code_signature": { "properties": { "digest_algorithm": { "type": "keyword" }, "exists": { "type": "boolean" }, "signing_id": { "type": "keyword" }, "status": { "type": 
"keyword" }, "subject_name": { "type": "keyword" }, "team_id": { "type": "keyword" }, "timestamp": { "type": "date" }, "trusted": { "type": "boolean" }, "valid": { "type": "boolean" } } }, "created": { "type": "date" }, "ctime": { "type": "date" }, "device": { "type": "keyword" }, "directory": { "type": "keyword" }, "drive_letter": { "type": "keyword" }, "elf": { "properties": { "architecture": { "type": "keyword" }, "byte_order": { "type": "keyword" }, "cpu_type": { "type": "keyword" }, "creation_date": { "type": "date" }, "exports": { "type": "flattened" }, "header": { "properties": { "abi_version": { "type": "keyword" }, "class": { "type": "keyword" }, "data": { "type": "keyword" }, "entrypoint": { "type": "long" }, "object_version": { "type": "keyword" }, "os_abi": { "type": "keyword" }, "type": { "type": "keyword" }, "version": { "type": "keyword" } } }, "imports": { "type": "flattened" }, "sections": { "type": "nested", "properties": { "chi2": { "type": "long" }, "entropy": { "type": "long" }, "flags": { "type": "keyword" }, "name": { "type": "keyword" }, "physical_offset": { "type": "keyword" }, "physical_size": { "type": "long" }, "type": { "type": "keyword" }, "virtual_address": { "type": "long" }, "virtual_size": { "type": "long" } } }, "segments": { "type": "nested", "properties": { "sections": { "type": "keyword" }, "type": { "type": "keyword" } } }, "shared_libraries": { "type": "keyword" }, "telfhash": { "type": "keyword" } } }, "extension": { "type": "keyword" }, "fork_name": { "type": "keyword" }, "gid": { "type": "keyword" }, "group": { "type": "keyword" }, "hash": { "properties": { "md5": { "type": "keyword" }, "sha1": { "type": "keyword" }, "sha256": { "type": "keyword" }, "sha512": { "type": "keyword" }, "ssdeep": { "type": "keyword" } } }, "inode": { "type": "keyword" }, "mime_type": { "type": "keyword" }, "mode": { "type": "keyword" }, "mtime": { "type": "date" }, "name": { "type": "keyword" }, "owner": { "type": "keyword" }, "path": { "type": 
"keyword" }, "pe": { "properties": { "architecture": { "type": "keyword" }, "company": { "type": "keyword" }, "description": { "type": "keyword" }, "file_version": { "type": "keyword" }, "imphash": { "type": "keyword" }, "original_file_name": { "type": "keyword" }, "product": { "type": "keyword" } } }, "size": { "type": "long" }, "target_path": { "type": "keyword" }, "type": { "type": "keyword" }, "uid": { "type": "keyword" }, "x509": { "properties": { "alternative_names": { "type": "keyword" }, "issuer": { "properties": { "common_name": { "type": "keyword" }, "country": { "type": "keyword" }, "distinguished_name": { "type": "keyword" }, "locality": { "type": "keyword" }, "organization": { "type": "keyword" }, "organizational_unit": { "type": "keyword" }, "state_or_province": { "type": "keyword" } } }, "not_after": { "type": "date" }, "not_before": { "type": "date" }, "public_key_algorithm": { "type": "keyword" }, "public_key_curve": { "type": "keyword" }, "public_key_exponent": { "type": "long" }, "public_key_size": { "type": "long" }, "serial_number": { "type": "keyword" }, "signature_algorithm": { "type": "keyword" }, "subject": { "properties": { "common_name": { "type": "keyword" }, "country": { "type": "keyword" }, "distinguished_name": { "type": "keyword" }, "locality": { "type": "keyword" }, "organization": { "type": "keyword" }, "organizational_unit": { "type": "keyword" }, "state_or_province": { "type": "keyword" } } }, "version_number": { "type": "keyword" } } } } }, "first_seen": { "type": "date" }, "geo": { "properties": { "city_name": { "type": "keyword" }, "continent_code": { "type": "keyword" }, "continent_name": { "type": "keyword" }, "country_iso_code": { "type": "keyword" }, "country_name": { "type": "keyword" }, "location": { "type": "geo_point" }, "name": { "type": "keyword" }, "postal_code": { "type": "keyword" }, "region_iso_code": { "type": "keyword" }, "region_name": { "type": "keyword" }, "timezone": { "type": "keyword" } } }, "ip": { 
"type": "ip" }, "last_seen": { "type": "date" }, "marking": { "properties": { "tlp": { "type": "keyword" } } }, "modified_at": { "type": "date" }, "port": { "type": "long" }, "provider": { "type": "keyword" }, "reference": { "type": "keyword" }, "registry": { "properties": { "data": { "properties": { "bytes": { "type": "keyword" }, "strings": { "type": "wildcard" }, "type": { "type": "keyword" } } }, "hive": { "type": "keyword" }, "key": { "type": "keyword" }, "path": { "type": "keyword" }, "value": { "type": "keyword" } } }, "scanner_stats": { "type": "long" }, "sightings": { "type": "long" }, "type": { "type": "keyword" }, "url": { "properties": { "domain": { "type": "keyword" }, "extension": { "type": "keyword" }, "fragment": { "type": "keyword" }, "full": { "type": "wildcard" }, "original": { "type": "wildcard" }, "password": { "type": "keyword" }, "path": { "type": "wildcard" }, "port": { "type": "long" }, "query": { "type": "keyword" }, "registered_domain": { "type": "keyword" }, "scheme": { "type": "keyword" }, "subdomain": { "type": "keyword" }, "top_level_domain": { "type": "keyword" }, "username": { "type": "keyword" } } }, "x509": { "properties": { "alternative_names": { "type": "keyword" }, "issuer": { "properties": { "common_name": { "type": "keyword" }, "country": { "type": "keyword" }, "distinguished_name": { "type": "keyword" }, "locality": { "type": "keyword" }, "organization": { "type": "keyword" }, "organizational_unit": { "type": "keyword" }, "state_or_province": { "type": "keyword" } } }, "not_after": { "type": "date" }, "not_before": { "type": "date" }, "public_key_algorithm": { "type": "keyword" }, "public_key_curve": { "type": "keyword" }, "public_key_exponent": { "type": "long" }, "public_key_size": { "type": "long" }, "serial_number": { "type": "keyword" }, "signature_algorithm": { "type": "keyword" }, "subject": { "properties": { "common_name": { "type": "keyword" }, "country": { "type": "keyword" }, "distinguished_name": { "type": 
"keyword" }, "locality": { "type": "keyword" }, "organization": { "type": "keyword" }, "organizational_unit": { "type": "keyword" }, "state_or_province": { "type": "keyword" } } }, "version_number": { "type": "keyword" } } } } }, "software": { "properties": { "alias": { "type": "keyword" }, "id": { "type": "keyword" }, "name": { "type": "keyword" }, "platforms": { "type": "keyword" }, "reference": { "type": "keyword" }, "type": { "type": "keyword" } } }, "tactic": { "properties": { "id": { "type": "keyword" }, "name": { "type": "keyword" }, "reference": { "type": "keyword" } } }, "technique": { "properties": { "id": { "type": "keyword" }, "name": { "type": "keyword" }, "reference": { "type": "keyword" }, "subtechnique": { "properties": { "id": { "type": "keyword" }, "name": { "type": "keyword" }, "reference": { "type": "keyword" } } } } } } }, "tls": { "properties": { "cipher": { "type": "keyword" }, "client": { "properties": { "certificate": { "type": "keyword" }, "certificate_chain": { "type": "keyword" }, "hash": { "properties": { "md5": { "type": "keyword" }, "sha1": { "type": "keyword" }, "sha256": { "type": "keyword" } } }, "issuer": { "type": "keyword" }, "ja3": { "type": "keyword" }, "not_after": { "type": "date" }, "not_before": { "type": "date" }, "server_name": { "type": "keyword" }, "subject": { "type": "keyword" }, "supported_ciphers": { "type": "keyword" }, "x509": { "properties": { "alternative_names": { "type": "keyword" }, "issuer": { "properties": { "common_name": { "type": "keyword" }, "country": { "type": "keyword" }, "distinguished_name": { "type": "keyword" }, "locality": { "type": "keyword" }, "organization": { "type": "keyword" }, "organizational_unit": { "type": "keyword" }, "state_or_province": { "type": "keyword" } } }, "not_after": { "type": "date" }, "not_before": { "type": "date" }, "public_key_algorithm": { "type": "keyword" }, "public_key_curve": { "type": "keyword" }, "public_key_exponent": { "type": "long" }, "public_key_size": { 
"type": "long" }, "serial_number": { "type": "keyword" }, "signature_algorithm": { "type": "keyword" }, "subject": { "properties": { "common_name": { "type": "keyword" }, "country": { "type": "keyword" }, "distinguished_name": { "type": "keyword" }, "locality": { "type": "keyword" }, "organization": { "type": "keyword" }, "organizational_unit": { "type": "keyword" }, "state_or_province": { "type": "keyword" } } }, "version_number": { "type": "keyword" } } } } }, "curve": { "type": "keyword" }, "established": { "type": "boolean" }, "next_protocol": { "type": "keyword" }, "resumed": { "type": "boolean" }, "server": { "properties": { "certificate": { "type": "keyword" }, "certificate_chain": { "type": "keyword" }, "hash": { "properties": { "md5": { "type": "keyword" }, "sha1": { "type": "keyword" }, "sha256": { "type": "keyword" } } }, "issuer": { "type": "keyword" }, "ja3s": { "type": "keyword" }, "not_after": { "type": "date" }, "not_before": { "type": "date" }, "subject": { "type": "keyword" }, "x509": { "properties": { "alternative_names": { "type": "keyword" }, "issuer": { "properties": { "common_name": { "type": "keyword" }, "country": { "type": "keyword" }, "distinguished_name": { "type": "keyword" }, "locality": { "type": "keyword" }, "organization": { "type": "keyword" }, "organizational_unit": { "type": "keyword" }, "state_or_province": { "type": "keyword" } } }, "not_after": { "type": "date" }, "not_before": { "type": "date" }, "public_key_algorithm": { "type": "keyword" }, "public_key_curve": { "type": "keyword" }, "public_key_exponent": { "type": "long" }, "public_key_size": { "type": "long" }, "serial_number": { "type": "keyword" }, "signature_algorithm": { "type": "keyword" }, "subject": { "properties": { "common_name": { "type": "keyword" }, "country": { "type": "keyword" }, "distinguished_name": { "type": "keyword" }, "locality": { "type": "keyword" }, "organization": { "type": "keyword" }, "organizational_unit": { "type": "keyword" }, 
"state_or_province": { "type": "keyword" } } }, "version_number": { "type": "keyword" } } } } }, "version": { "type": "keyword" }, "version_protocol": { "type": "keyword" } } }, "trace": { "properties": { "id": { "type": "keyword" } } }, "transaction": { "properties": { "id": { "type": "keyword" } } }, "url": { "properties": { "domain": { "type": "keyword" }, "extension": { "type": "keyword" }, "fragment": { "type": "keyword" }, "full": { "type": "wildcard" }, "original": { "type": "wildcard" }, "password": { "type": "keyword" }, "path": { "type": "wildcard" }, "port": { "type": "long" }, "query": { "type": "keyword" }, "registered_domain": { "type": "keyword" }, "scheme": { "type": "keyword" }, "subdomain": { "type": "keyword" }, "top_level_domain": { "type": "keyword" }, "username": { "type": "keyword" } } }, "user": { "properties": { "changes": { "properties": { "domain": { "type": "keyword" }, "email": { "type": "keyword" }, "full_name": { "type": "keyword" }, "group": { "properties": { "domain": { "type": "keyword" }, "id": { "type": "keyword" }, "name": { "type": "keyword" } } }, "hash": { "type": "keyword" }, "id": { "type": "keyword" }, "name": { "type": "keyword" }, "roles": { "type": "keyword" } } }, "domain": { "type": "keyword" }, "effective": { "properties": { "domain": { "type": "keyword" }, "email": { "type": "keyword" }, "full_name": { "type": "keyword" }, "group": { "properties": { "domain": { "type": "keyword" }, "id": { "type": "keyword" }, "name": { "type": "keyword" } } }, "hash": { "type": "keyword" }, "id": { "type": "keyword" }, "name": { "type": "keyword" }, "roles": { "type": "keyword" } } }, "email": { "type": "keyword" }, "full_name": { "type": "keyword" }, "group": { "properties": { "domain": { "type": "keyword" }, "id": { "type": "keyword" }, "name": { "type": "keyword" } } }, "hash": { "type": "keyword" }, "id": { "type": "keyword" }, "name": { "type": "keyword" }, "roles": { "type": "keyword" }, "target": { "properties": { "domain": 
{ "type": "keyword" }, "email": { "type": "keyword" }, "full_name": { "type": "keyword" }, "group": { "properties": { "domain": { "type": "keyword" }, "id": { "type": "keyword" }, "name": { "type": "keyword" } } }, "hash": { "type": "keyword" }, "id": { "type": "keyword" }, "name": { "type": "keyword" }, "roles": { "type": "keyword" } } } } }, "user_agent": { "properties": { "device": { "properties": { "name": { "type": "keyword" } } }, "name": { "type": "keyword" }, "original": { "type": "keyword" }, "os": { "properties": { "family": { "type": "keyword" }, "full": { "type": "keyword" }, "kernel": { "type": "keyword" }, "name": { "type": "keyword" }, "platform": { "type": "keyword" }, "type": { "type": "keyword" }, "version": { "type": "keyword" } } }, "version": { "type": "keyword" } } }, "vulnerability": { "properties": { "category": { "type": "keyword" }, "classification": { "type": "keyword" }, "description": { "type": "keyword" }, "enumeration": { "type": "keyword" }, "id": { "type": "keyword" }, "reference": { "type": "keyword" }, "report_id": { "type": "keyword" }, "scanner": { "properties": { "vendor": { "type": "keyword" } } }, "score": { "properties": { "base": { "type": "float" }, "environmental": { "type": "float" }, "temporal": { "type": "float" }, "version": { "type": "keyword" } } }, "severity": { "type": "keyword" } } } } } } } ```
MadameSheema commented 2 years ago

I don't know if it is intended or not, but there is a clear mismatch in the Threat Intel number for the same alert after the upgrade is performed. I can provide you access to the instance if needed.

michaelolo24 commented 2 years ago

@MadameSheema @rylnd @YulNaumenko I haven't dug into the code yet, but I'm thinking what has happened is the removal of `_source` in favor of the fields API. The UI code that probably traverses the response may have traversed `_source` to show all the results and may not have been adapted to use `fields` instead, but that's my initial guess based on the alert JSONs provided.
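
As an added illustration of the `_source` versus `fields` explanation above (example code written for this thread, not Kibana's own, and not taken from the fix), the snippet below puts a traversal that only reads `_source` next to one that also understands the two shapes the `fields` API can return. The three hits are constructed; the assumption that `threat.enrichments` is mapped as `nested` (which is what makes Elasticsearch return one object per enrichment under `fields`) is an assumption, and the flattened variant shows what the same data looks like when the mapping is a plain object array instead.

```typescript
// Added example, not Kibana source: a `_source`-only traversal silently sees
// zero indicator-match enrichments once a hit carries `fields` instead, while
// a reader that knows both `fields` shapes keeps every match.
// All three hits below are constructed for this illustration.

interface Enrichment {
  field: string;  // threat.enrichments.matched.field: the event field that matched
  atomic: string; // threat.enrichments.matched.atomic: the value that matched
  id: string;     // threat.enrichments.matched.id: the indicator document id
}

interface Hit {
  _id: string;
  _source?: Record<string, any>;
  fields?: Record<string, any>;
}

// Old shape: `_source` holds a real array of enrichment objects. The same
// hash matched two indicator documents, so there are two enrichments.
const sourceHit: Hit = {
  _id: 'alert-source',
  _source: {
    threat: {
      enrichments: [
        { matched: { field: 'file.hash.sha256', atomic: 'deadbeef', id: 'ind-1', type: 'indicator_match_rule' } },
        { matched: { field: 'file.hash.sha256', atomic: 'deadbeef', id: 'ind-2', type: 'indicator_match_rule' } },
      ],
    },
  },
};

// `fields` shape when threat.enrichments is mapped as `nested` (assumption):
// one object per nested element, keyed by the leaf path relative to the
// nested root, with every value wrapped in an array.
const nestedFieldsHit: Hit = {
  _id: 'alert-fields-nested',
  fields: {
    'threat.enrichments': [
      { 'matched.field': ['file.hash.sha256'], 'matched.atomic': ['deadbeef'], 'matched.id': ['ind-1'] },
      { 'matched.field': ['file.hash.sha256'], 'matched.atomic': ['deadbeef'], 'matched.id': ['ind-2'] },
    ],
  },
};

// `fields` shape when threat.enrichments is a plain object array: the leaves
// of every element are flattened into one array per full dotted path, so the
// grouping into individual enrichments is only recoverable by position.
const flatFieldsHit: Hit = {
  _id: 'alert-fields-flat',
  fields: {
    'threat.enrichments.matched.field': ['file.hash.sha256', 'file.hash.sha256'],
    'threat.enrichments.matched.atomic': ['deadbeef', 'deadbeef'],
    'threat.enrichments.matched.id': ['ind-1', 'ind-2'],
  },
};

// The `_source`-only traversal: right for the old shape, 0 for a hit that
// only carries `fields`, with no error to point at the cause.
function countEnrichmentsFromSource(hit: Hit): number {
  const list = hit._source?.threat?.enrichments;
  return Array.isArray(list) ? list.length : 0;
}

// `fields` wraps scalars in arrays; take the first element either way.
const first = (v: unknown): string =>
  Array.isArray(v) ? String(v[0] ?? '') : v == null ? '' : String(v);

// Reads enrichments from whichever shape the hit carries.
function getEnrichments(hit: Hit): Enrichment[] {
  const src = hit._source?.threat?.enrichments;
  if (Array.isArray(src)) {
    return src.map((e: any) => ({
      field: first(e?.matched?.field),
      atomic: first(e?.matched?.atomic),
      id: first(e?.matched?.id),
    }));
  }
  const f = hit.fields ?? {};
  const nested = f['threat.enrichments'];
  if (Array.isArray(nested)) {
    return nested.map((e: any) => ({
      field: first(e['matched.field']),
      atomic: first(e['matched.atomic']),
      id: first(e['matched.id']),
    }));
  }
  // Flattened fallback: pair by index. Only sound when every enrichment
  // populates every leaf; a missing value shifts everything after it.
  const fields = f['threat.enrichments.matched.field'] ?? [];
  const atomics = f['threat.enrichments.matched.atomic'] ?? [];
  const ids = f['threat.enrichments.matched.id'] ?? [];
  const total = Math.max(fields.length, atomics.length, ids.length);
  return Array.from({ length: total }, (_unused, i) => ({
    field: first(fields[i]), atomic: first(atomics[i]), id: first(ids[i]),
  }));
}

console.log(countEnrichmentsFromSource(sourceHit), countEnrichmentsFromSource(nestedFieldsHit)); // 2 0
console.log(getEnrichments(nestedFieldsHit).length, getEnrichments(flatFieldsHit).length);       // 2 2
```

The positional fallback is the part to treat with suspicion: when enrichments are not `nested`, the flattened arrays lose which `matched.id` belongs to which `matched.atomic` as soon as one enrichment lacks a leaf, so checking the index mapping before relying on `fields` for this section is worth the minute.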

YulNaumenko commented 2 years ago

@MadameSheema could you please test it after the fix PR is merged. The problem should disappear.

MadameSheema commented 2 years ago

@YulNaumenko I checked it on BC2 and it looks like it is working fine. I would like a couple of extra eyes to take a look at it and run a bit of exploratory testing on it. @deepikakeshav-qasource @karanbirsingh-qasource can you please help? Thanks

ghost commented 2 years ago

Hi @MadameSheema,

We have validated the above issue on 8.4.0 BC2 and it's fixed. 🟢

Build Details:

VERSION: 8.4.0 BC2
BUILD: 55166
COMMIT: 9e9e0d6a685cbc2858a85a357f93dcb76259fdee

Screenshots:

Rule Details (screenshot)

Alerts Page (screenshot)

Thanks!