diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 85364d081e6..f92516c61a6 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -86,6 +86,7 @@
/packages/aws_bedrock/data_stream/invocation @elastic/security-service-integrations
/packages/aws_bedrock/data_stream/runtime @elastic/obs-infraobs-integrations
/packages/aws_billing @elastic/obs-infraobs-integrations
+/packages/aws_cloudtrail_otel @elastic/obs-infraobs-integrations
/packages/aws_logs @elastic/obs-ds-hosted-services
/packages/aws_mq @elastic/obs-infraobs-integrations
/packages/aws_bedrock_agentcore @elastic/obs-infraobs-integrations
diff --git a/.github/ISSUE_TEMPLATE/integration_bug.yml b/.github/ISSUE_TEMPLATE/integration_bug.yml
index b297a96b7af..28d310a4fff 100644
--- a/.github/ISSUE_TEMPLATE/integration_bug.yml
+++ b/.github/ISSUE_TEMPLATE/integration_bug.yml
@@ -24,6 +24,7 @@ body:
- Airlock Digital [airlock_digital]
- Akamai [akamai]
- AlienVault OTX [ti_otx]
+ - Amazon Bedrock AgentCore [aws_bedrock_agentcore]
- Amazon Bedrock [aws_bedrock]
- Amazon Data Firehose [awsfirehose]
- Amazon MQ [aws_mq]
diff --git a/.github/ISSUE_TEMPLATE/integration_feature_request.yml b/.github/ISSUE_TEMPLATE/integration_feature_request.yml
index 649d3e856c7..61d6fa334d3 100644
--- a/.github/ISSUE_TEMPLATE/integration_feature_request.yml
+++ b/.github/ISSUE_TEMPLATE/integration_feature_request.yml
@@ -24,6 +24,7 @@ body:
- Airlock Digital [airlock_digital]
- Akamai [akamai]
- AlienVault OTX [ti_otx]
+ - Amazon Bedrock AgentCore [aws_bedrock_agentcore]
- Amazon Bedrock [aws_bedrock]
- Amazon Data Firehose [awsfirehose]
- Amazon MQ [aws_mq]
diff --git a/go.mod b/go.mod
index 4194c9066d2..2634d9bf51f 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
module github.com/elastic/integrations
-go 1.25.0
+go 1.25.3
require (
github.com/Masterminds/semver/v3 v3.4.0
@@ -58,7 +58,11 @@ require (
github.com/cbroglie/mustache v1.4.0 // indirect
github.com/cespare/xxhash/v2 v2.3.0 // indirect
github.com/chai2010/gettext-go v1.0.2 // indirect
+ github.com/charmbracelet/x/ansi v0.10.1 // indirect
github.com/cli/safeexec v1.0.0 // indirect
+ github.com/clipperhouse/displaywidth v0.3.1 // indirect
+ github.com/clipperhouse/stringish v0.1.1 // indirect
+ github.com/clipperhouse/uax29/v2 v2.2.0 // indirect
github.com/cloudflare/circl v1.6.1 // indirect
github.com/cncf/xds/go v0.0.0-20250501225837-2ac532fd4443 // indirect
github.com/creack/pty v1.1.19 // indirect
@@ -74,7 +78,7 @@ require (
github.com/elastic/go-windows v1.0.2 // indirect
github.com/elastic/gojsonschema v1.2.1 // indirect
github.com/elastic/kbncontent v0.1.4 // indirect
- github.com/elastic/package-spec/v3 v3.5.0 // indirect
+ github.com/elastic/package-spec/v3 v3.5.2 // indirect
github.com/emicklei/go-restful/v3 v3.12.2 // indirect
github.com/envoyproxy/go-control-plane/envoy v1.32.4 // indirect
github.com/envoyproxy/protoc-gen-validate v1.2.1 // indirect
@@ -133,7 +137,7 @@ require (
github.com/mailru/easyjson v0.7.7 // indirect
github.com/mattn/go-colorable v0.1.14 // indirect
github.com/mattn/go-isatty v0.0.20 // indirect
- github.com/mattn/go-runewidth v0.0.16 // indirect
+ github.com/mattn/go-runewidth v0.0.19 // indirect
github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d // indirect
github.com/mholt/archives v0.1.4 // indirect
github.com/mikelolasagasti/xz v1.0.1 // indirect
@@ -152,9 +156,10 @@ require (
github.com/ncruces/go-strftime v0.1.9 // indirect
github.com/nwaples/rardecode/v2 v2.1.1 // indirect
github.com/oklog/ulid v1.3.1 // indirect
+ github.com/olekukonko/cat v0.0.0-20250911104152-50322a0618f6 // indirect
github.com/olekukonko/errors v1.1.0 // indirect
- github.com/olekukonko/ll v0.0.9 // indirect
- github.com/olekukonko/tablewriter v1.0.9 // indirect
+ github.com/olekukonko/ll v0.1.2 // indirect
+ github.com/olekukonko/tablewriter v1.1.1 // indirect
github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
github.com/pierrec/lz4/v4 v4.1.22 // indirect
github.com/pkg/xattr v0.4.10 // indirect
@@ -166,16 +171,15 @@ require (
github.com/prometheus/common v0.66.1 // indirect
github.com/prometheus/procfs v0.16.1 // indirect
github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
- github.com/rivo/uniseg v0.4.7 // indirect
github.com/russross/blackfriday/v2 v2.1.0 // indirect
github.com/shirou/gopsutil/v3 v3.24.5 // indirect
github.com/shoenig/go-m1cpu v0.1.6 // indirect
github.com/shopspring/decimal v1.4.0 // indirect
github.com/sorairolake/lzip-go v0.3.8 // indirect
- github.com/spf13/afero v1.11.0 // indirect
+ github.com/spf13/afero v1.15.0 // indirect
github.com/spf13/cast v1.7.0 // indirect
github.com/spf13/cobra v1.10.1 // indirect
- github.com/spf13/pflag v1.0.9 // indirect
+ github.com/spf13/pflag v1.0.10 // indirect
github.com/spiffe/go-spiffe/v2 v2.5.0 // indirect
github.com/stretchr/objx v0.5.2 // indirect
github.com/tklauser/go-sysconf v0.3.14 // indirect
@@ -210,7 +214,7 @@ require (
go.yaml.in/yaml/v2 v2.4.2 // indirect
go.yaml.in/yaml/v3 v3.0.4 // indirect
go4.org v0.0.0-20230225012048-214862532bf5 // indirect
- golang.org/x/crypto v0.44.0 // indirect
+ golang.org/x/crypto v0.45.0 // indirect
golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b // indirect
golang.org/x/net v0.47.0 // indirect
golang.org/x/oauth2 v0.32.0 // indirect
@@ -229,13 +233,13 @@ require (
gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
- helm.sh/helm/v3 v3.19.0 // indirect
+ helm.sh/helm/v3 v3.19.2 // indirect
howett.net/plist v1.0.1 // indirect
- k8s.io/api v0.34.1 // indirect
+ k8s.io/api v0.34.2 // indirect
k8s.io/apiextensions-apiserver v0.34.0 // indirect
- k8s.io/apimachinery v0.34.1 // indirect
- k8s.io/cli-runtime v0.34.1 // indirect
- k8s.io/client-go v0.34.1 // indirect
+ k8s.io/apimachinery v0.34.2 // indirect
+ k8s.io/cli-runtime v0.34.2 // indirect
+ k8s.io/client-go v0.34.2 // indirect
k8s.io/component-base v0.34.0 // indirect
k8s.io/klog/v2 v2.130.1 // indirect
k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b // indirect
diff --git a/go.sum b/go.sum
index ffc0ab910dc..5fa490910ce 100644
--- a/go.sum
+++ b/go.sum
@@ -119,8 +119,8 @@ github.com/charmbracelet/colorprofile v0.2.3-0.20250311203215-f60798e515dc h1:4p
github.com/charmbracelet/colorprofile v0.2.3-0.20250311203215-f60798e515dc/go.mod h1:X4/0JoqgTIPSFcRA/P6INZzIuyqdFY5rm8tb41s9okk=
github.com/charmbracelet/lipgloss v1.1.1-0.20250319133953-166f707985bc h1:nFRtCfZu/zkltd2lsLUPlVNv3ej/Atod9hcdbRZtlys=
github.com/charmbracelet/lipgloss v1.1.1-0.20250319133953-166f707985bc/go.mod h1:aKC/t2arECF6rNOnaKaVU6y4t4ZeHQzqfxedE/VkVhA=
-github.com/charmbracelet/x/ansi v0.8.0 h1:9GTq3xq9caJW8ZrBTe0LIe2fvfLR/bYXKTx2llXn7xE=
-github.com/charmbracelet/x/ansi v0.8.0/go.mod h1:wdYl/ONOLHLIVmQaxbIYEC/cRKOQyjTkowiI4blgS9Q=
+github.com/charmbracelet/x/ansi v0.10.1 h1:rL3Koar5XvX0pHGfovN03f5cxLbCF2YvLeyz7D2jVDQ=
+github.com/charmbracelet/x/ansi v0.10.1/go.mod h1:3RQDQ6lDnROptfpWuUVIUG64bD2g2BgntdxH0Ya5TeE=
github.com/charmbracelet/x/cellbuf v0.0.13 h1:/KBBKHuVRbq1lYx5BzEHBAFBP8VcQzJejZ/IA3iR28k=
github.com/charmbracelet/x/cellbuf v0.0.13/go.mod h1:xe0nKWGd3eJgtqZRaN9RjMtK7xUYchjzPr7q6kcvCCs=
github.com/charmbracelet/x/term v0.2.1 h1:AQeHeLZ1OqSXhrAWpYUtZyX1T3zVxfpZuEQMIQaGIAQ=
@@ -135,6 +135,12 @@ github.com/cli/safeexec v1.0.0/go.mod h1:Z/D4tTN8Vs5gXYHDCbaM1S/anmEDnJb1iW0+EJ5
github.com/cli/shurcooL-graphql v0.0.4 h1:6MogPnQJLjKkaXPyGqPRXOI2qCsQdqNfUY1QSJu2GuY=
github.com/cli/shurcooL-graphql v0.0.4/go.mod h1:3waN4u02FiZivIV+p1y4d0Jo1jc6BViMA73C+sZo2fk=
github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
+github.com/clipperhouse/displaywidth v0.3.1 h1:k07iN9gD32177o1y4O1jQMzbLdCrsGJh+blirVYybsk=
+github.com/clipperhouse/displaywidth v0.3.1/go.mod h1:tgLJKKyaDOCadywag3agw4snxS5kYEuYR6Y9+qWDDYM=
+github.com/clipperhouse/stringish v0.1.1 h1:+NSqMOr3GR6k1FdRhhnXrLfztGzuG+VuFDfatpWHKCs=
+github.com/clipperhouse/stringish v0.1.1/go.mod h1:v/WhFtE1q0ovMta2+m+UbpZ+2/HEXNWYXQgCt4hdOzA=
+github.com/clipperhouse/uax29/v2 v2.2.0 h1:ChwIKnQN3kcZteTXMgb1wztSgaU+ZemkgWdohwgs8tY=
+github.com/clipperhouse/uax29/v2 v2.2.0/go.mod h1:EFJ2TJMRUaplDxHKj1qAEhCtQPW2tJSwu5BF98AuoVM=
github.com/cloudflare/circl v1.6.1 h1:zqIqSPIndyBh1bjLVVDHMPpVKqp8Su/V+6MeDzzQBQ0=
github.com/cloudflare/circl v1.6.1/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZh3pJrofs=
github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
@@ -180,8 +186,8 @@ github.com/elastic/kbncontent v0.1.4 h1:GoUkJkqkn2H6iJTnOHcxEqYVVYyjvcebLQVaSR1a
github.com/elastic/kbncontent v0.1.4/go.mod h1:kOPREITK9gSJsiw/WKe7QWSO+PRiZMyEFQCw+CMLAHI=
github.com/elastic/package-registry v1.33.0 h1:4s4lzscmmWEMOgPXrDsSXp+YzNCSMZThUtP1ays4e8g=
github.com/elastic/package-registry v1.33.0/go.mod h1:gPhg2tc7DZBvrSGfsYmBM9VCqT0r7FgRNyQS+XyP5rM=
-github.com/elastic/package-spec/v3 v3.5.0 h1:rvB+lWXXoUkSVx4TaHerV/eO6uN0NH1E5sPW1kW74Lk=
-github.com/elastic/package-spec/v3 v3.5.0/go.mod h1:dH//Q1geKx3fxC0lwPrVmnjN6RMqyDf5tnsw7trwqWE=
+github.com/elastic/package-spec/v3 v3.5.2 h1:5U+3UyJ8GvbIkeazOTUtprlmhkk8Syh0NAdzy55uQLQ=
+github.com/elastic/package-spec/v3 v3.5.2/go.mod h1:Wj829iTa2lFVCz0qrXJcx9bVLPYMrYb8guQeYwZPNnA=
github.com/emicklei/go-restful/v3 v3.12.2 h1:DhwDP0vY3k8ZzE0RunuJy8GhNpPL6zqLkDf9B/a0/xU=
github.com/emicklei/go-restful/v3 v3.12.2/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
@@ -409,8 +415,8 @@ github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stg
github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
-github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6TULQc=
-github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
+github.com/mattn/go-runewidth v0.0.19 h1:v++JhqYnZuu5jSKrk9RbgF5v4CGUjqRfBm05byFGLdw=
+github.com/mattn/go-runewidth v0.0.19/go.mod h1:XBkDxAl56ILZc9knddidhrOlY5R/pDhgLpndooCuJAs=
github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE=
github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d h1:5PJl274Y63IEHC+7izoQE9x6ikvDFZS2mDVS3drnohI=
github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE=
@@ -463,12 +469,14 @@ github.com/nwaples/rardecode/v2 v2.1.1 h1:OJaYalXdliBUXPmC8CZGQ7oZDxzX1/5mQmgn0/
github.com/nwaples/rardecode/v2 v2.1.1/go.mod h1:7uz379lSxPe6j9nvzxUZ+n7mnJNgjsRNb6IbvGVHRmw=
github.com/oklog/ulid v1.3.1 h1:EGfNDEx6MqHz8B3uNV6QAib1UR2Lm97sHi3ocA6ESJ4=
github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
+github.com/olekukonko/cat v0.0.0-20250911104152-50322a0618f6 h1:zrbMGy9YXpIeTnGj4EljqMiZsIcE09mmF8XsD5AYOJc=
+github.com/olekukonko/cat v0.0.0-20250911104152-50322a0618f6/go.mod h1:rEKTHC9roVVicUIfZK7DYrdIoM0EOr8mK1Hj5s3JjH0=
github.com/olekukonko/errors v1.1.0 h1:RNuGIh15QdDenh+hNvKrJkmxxjV4hcS50Db478Ou5sM=
github.com/olekukonko/errors v1.1.0/go.mod h1:ppzxA5jBKcO1vIpCXQ9ZqgDh8iwODz6OXIGKU8r5m4Y=
-github.com/olekukonko/ll v0.0.9 h1:Y+1YqDfVkqMWuEQMclsF9HUR5+a82+dxJuL1HHSRpxI=
-github.com/olekukonko/ll v0.0.9/go.mod h1:En+sEW0JNETl26+K8eZ6/W4UQ7CYSrrgg/EdIYT2H8g=
-github.com/olekukonko/tablewriter v1.0.9 h1:XGwRsYLC2bY7bNd93Dk51bcPZksWZmLYuaTHR0FqfL8=
-github.com/olekukonko/tablewriter v1.0.9/go.mod h1:5c+EBPeSqvXnLLgkm9isDdzR3wjfBkHR9Nhfp3NWrzo=
+github.com/olekukonko/ll v0.1.2 h1:lkg/k/9mlsy0SxO5aC+WEpbdT5K83ddnNhAepz7TQc0=
+github.com/olekukonko/ll v0.1.2/go.mod h1:b52bVQRRPObe+yyBl0TxNfhesL0nedD4Cht0/zx55Ew=
+github.com/olekukonko/tablewriter v1.1.1 h1:b3reP6GCfrHwmKkYwNRFh2rxidGHcT6cgxj/sHiDDx0=
+github.com/olekukonko/tablewriter v1.1.1/go.mod h1:De/bIcTF+gpBDB3Alv3fEsZA+9unTsSzAg/ZGADCtn4=
github.com/onsi/ginkgo/v2 v2.21.0 h1:7rg/4f3rB88pb5obDgNZrNHrQ4e6WpjonchcpuBRnZM=
github.com/onsi/ginkgo/v2 v2.21.0/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo=
github.com/onsi/gomega v1.35.1 h1:Cwbd75ZBPxFSuZ6T+rN/WCb/gOc6YgFBXLlZLhC7Ds4=
@@ -505,7 +513,6 @@ github.com/prometheus/procfs v0.16.1 h1:hZ15bTNuirocR6u0JZ6BAHHmwS1p8B4P6MRqxtzM
github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlTmWl8x/U+Is=
github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE=
github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
-github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
@@ -529,14 +536,15 @@ github.com/shopspring/decimal v1.4.0 h1:bxl37RwXBklmTi0C79JfXCEBD1cqqHt0bbgBAGFp
github.com/shopspring/decimal v1.4.0/go.mod h1:gawqmDU56v4yIKSwfBSFip1HdCCXN8/+DMd9qYNcwME=
github.com/sorairolake/lzip-go v0.3.8 h1:j5Q2313INdTA80ureWYRhX+1K78mUXfMoPZCw/ivWik=
github.com/sorairolake/lzip-go v0.3.8/go.mod h1:JcBqGMV0frlxwrsE9sMWXDjqn3EeVf0/54YPsw66qkU=
-github.com/spf13/afero v1.11.0 h1:WJQKhtpdm3v2IzqG8VMqrr6Rf3UYpEF239Jy9wNepM8=
-github.com/spf13/afero v1.11.0/go.mod h1:GH9Y3pIexgf1MTIWtNGyogA5MwRIDXGUr+hbWNoBjkY=
+github.com/spf13/afero v1.15.0 h1:b/YBCLWAJdFWJTN9cLhiXXcD7mzKn9Dm86dNnfyQw1I=
+github.com/spf13/afero v1.15.0/go.mod h1:NC2ByUVxtQs4b3sIUphxK0NioZnmxgyCrfzeuq8lxMg=
github.com/spf13/cast v1.7.0 h1:ntdiHjuueXFgm5nzDRdOS4yfT43P5Fnud6DH50rz/7w=
github.com/spf13/cast v1.7.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo=
github.com/spf13/cobra v1.10.1 h1:lJeBwCfmrnXthfAupyUTzJ/J4Nc1RsHC/mSRU2dll/s=
github.com/spf13/cobra v1.10.1/go.mod h1:7SmJGaTHFVBY0jW4NXGluQoLvhqFQM+6XSKD+P4XaB0=
-github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY=
github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
+github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
github.com/spiffe/go-spiffe/v2 v2.5.0 h1:N2I01KCUkv1FAjZXJMwh95KK1ZIQLYbPfhaxw8WS0hE=
github.com/spiffe/go-spiffe/v2 v2.5.0/go.mod h1:P+NxobPc6wXhVtINNtFjNWGBTreew1GBUCwT2wPmb7g=
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
@@ -654,8 +662,8 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U
golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.44.0 h1:A97SsFvM3AIwEEmTBiaxPPTYpDC47w720rdiiUvgoAU=
-golang.org/x/crypto v0.44.0/go.mod h1:013i+Nw79BMiQiMsOPcVCB5ZIJbYkerPrGnOa00tvmc=
+golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
+golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -899,8 +907,8 @@ gotest.tools/gotestsum v1.13.0 h1:+Lh454O9mu9AMG1APV4o0y7oDYKyik/3kBOiCqiEpRo=
gotest.tools/gotestsum v1.13.0/go.mod h1:7f0NS5hFb0dWr4NtcsAsF0y1kzjEFfAil0HiBQJE03Q=
gotest.tools/v3 v3.5.2 h1:7koQfIKdy+I8UTetycgUqXWSDwpgv193Ka+qRsmBY8Q=
gotest.tools/v3 v3.5.2/go.mod h1:LtdLGcnqToBH83WByAAi/wiwSFCArdFIUV/xxN4pcjA=
-helm.sh/helm/v3 v3.19.0 h1:krVyCGa8fa/wzTZgqw0DUiXuRT5BPdeqE/sQXujQ22k=
-helm.sh/helm/v3 v3.19.0/go.mod h1:Lk/SfzN0w3a3C3o+TdAKrLwJ0wcZ//t1/SDXAvfgDdc=
+helm.sh/helm/v3 v3.19.2 h1:psQjaM8aIWrSVEly6PgYtLu/y6MRSmok4ERiGhZmtUY=
+helm.sh/helm/v3 v3.19.2/go.mod h1:gX10tB5ErM+8fr7bglUUS/UfTOO8UUTYWIBH1IYNnpE=
honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
@@ -908,16 +916,16 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh
honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
howett.net/plist v1.0.1 h1:37GdZ8tP09Q35o9ych3ehygcsL+HqKSwzctveSlarvM=
howett.net/plist v1.0.1/go.mod h1:lqaXoTrLY4hg8tnEzNru53gicrbv7rrk+2xJA/7hw9g=
-k8s.io/api v0.34.1 h1:jC+153630BMdlFukegoEL8E/yT7aLyQkIVuwhmwDgJM=
-k8s.io/api v0.34.1/go.mod h1:SB80FxFtXn5/gwzCoN6QCtPD7Vbu5w2n1S0J5gFfTYk=
+k8s.io/api v0.34.2 h1:fsSUNZhV+bnL6Aqrp6O7lMTy6o5x2C4XLjnh//8SLYY=
+k8s.io/api v0.34.2/go.mod h1:MMBPaWlED2a8w4RSeanD76f7opUoypY8TFYkSM+3XHw=
k8s.io/apiextensions-apiserver v0.34.0 h1:B3hiB32jV7BcyKcMU5fDaDxk882YrJ1KU+ZSkA9Qxoc=
k8s.io/apiextensions-apiserver v0.34.0/go.mod h1:hLI4GxE1BDBy9adJKxUxCEHBGZtGfIg98Q+JmTD7+g0=
-k8s.io/apimachinery v0.34.1 h1:dTlxFls/eikpJxmAC7MVE8oOeP1zryV7iRyIjB0gky4=
-k8s.io/apimachinery v0.34.1/go.mod h1:/GwIlEcWuTX9zKIg2mbw0LRFIsXwrfoVxn+ef0X13lw=
-k8s.io/cli-runtime v0.34.1 h1:btlgAgTrYd4sk8vJTRG6zVtqBKt9ZMDeQZo2PIzbL7M=
-k8s.io/cli-runtime v0.34.1/go.mod h1:aVA65c+f0MZiMUPbseU/M9l1Wo2byeaGwUuQEQVVveE=
-k8s.io/client-go v0.34.1 h1:ZUPJKgXsnKwVwmKKdPfw4tB58+7/Ik3CrjOEhsiZ7mY=
-k8s.io/client-go v0.34.1/go.mod h1:kA8v0FP+tk6sZA0yKLRG67LWjqufAoSHA2xVGKw9Of8=
+k8s.io/apimachinery v0.34.2 h1:zQ12Uk3eMHPxrsbUJgNF8bTauTVR2WgqJsTmwTE/NW4=
+k8s.io/apimachinery v0.34.2/go.mod h1:/GwIlEcWuTX9zKIg2mbw0LRFIsXwrfoVxn+ef0X13lw=
+k8s.io/cli-runtime v0.34.2 h1:cct1GEuWc3IyVT8MSCoIWzRGw9HJ/C5rgP32H60H6aE=
+k8s.io/cli-runtime v0.34.2/go.mod h1:X13tsrYexYUCIq8MarCBy8lrm0k0weFPTpcaNo7lms4=
+k8s.io/client-go v0.34.2 h1:Co6XiknN+uUZqiddlfAjT68184/37PS4QAzYvQvDR8M=
+k8s.io/client-go v0.34.2/go.mod h1:2VYDl1XXJsdcAxw7BenFslRQX28Dxz91U9MWKjX97fE=
k8s.io/component-base v0.34.0 h1:bS8Ua3zlJzapklsB1dZgjEJuJEeHjj8yTu1gxE2zQX8=
k8s.io/component-base v0.34.0/go.mod h1:RSCqUdvIjjrEm81epPcjQ/DS+49fADvGSCkIP3IC6vg=
k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
diff --git a/packages/akamai/changelog.yml b/packages/akamai/changelog.yml
index 192ea5ee0ef..1d812e71aae 100644
--- a/packages/akamai/changelog.yml
+++ b/packages/akamai/changelog.yml
@@ -1,4 +1,15 @@
# newer versions go on top
+- version: "3.0.0"
+ changes:
+ - description: |
+ Migrated SIEM data stream from HTTPJSON to CEL.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/15713
+ - description: |
+ Credentials will likely need to be re-configured since the integration has been
+ updated to use the new CEL input.
+ type: breaking-change
+ link: https://github.com/elastic/integrations/pull/15713
- version: "2.28.2"
changes:
- description: Remove empty HTTP message headers placeholder.
diff --git a/packages/akamai/data_stream/siem/_dev/test/pipeline/test-http-json.log-config.yml b/packages/akamai/data_stream/siem/_dev/test/pipeline/test-cel.log-config.yml
similarity index 100%
rename from packages/akamai/data_stream/siem/_dev/test/pipeline/test-http-json.log-config.yml
rename to packages/akamai/data_stream/siem/_dev/test/pipeline/test-cel.log-config.yml
diff --git a/packages/akamai/data_stream/siem/_dev/test/system/test-emulator-config.yml b/packages/akamai/data_stream/siem/_dev/test/system/test-emulator-config.yml
index abb4756aaee..f8a7cdf1165 100644
--- a/packages/akamai/data_stream/siem/_dev/test/system/test-emulator-config.yml
+++ b/packages/akamai/data_stream/siem/_dev/test/system/test-emulator-config.yml
@@ -1,4 +1,4 @@
-input: httpjson
+input: cel
service: akamai-siem-emulator
vars: ~
data_stream:
@@ -12,10 +12,9 @@ data_stream:
access_token: at-6b8c7217-8748-490d-b0f5-bfeb72b2e7cd
config_ids: 123456
event_limit: 20
+ # The akamai-siem emulator does not limit the number of events or pages returned, so we set a large number of max_executions.
+ max_executions: 50000
enable_request_tracer: true
assert:
# 12 hours at 5 minutes between events.
hit_count: 144 # = 12 * 60/5
-skip:
- reason: "The fleet health status changes to degraded when the HTTPJSON template's value evaluation comes up empty, which leads to system test failures but does not interrupt the data flow."
- link: https://github.com/elastic/beats/issues/45664
diff --git a/packages/akamai/data_stream/siem/agent/stream/cel.yml.hbs b/packages/akamai/data_stream/siem/agent/stream/cel.yml.hbs
new file mode 100644
index 00000000000..9326695f26c
--- /dev/null
+++ b/packages/akamai/data_stream/siem/agent/stream/cel.yml.hbs
@@ -0,0 +1,165 @@
+config_version: 2
+interval: {{interval}}
+resource:
+ url: {{api_host}}/siem/v1/configs/{{config_ids}}
+ {{#if ssl}}
+ ssl: {{ssl}}
+ {{/if}}
+ {{#if http_client_timeout}}
+ timeout: {{http_client_timeout}}
+ {{/if}}
+ {{#if proxy_url }}
+ proxy_url: {{proxy_url}}
+ {{/if}}
+ tracer:
+ enabled: {{enable_request_tracer}}
+ filename: "../../logs/cel/http-request-trace-*.ndjson"
+ maxbackups: 5
+{{#if max_executions}}
+max_executions: {{max_executions}}
+{{/if}}
+
+state:
+ client_token: {{client_token}}
+ access_token: {{access_token}}
+ client_secret: {{client_secret}}
+ initial_interval: {{initial_interval}}
+ event_limit: {{event_limit}}
+
+redact:
+ fields:
+ - client_secret
+ - access_token
+ - client_token
+
+program: |-
+ state.with(
+ (
+ state.?cursor.recovery_mode.orValue(false) ?
+ {
+ "from": int(now - duration("12h")),
+ "to": int(now - duration("1m")),
+ }
+ : state.?cursor.last_offset.hasValue() ?
+ {
+ "offset": state.cursor.last_offset,
+ }
+ :
+ {
+ "from": max(int(now - duration(state.initial_interval)), int(now - duration("12h"))),
+ "to": int(now - duration("1m")),
+ }
+ ).as(params,
+ (
+ state.url.trim_right("/") + "?" + {
+ "limit": [string(state.event_limit)],
+ ?"from": params.?from.optMap(v, [string(v)]),
+ ?"to": params.?to.optMap(v, [string(v)]),
+ ?"offset": params.?offset.optMap(v, [string(v)]),
+ }.format_query()
+ ).as(request_url,
+ now.format("20060102T15:04:05-0700").as(timestamp,
+ uuid().as(nonce,
+ sprintf(
+ "EG1-HMAC-SHA256 client_token=%s;access_token=%s;timestamp=%s;nonce=%s;",
+ [state.client_token, state.access_token, timestamp, nonce]
+ ).as(sig_base,
+ base64(hmac(timestamp, "sha256", bytes(state.client_secret))).as(sig_key,
+ request_url.parse_url().as(u,
+ sprintf(
+ "GET\t%s\t%s\t%s?%s\t\t\t%s",
+ [
+ u.Scheme,
+ u.Host,
+ u.Path,
+ u.RawQuery,
+ sig_base,
+ ]
+ ).as(to_sign,
+ base64(hmac(to_sign, "sha256", bytes(sig_key))).as(signature,
+ sig_base + "signature=" + signature
+ )
+ )
+ )
+ )
+ ).as(auth_header,
+ request(
+ "GET",
+ request_url
+ ).with(
+ {
+ "Header": {
+ "Authorization": [auth_header],
+ },
+ }
+ ).do_request().as(resp,
+ (resp.StatusCode == 200) ?
+ string(resp.Body).split("\n").filter(line, line != "").as(lines,
+ {
+ "events": lines.map(line, {"message": line}),
+ "cursor": {
+ ?"last_offset": (lines.size() > 0) ?
+ lines[lines.size() - 1].decode_json().as(lastEvent,
+ (has(lastEvent.offset) && lastEvent.offset != "") ?
+ optional.of(lastEvent.offset)
+ :
+ optional.none()
+ )
+ :
+ optional.none(),
+ "recovery_mode": false,
+ },
+ "want_more": (lines.size() > 0) ?
+ lines[lines.size() - 1].decode_json().as(lastEvent,
+ has(lastEvent.offset) && lastEvent.offset != ""
+ )
+ :
+ false,
+ }
+ )
+ : (resp.StatusCode == 416) ?
+ {
+ "events": [
+ {
+ "error": {
+ "code": string(resp.StatusCode),
+ "id": string(resp.Status),
+ "message": "GET " + request_url + (
+ (size(resp.Body) != 0) ?
+ string(resp.Body)
+ :
+ string(resp.Status) + " (" + string(resp.StatusCode) + ")"
+ ),
+ },
+ }
+ ],
+ "cursor": state.cursor.drop("last_offset").with(
+ {
+ "recovery_mode": true,
+ }
+ ),
+ "want_more": true,
+ }
+ :
+ {
+ "events": {
+ "error": {
+ "code": string(resp.StatusCode),
+ "id": string(resp.Status),
+ "message": "GET " + request_url + (
+ (size(resp.Body) != 0) ?
+ string(resp.Body)
+ :
+ string(resp.Status) + " (" + string(resp.StatusCode) + ")"
+ ),
+ },
+ },
+ "want_more": false,
+ }
+ )
+ )
+ )
+ )
+ )
+ )
+ )
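Review bot: The pagination stop condition in the 200 branch differs from the removed httpjson template: `want_more` is true whenever the last line carries a non-empty `offset`, whereas the old `response.pagination` stopped as soon as `.last_event.total` was 0. If the API's trailing context line always includes an `offset` (the old template's use of `.last_event.offset` suggests it does), the program will keep re-requesting with the same offset until `max_executions` is exhausted on every interval, which is presumably why the emulator test needed `max_executions: 50000`. Consider folding the total check into the condition, e.g. `has(lastEvent.offset) && lastEvent.offset != "" && has(lastEvent.total) && int(lastEvent.total) != 0`, and decoding the last line once by wrapping both the `cursor` and `want_more` fields in a single `.as(lastEvent, ...)` instead of calling `decode_json()` twice. The fallback error branch also emits `"events"` as a single object while the 416 branch emits a list; one shape for both would be easier to reason about in the pipeline.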
diff --git a/packages/akamai/data_stream/siem/agent/stream/httpjson.yml.hbs b/packages/akamai/data_stream/siem/agent/stream/httpjson.yml.hbs
deleted file mode 100644
index 7701e19aeaa..00000000000
--- a/packages/akamai/data_stream/siem/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,103 +0,0 @@
-config_version: "2"
-interval: {{interval}}
-request.method: "GET"
-request.url: "{{api_host}}/siem/v1/configs/{{config_ids}}"
-{{#if ssl}}
-request.ssl: {{ssl}}
-{{/if}}
-{{#if http_client_timeout}}
-request.timeout: {{http_client_timeout}}
-{{/if}}
-{{#if proxy_url }}
-request.proxy_url: {{proxy_url}}
-{{/if}}
-{{#if enable_request_tracer}}
-request.tracer.filename: "../../logs/httpjson/http-request-trace-*.ndjson"
-request.tracer.maxbackups: 5
-{{/if}}
-request.transforms:
- - set:
- target: url.params.from
- # On the initial request (no cursor), this calculates the start time.
- # It takes the more recent of two values: the user-defined 'initial_interval'
- # or the API's maximum 12-hour look-back, preventing API errors.
- value: >-
- [[- if not (index .cursor "last_offset") -]]
- [[- $initialTime := (now (parseDuration "-{{initial_interval}}")).Unix -]]
- [[- $maxLookbackTime := (now (parseDuration "-12h")).Unix -]]
- [[- max $maxLookbackTime $initialTime -]]
- [[- end -]]
- - set:
- target: url.params.to
- value: >-
- [[ if not (index .cursor "last_offset") ]][[ (now).Unix ]][[ end ]]
- - set:
- target: url.params.offset
- value: >-
- [[ if (index .cursor "last_offset") ]][[ .cursor.last_offset ]][[ end ]]
-{{#if event_limit}}
- - set:
- target: url.params.limit
- value: '{{event_limit}}'
-{{/if}}
- - set:
- target: header.XTimestamp
- value: '[[ formatDate (now) "20060102T15:04:05-0700" ]]'
- - set:
- target: header.XSignatureBase
- value: '[[ sprintf "EG1-HMAC-SHA256 client_token=%s;access_token=%s;timestamp=%s;nonce=%s;" "{{client_token}}" "{{access_token}}" (.header.Get "XTimestamp") uuid ]]'
- - set:
- target: header.XSignatureKey
- value: '[[ hmacBase64 "sha256" "{{client_secret}}" (.header.Get "XTimestamp") ]]'
- - set:
- target: header.XSignature
- value: '[[ hmacBase64 "sha256" (.header.Get "XSignatureKey") "GET\t" .url.Scheme "\t" .url.Host "\t" .url.Path "?" .url.RawQuery "\t\t\t" (.header.Get "XSignatureBase") ]]'
- - set:
- target: header.Authorization
- value: '[[ sprintf "%ssignature=%s" (.header.Get "XSignatureBase") (.header.Get "XSignature") ]]'
- - delete:
- target: header.XSignature
- - delete:
- target: header.XSignatureKey
- - delete:
- target: header.XSignatureBase
- - delete:
- target: header.XTimestamp
-
-response.decode_as: application/x-ndjson
-
-response.pagination:
- - set:
- target: url.params.offset
- # This template evaluates to an empty string when the response contains no events
- # as indicated by the 'total' field in the ResponseContext. This stops pagination.
- value: '[[ if not (eq (toInt .last_event.total) 0) ]][[ .last_event.offset ]][[ end ]]'
- fail_on_template_error: true
- - delete:
- target: url.params.from
- - delete:
- target: url.params.to
-
-cursor:
- last_offset:
- value: '[[ .last_event.offset ]]'
-
-{{#if tags.length}}
-tags:
-{{else if preserve_original_event}}
-tags:
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/akamai/data_stream/siem/manifest.yml b/packages/akamai/data_stream/siem/manifest.yml
index 29ddf08d435..943b346518e 100644
--- a/packages/akamai/data_stream/siem/manifest.yml
+++ b/packages/akamai/data_stream/siem/manifest.yml
@@ -1,8 +1,8 @@
type: logs
title: Akamai SIEM Logs
streams:
- - input: httpjson
- template_path: httpjson.yml.hbs
+ - input: cel
+ template_path: cel.yml.hbs
title: Akamai SIEM logs
description: Collect Akamai logs via the SIEM API
vars:
@@ -76,6 +76,15 @@ streams:
show_user: false
title: Event Limit
description: Defines the approximate maximum number of security events each fetch returns, in both offset and time-based modes. The default limit is 10000 and the maximum limit available is 600000. Listing an unlimited number of logs isn't possible. Expect requests to return a slightly higher number of security events than you set in the limit parameter, because data is stored in different buckets.
+ default: 10000
+ - name: max_executions
+ type: integer
+ title: Maximum Pages Per Interval
+ description: Maximum Pages Per Interval is the maximum number of pages that can be collected at each interval.
+ multi: false
+ required: false
+ show_user: false
+ default: 5000
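Review bot: The new `max_executions` description restates the title (`Maximum Pages Per Interval is the maximum number of pages...`) without saying what the setting guards against, so a user cannot tell when to raise or lower it. Since the CEL program asks for another page via `want_more` whenever the last response line has an offset, this value is effectively the cap on API requests per interval; suggest `description: Upper bound on the number of pages (API requests) fetched in a single interval; acts as a safety limit against runaway pagination, with collection resuming from the saved cursor on the next interval.` The resume-from-cursor clause is inferred from the CEL input's cursor handling rather than visible here and should be confirmed before it is documented.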
- name: proxy_url
type: text
title: Proxy URL
diff --git a/packages/akamai/manifest.yml b/packages/akamai/manifest.yml
index 21b846dead1..403c1fba35d 100644
--- a/packages/akamai/manifest.yml
+++ b/packages/akamai/manifest.yml
@@ -1,13 +1,13 @@
name: akamai
title: Akamai
-version: "2.28.2"
+version: "3.0.0"
description: Collect logs from Akamai with Elastic Agent.
type: integration
format_version: "3.0.2"
categories: [security, cdn_security]
conditions:
kibana:
- version: "^8.13.0 || ^9.0.0"
+ version: "^8.18.0 || ^9.0.0"
icons:
- src: /img/akamai_logo.svg
title: Akamai
@@ -18,7 +18,7 @@ policy_templates:
title: Akamai logs
description: Collect SIEM logs from Akamai
inputs:
- - type: httpjson
+ - type: cel
title: "Collect Akamai SIEM logs via API"
description: "Collecting SIEM logs from Akamai via API"
- type: gcs
diff --git a/packages/aws/_dev/build/docs/guardduty.md b/packages/aws/_dev/build/docs/guardduty.md
index 2ca0caf2e48..e6832426289 100644
--- a/packages/aws/_dev/build/docs/guardduty.md
+++ b/packages/aws/_dev/build/docs/guardduty.md
@@ -12,7 +12,10 @@ The Amazon GuardDuty integration can be used in three different modes to collect
## What do I need to use this integration?
You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it. You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your own hardware.
-**Note**: It is recommended to use AWS SQS for Amazon GuardDuty.
+
+**Note**:
+ - It is recommended to use AWS SQS for Amazon GuardDuty.
+ - When using the Amazon GuardDuty API to collect logs, data duplication can occur due to limitations with the current input.
### Agentless Enabled Integration
diff --git a/packages/aws/docs/guardduty.md b/packages/aws/docs/guardduty.md
index a622d12d518..86380b58e8c 100644
--- a/packages/aws/docs/guardduty.md
+++ b/packages/aws/docs/guardduty.md
@@ -12,7 +12,10 @@ The Amazon GuardDuty integration can be used in three different modes to collect
## What do I need to use this integration?
You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it. You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your own hardware.
-**Note**: It is recommended to use AWS SQS for Amazon GuardDuty.
+
+**Note**:
+ - It is recommended to use AWS SQS for Amazon GuardDuty.
+ - When using the Amazon GuardDuty API to collect logs, data duplication can occur due to limitations with the current input.
### Agentless Enabled Integration
diff --git a/packages/aws/manifest.yml b/packages/aws/manifest.yml
index ead3b3487f6..522aa706e09 100644
--- a/packages/aws/manifest.yml
+++ b/packages/aws/manifest.yml
@@ -11,6 +11,12 @@ categories:
- observability
# Added security category as AWS integration collects security-relevant data like CloudTrail logs, GuardDuty findings, and other security monitoring data
- security
+ # Added containers category to match policy template categories (ECS metrics template references containers subcategory)
+ - containers
+ # Added network category to match policy template categories (VPC Flow, Transit Gateway, and NAT Gateway templates reference network subcategory)
+ - network
+ # Added datastore category to match policy template categories (DynamoDB, RDS, Redshift, and other database templates reference datastore subcategory)
+ - datastore
conditions:
elastic:
subscription: basic
diff --git a/packages/aws_cloudtrail_otel/LICENSE.txt b/packages/aws_cloudtrail_otel/LICENSE.txt
new file mode 100644
index 00000000000..809108b857f
--- /dev/null
+++ b/packages/aws_cloudtrail_otel/LICENSE.txt
@@ -0,0 +1,93 @@
+Elastic License 2.0
+
+URL: https://www.elastic.co/licensing/elastic-license
+
+## Acceptance
+
+By using the software, you agree to all of the terms and conditions below.
+
+## Copyright License
+
+The licensor grants you a non-exclusive, royalty-free, worldwide,
+non-sublicensable, non-transferable license to use, copy, distribute, make
+available, and prepare derivative works of the software, in each case subject to
+the limitations and conditions below.
+
+## Limitations
+
+You may not provide the software to third parties as a hosted or managed
+service, where the service provides users with access to any substantial set of
+the features or functionality of the software.
+
+You may not move, change, disable, or circumvent the license key functionality
+in the software, and you may not remove or obscure any functionality in the
+software that is protected by the license key.
+
+You may not alter, remove, or obscure any licensing, copyright, or other notices
+of the licensor in the software. Any use of the licensor’s trademarks is subject
+to applicable law.
+
+## Patents
+
+The licensor grants you a license, under any patent claims the licensor can
+license, or becomes able to license, to make, have made, use, sell, offer for
+sale, import and have imported the software, in each case subject to the
+limitations and conditions in this license. This license does not cover any
+patent claims that you cause to be infringed by modifications or additions to
+the software. If you or your company make any written claim that the software
+infringes or contributes to infringement of any patent, your patent license for
+the software granted under these terms ends immediately. If your company makes
+such a claim, your patent license ends immediately for work on behalf of your
+company.
+
+## Notices
+
+You must ensure that anyone who gets a copy of any part of the software from you
+also gets a copy of these terms.
+
+If you modify the software, you must include in any modified copies of the
+software prominent notices stating that you have modified the software.
+
+## No Other Rights
+
+These terms do not imply any licenses other than those expressly granted in
+these terms.
+
+## Termination
+
+If you use the software in violation of these terms, such use is not licensed,
+and your licenses will automatically terminate. If the licensor provides you
+with a notice of your violation, and you cease all violation of this license no
+later than 30 days after you receive that notice, your licenses will be
+reinstated retroactively. However, if you violate these terms after such
+reinstatement, any additional violation of these terms will cause your licenses
+to terminate automatically and permanently.
+
+## No Liability
+
+*As far as the law allows, the software comes as is, without any warranty or
+condition, and the licensor will not be liable to you for any damages arising
+out of these terms or the use or nature of the software, under any kind of
+legal claim.*
+
+## Definitions
+
+The **licensor** is the entity offering these terms, and the **software** is the
+software the licensor makes available under these terms, including any portion
+of it.
+
+**you** refers to the individual or entity agreeing to these terms.
+
+**your company** is any legal entity, sole proprietorship, or other kind of
+organization that you work for, plus all organizations that have control over,
+are under the control of, or are under common control with that
+organization. **control** means ownership of substantially all the assets of an
+entity, or the power to direct its management and policies by vote, contract, or
+otherwise. Control can be direct or indirect.
+
+**your licenses** are all the licenses granted to you for the software under
+these terms.
+
+**use** means anything you do with the software requiring one of your licenses.
+
+**trademark** means trademarks, service marks, and similar rights.
diff --git a/packages/aws_cloudtrail_otel/changelog.yml b/packages/aws_cloudtrail_otel/changelog.yml
new file mode 100644
index 00000000000..3c2a5ceb27a
--- /dev/null
+++ b/packages/aws_cloudtrail_otel/changelog.yml
@@ -0,0 +1,6 @@
+# newer versions go on top
+- version: "0.1.0"
+ changes:
+ - description: Initial draft of the AWS CloudTrail Logs OpenTelemetry Assets package
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/15644
diff --git a/packages/aws_cloudtrail_otel/docs/README.md b/packages/aws_cloudtrail_otel/docs/README.md
new file mode 100644
index 00000000000..b629fa647bc
--- /dev/null
+++ b/packages/aws_cloudtrail_otel/docs/README.md
@@ -0,0 +1,25 @@
+# AWS CloudTrail Logs OpenTelemetry Assets
+
+## Overview
+
+The AWS CloudTrail OpenTelemetry Assets allow you to monitor [Amazon CloudTrail logs](https://docs.aws.amazon.com/cloudtrail/). With AWS CloudTrail, you can monitor your AWS deployments in the cloud by getting a history of AWS API calls for your account, including API calls made by using the AWS Management Console, the AWS SDKs, the command line tools, and higher-level AWS services.
+
+The [EDOT Cloud Forwarder for AWS](https://www.elastic.co/docs/reference/opentelemetry/edot-cloud-forwarder/aws) enables you to collect **CloudTrail Logs** from Amazon S3 and forward them directly into Elastic Observability. Use this integration to visualize that data in Kibana, create alerts to notify you if something goes wrong, and reference logs when troubleshooting an issue.
+
+## What do I need to use this integration?
+
+You need an Elastic Observability project (**Serverless only**) for storing, analyzing, and visualizing your CloudTrail logs.
+
+From the AWS side, to collect CloudTrail logs, you need:
+
+- An S3 bucket for storing logs
+- CloudTrail trail configured with S3 bucket as log storage destination
+
+## How do I deploy this integration?
+
+For step-by-step instructions on how to set up an EDOT Cloud Forwarder for AWS, see the
+[EDOT Cloud Forwarder for AWS](https://www.elastic.co/docs/reference/opentelemetry/edot-cloud-forwarder/aws) guide.
+
+## Logs Reference
+
+For a complete list of all available logs and their detailed descriptions, refer to the [OpenTelemetry AWS Logs encoding extension](https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/extension/encoding/awslogsencodingextension#cloudtrail-log-record-fields)
\ No newline at end of file
diff --git a/packages/aws_cloudtrail_otel/img/dashboard.png b/packages/aws_cloudtrail_otel/img/dashboard.png
new file mode 100644
index 00000000000..a09ac68bd2b
Binary files /dev/null and b/packages/aws_cloudtrail_otel/img/dashboard.png differ
diff --git a/packages/aws_cloudtrail_otel/img/dashboard_continued.png b/packages/aws_cloudtrail_otel/img/dashboard_continued.png
new file mode 100644
index 00000000000..f2f802a05b2
Binary files /dev/null and b/packages/aws_cloudtrail_otel/img/dashboard_continued.png differ
diff --git a/packages/aws_cloudtrail_otel/img/logo_cloudtrail_otel.svg b/packages/aws_cloudtrail_otel/img/logo_cloudtrail_otel.svg
new file mode 100644
index 00000000000..93922ecbbfb
--- /dev/null
+++ b/packages/aws_cloudtrail_otel/img/logo_cloudtrail_otel.svg
@@ -0,0 +1,26 @@
+
\ No newline at end of file
diff --git a/packages/aws_cloudtrail_otel/kibana/dashboard/aws_cloudtrail_otel-9bfbe31c-e775-4ee4-9e34-a449e603d109.json b/packages/aws_cloudtrail_otel/kibana/dashboard/aws_cloudtrail_otel-9bfbe31c-e775-4ee4-9e34-a449e603d109.json
new file mode 100644
index 00000000000..ff685366036
--- /dev/null
+++ b/packages/aws_cloudtrail_otel/kibana/dashboard/aws_cloudtrail_otel-9bfbe31c-e775-4ee4-9e34-a449e603d109.json
@@ -0,0 +1,1262 @@
+{
+ "attributes": {
+ "controlGroupInput": {
+ "chainingSystem": "HIERARCHICAL",
+ "controlStyle": "oneLine",
+ "ignoreParentSettingsJSON": {
+ "ignoreFilters": false,
+ "ignoreQuery": false,
+ "ignoreTimerange": false,
+ "ignoreValidations": false
+ },
+ "panelsJSON": {},
+ "showApplySelections": false
+ },
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "aws.cloudtrail.otel"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "aws.cloudtrail.otel"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "optionsJSON": {
+ "hidePanelTitles": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false,
+ "useMargins": true
+ },
+ "panelsJSON": [
+ {
+ "embeddableConfig": {
+ "content": "## AWS CloudTrail Logs Overview\n\nUse this dashboard to visualize CloudTrail Logs.\n\nYou could use this data to:\n- **Visualize CloudTrail activity logs** to quickly identify patterns in API calls and user actions.\n- **Monitor account activity** across AWS services for auditing and compliance purposes.\n- **Detect unusual or unauthorized behavior** by filtering and analyzing access patterns.\n- **Track resource changes** to understand who made modifications and when.\n- **Troubleshoot operational issues** by correlating CloudTrail events with other system metrics.\n- **Generate reports and insights** for security reviews or compliance audits"
+ },
+ "gridData": {
+ "h": 15,
+ "i": "8fe0fc68-740c-47e6-83f1-5b972fb53046",
+ "w": 24,
+ "x": 0,
+ "y": 0
+ },
+ "panelIndex": "8fe0fc68-740c-47e6-83f1-5b972fb53046",
+ "type": "DASHBOARD_MARKDOWN"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "047b9ce1c481e9105458e4238be7cbb304abc176b09c3b4d196d84686c42b5d0": {
+ "allowHidden": false,
+ "allowNoIndex": false,
+ "fieldFormats": {},
+ "id": "047b9ce1c481e9105458e4238be7cbb304abc176b09c3b4d196d84686c42b5d0",
+ "managed": false,
+ "name": "logs*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "logs*",
+ "type": "esql"
+ }
+ },
+ "datasourceStates": {
+ "textBased": {
+ "layers": {
+ "dfe00752-2fd3-4716-95e7-c6187da3dfa6": {
+ "columns": [
+ {
+ "columnId": "total",
+ "customLabel": false,
+ "fieldName": "total",
+ "inMetricDimension": true,
+ "label": "total",
+ "meta": {
+ "esType": "long",
+ "type": "number"
+ }
+ },
+ {
+ "columnId": "outcome",
+ "customLabel": true,
+ "fieldName": "time_bucket",
+ "label": "@timestamp",
+ "meta": {
+ "esType": "date",
+ "params": {
+ "id": "date"
+ },
+ "sourceParams": {
+ "appliedTimeRange": {
+ "from": "2025-10-06T21:00:00.000Z",
+ "to": "2025-10-14T09:22:02.010Z"
+ },
+ "indexPattern": "logs*",
+ "params": {},
+ "sourceField": "time_bucket"
+ },
+ "type": "date"
+ }
+ },
+ {
+ "columnId": "58715393-c8b0-445d-ac9b-e65dc10a994a",
+ "fieldName": "outcome",
+ "label": "outcome",
+ "meta": {
+ "esType": "keyword",
+ "params": {
+ "id": "string"
+ },
+ "sourceParams": {
+ "indexPattern": "logs*",
+ "sourceField": "outcome"
+ },
+ "type": "string"
+ }
+ }
+ ],
+ "index": "047b9ce1c481e9105458e4238be7cbb304abc176b09c3b4d196d84686c42b5d0",
+ "query": {
+ "esql": "FROM logs*\n| EVAL outcome = CASE(aws.error.code IS NOT NULL, \"Fail\", \"Success\")\n| KEEP outcome, @timestamp\n| STATS total = COUNT() BY outcome, time_bucket = BUCKET(@timestamp, 50, ?_tstart, ?_tend)"
+ },
+ "timeField": "@timestamp"
+ }
+ }
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "047b9ce1c481e9105458e4238be7cbb304abc176b09c3b4d196d84686c42b5d0",
+ "name": "textBasedLanguages-datasource-layer-dfe00752-2fd3-4716-95e7-c6187da3dfa6",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "esql": "FROM logs*\n| EVAL outcome = CASE(aws.error.code IS NOT NULL, \"Fail\", \"Success\")\n| KEEP outcome, @timestamp\n| STATS total = COUNT() BY outcome, time_bucket = BUCKET(@timestamp, 50, ?_tstart, ?_tend)"
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "fittingFunction": "Linear",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "total"
+ ],
+ "colorMapping": {
+ "assignments": [],
+ "colorMode": {
+ "type": "categorical"
+ },
+ "paletteId": "default",
+ "specialAssignments": [
+ {
+ "color": {
+ "type": "loop"
+ },
+ "rules": [
+ {
+ "type": "other"
+ }
+ ],
+ "touched": false
+ }
+ ]
+ },
+ "layerId": "dfe00752-2fd3-4716-95e7-c6187da3dfa6",
+ "layerType": "data",
+ "seriesType": "area",
+ "splitAccessor": "58715393-c8b0-445d-ac9b-e65dc10a994a",
+ "xAccessor": "outcome"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right"
+ },
+ "preferredSeriesType": "area",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "yTitle": "Events"
+ }
+ },
+ "title": "Treemap",
+ "type": "lens",
+ "version": 1,
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [],
+ "query": {
+ "esql": "FROM logs*\n| EVAL outcome = CASE(aws.error.code IS NOT NULL, \"Fail\", \"Success\")\n| KEEP outcome, @timestamp\n| STATS total = COUNT() BY outcome, time_bucket = BUCKET(@timestamp, 50, ?_tstart, ?_tend)"
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false,
+ "title": "Event outcome over time"
+ },
+ "gridData": {
+ "h": 15,
+ "i": "d5c3ea68-52bf-43ac-a59b-61f73682a233",
+ "w": 24,
+ "x": 24,
+ "y": 0
+ },
+ "panelIndex": "d5c3ea68-52bf-43ac-a59b-61f73682a233",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "047b9ce1c481e9105458e4238be7cbb304abc176b09c3b4d196d84686c42b5d0": {
+ "allowHidden": false,
+ "allowNoIndex": false,
+ "fieldFormats": {},
+ "id": "047b9ce1c481e9105458e4238be7cbb304abc176b09c3b4d196d84686c42b5d0",
+ "managed": false,
+ "name": "logs*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "logs*",
+ "type": "esql"
+ }
+ },
+ "datasourceStates": {
+ "textBased": {
+ "indexPatternRefs": [
+ {
+ "id": "047b9ce1c481e9105458e4238be7cbb304abc176b09c3b4d196d84686c42b5d0",
+ "timeField": "@timestamp",
+ "title": "logs*"
+ }
+ ],
+ "layers": {
+ "7f82f10e-3ef6-40a5-bff5-e46ec8416e09": {
+ "columns": [
+ {
+ "columnId": "total",
+ "customLabel": false,
+ "fieldName": "total",
+ "inMetricDimension": true,
+ "label": "total",
+ "meta": {
+ "esType": "long",
+ "type": "number"
+ }
+ },
+ {
+ "columnId": "rpc.service",
+ "customLabel": false,
+ "fieldName": "rpc.service",
+ "label": "rpc.service",
+ "meta": {
+ "esType": "keyword",
+ "type": "string"
+ }
+ },
+ {
+ "columnId": "rpc.method",
+ "customLabel": false,
+ "fieldName": "rpc.method",
+ "label": "rpc.method",
+ "meta": {
+ "esType": "keyword",
+ "type": "string"
+ }
+ }
+ ],
+ "index": "047b9ce1c481e9105458e4238be7cbb304abc176b09c3b4d196d84686c42b5d0",
+ "query": {
+ "esql": "FROM logs*\n| WHERE rpc.service IS NOT NULL\n| STATS total = COUNT() BY rpc.service, rpc.method\n| KEEP total, rpc.service, rpc.method\n| SORT total DESC"
+ },
+ "timeField": "@timestamp"
+ }
+ }
+ }
+ },
+ "filters": [],
+ "needsRefresh": false,
+ "query": {
+ "esql": "FROM logs*\n| WHERE rpc.service IS NOT NULL\n| STATS total = COUNT() BY rpc.service, rpc.method\n| KEEP total, rpc.service, rpc.method\n| SORT total DESC"
+ },
+ "visualization": {
+ "layers": [
+ {
+ "categoryDisplay": "default",
+ "colorMapping": {
+ "assignments": [],
+ "colorMode": {
+ "type": "categorical"
+ },
+ "paletteId": "default",
+ "specialAssignments": [
+ {
+ "color": {
+ "type": "loop"
+ },
+ "rules": [
+ {
+ "type": "other"
+ }
+ ],
+ "touched": false
+ }
+ ]
+ },
+ "emptySizeRatio": 0.3,
+ "layerId": "7f82f10e-3ef6-40a5-bff5-e46ec8416e09",
+ "layerType": "data",
+ "legendDisplay": "default",
+ "legendMaxLines": 2,
+ "legendSize": "xlarge",
+ "metrics": [
+ "total"
+ ],
+ "nestedLegend": false,
+ "numberDisplay": "percent",
+ "primaryGroups": [
+ "rpc.service",
+ "rpc.method"
+ ]
+ }
+ ],
+ "shape": "donut"
+ }
+ },
+ "title": "Bar vertical stacked",
+ "version": 1,
+ "visualizationType": "lnsPie"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [],
+ "query": {
+ "esql": "FROM logs*\n| WHERE rpc.service IS NOT NULL\n| STATS total = COUNT() BY rpc.service, rpc.method\n| KEEP total, rpc.service, rpc.method\n| SORT total DESC"
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false,
+ "title": "Logs by service and action"
+ },
+ "gridData": {
+ "h": 15,
+ "i": "9fffcc40-0ed5-44b6-8d48-0c6d13dfdf66",
+ "w": 24,
+ "x": 0,
+ "y": 15
+ },
+ "panelIndex": "9fffcc40-0ed5-44b6-8d48-0c6d13dfdf66",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "047b9ce1c481e9105458e4238be7cbb304abc176b09c3b4d196d84686c42b5d0": {
+ "allowHidden": false,
+ "allowNoIndex": false,
+ "fieldFormats": {},
+ "id": "047b9ce1c481e9105458e4238be7cbb304abc176b09c3b4d196d84686c42b5d0",
+ "managed": false,
+ "name": "logs*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "logs*",
+ "type": "esql"
+ }
+ },
+ "datasourceStates": {
+ "textBased": {
+ "indexPatternRefs": [
+ {
+ "id": "047b9ce1c481e9105458e4238be7cbb304abc176b09c3b4d196d84686c42b5d0",
+ "timeField": "@timestamp",
+ "title": "logs*"
+ }
+ ],
+ "layers": {
+ "d76ae897-feba-4272-befd-650f9e9945d8": {
+ "columns": [
+ {
+ "columnId": "total",
+ "customLabel": false,
+ "fieldName": "total",
+ "inMetricDimension": true,
+ "label": "total",
+ "meta": {
+ "esType": "long",
+ "type": "number"
+ }
+ },
+ {
+ "columnId": "agent",
+ "customLabel": false,
+ "fieldName": "agent",
+ "label": "agent",
+ "meta": {
+ "esType": "keyword",
+ "type": "string"
+ }
+ }
+ ],
+ "index": "047b9ce1c481e9105458e4238be7cbb304abc176b09c3b4d196d84686c42b5d0",
+ "query": {
+ "esql": "FROM logs*\n| WHERE user_agent.original IS NOT NULL\n| EVAL agent = REPLACE(user_agent.original, \"^\\\\[|\\\\/.*$|\\\\ -\\\\ .*$\", \"\") // Remove leading square bracket, and everything that is after first slash or hyphen (with spaces) including it\n| STATS total = COUNT() by agent\n| KEEP total, agent\n| SORT total DESC"
+ },
+ "timeField": "@timestamp"
+ }
+ }
+ }
+ },
+ "filters": [],
+ "needsRefresh": false,
+ "query": {
+ "esql": "FROM logs*\n| WHERE user_agent.original IS NOT NULL\n| EVAL agent = REPLACE(user_agent.original, \"^\\\\[|\\\\/.*$|\\\\ -\\\\ .*$\", \"\") // Remove leading square bracket, and everything that is after first slash or hyphen (with spaces) including it\n| STATS total = COUNT() by agent\n| KEEP total, agent\n| SORT total DESC"
+ },
+ "visualization": {
+ "layers": [
+ {
+ "categoryDisplay": "default",
+ "colorMapping": {
+ "assignments": [],
+ "colorMode": {
+ "type": "categorical"
+ },
+ "paletteId": "default",
+ "specialAssignments": [
+ {
+ "color": {
+ "type": "loop"
+ },
+ "rules": [
+ {
+ "type": "other"
+ }
+ ],
+ "touched": false
+ }
+ ]
+ },
+ "emptySizeRatio": 0.3,
+ "layerId": "d76ae897-feba-4272-befd-650f9e9945d8",
+ "layerType": "data",
+ "legendDisplay": "show",
+ "legendMaxLines": 2,
+ "legendSize": "xlarge",
+ "metrics": [
+ "total"
+ ],
+ "nestedLegend": false,
+ "numberDisplay": "percent",
+ "primaryGroups": [
+ "agent"
+ ]
+ }
+ ],
+ "shape": "donut"
+ }
+ },
+ "title": "Treemap",
+ "version": 1,
+ "visualizationType": "lnsPie"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [],
+ "query": {
+ "esql": "FROM logs*\n| WHERE user_agent.original IS NOT NULL\n| EVAL agent = REPLACE(user_agent.original, \"^\\\\[|\\\\/.*$|\\\\ -\\\\ .*$\", \"\") // Remove leading square bracket, and everything that is after first slash or hyphen (with spaces) including it\n| STATS total = COUNT() by agent\n| KEEP total, agent\n| SORT total DESC"
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false,
+ "title": "Logs by user agent"
+ },
+ "gridData": {
+ "h": 15,
+ "i": "eaf1810e-1ded-4b44-868f-f55de4b6b27f",
+ "w": 24,
+ "x": 24,
+ "y": 15
+ },
+ "panelIndex": "eaf1810e-1ded-4b44-868f-f55de4b6b27f",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "047b9ce1c481e9105458e4238be7cbb304abc176b09c3b4d196d84686c42b5d0": {
+ "allowHidden": false,
+ "allowNoIndex": false,
+ "fieldFormats": {},
+ "id": "047b9ce1c481e9105458e4238be7cbb304abc176b09c3b4d196d84686c42b5d0",
+ "managed": false,
+ "name": "logs*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "logs*",
+ "type": "esql"
+ }
+ },
+ "datasourceStates": {
+ "textBased": {
+ "indexPatternRefs": [
+ {
+ "id": "047b9ce1c481e9105458e4238be7cbb304abc176b09c3b4d196d84686c42b5d0",
+ "timeField": "@timestamp",
+ "title": "logs*"
+ }
+ ],
+ "layers": {
+ "b7a2381d-9d37-4b2e-9884-11200c1aa274": {
+ "columns": [
+ {
+ "columnId": "total",
+ "customLabel": false,
+ "fieldName": "total",
+ "inMetricDimension": true,
+ "label": "total",
+ "meta": {
+ "esType": "long",
+ "type": "number"
+ }
+ },
+ {
+ "columnId": "rpc.system",
+ "customLabel": false,
+ "fieldName": "rpc.system",
+ "label": "rpc.system",
+ "meta": {
+ "esType": "keyword",
+ "type": "string"
+ }
+ }
+ ],
+ "index": "047b9ce1c481e9105458e4238be7cbb304abc176b09c3b4d196d84686c42b5d0",
+ "query": {
+ "esql": "FROM logs*\n| KEEP rpc.system\n| STATS total = COUNT() by rpc.system\n| SORT total DESC"
+ },
+ "timeField": "@timestamp"
+ }
+ }
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "047b9ce1c481e9105458e4238be7cbb304abc176b09c3b4d196d84686c42b5d0",
+ "name": "textBasedLanguages-datasource-layer-b7a2381d-9d37-4b2e-9884-11200c1aa274",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "esql": "FROM logs*\n| KEEP rpc.system\n| STATS total = COUNT() by rpc.system\n| SORT total DESC"
+ },
+ "visualization": {
+ "layers": [
+ {
+ "categoryDisplay": "default",
+ "colorMapping": {
+ "assignments": [],
+ "colorMode": {
+ "type": "categorical"
+ },
+ "paletteId": "default",
+ "specialAssignments": [
+ {
+ "color": {
+ "type": "loop"
+ },
+ "rules": [
+ {
+ "type": "other"
+ }
+ ],
+ "touched": false
+ }
+ ]
+ },
+ "emptySizeRatio": 0.3,
+ "layerId": "b7a2381d-9d37-4b2e-9884-11200c1aa274",
+ "layerType": "data",
+ "legendDisplay": "show",
+ "legendSize": "xlarge",
+ "metrics": [
+ "total"
+ ],
+ "nestedLegend": false,
+ "numberDisplay": "percent",
+ "primaryGroups": [
+ "rpc.system"
+ ]
+ }
+ ],
+ "shape": "donut"
+ }
+ },
+ "title": "Bar vertical stacked",
+ "type": "lens",
+ "version": 1,
+ "visualizationType": "lnsPie"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [],
+ "query": {
+ "esql": "FROM logs*\n| KEEP rpc.system\n| STATS total = COUNT() by rpc.system\n| SORT total DESC"
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false,
+ "title": "Logs by event type"
+ },
+ "gridData": {
+ "h": 15,
+ "i": "9b6cc6b5-a591-498b-ad7a-aa90f5cd9774",
+ "w": 24,
+ "x": 0,
+ "y": 30
+ },
+ "panelIndex": "9b6cc6b5-a591-498b-ad7a-aa90f5cd9774",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "047b9ce1c481e9105458e4238be7cbb304abc176b09c3b4d196d84686c42b5d0": {
+ "allowHidden": false,
+ "allowNoIndex": false,
+ "fieldFormats": {},
+ "id": "047b9ce1c481e9105458e4238be7cbb304abc176b09c3b4d196d84686c42b5d0",
+ "managed": false,
+ "name": "logs*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "logs*",
+ "type": "esql"
+ }
+ },
+ "datasourceStates": {
+ "textBased": {
+ "indexPatternRefs": [
+ {
+ "id": "047b9ce1c481e9105458e4238be7cbb304abc176b09c3b4d196d84686c42b5d0",
+ "timeField": "@timestamp",
+ "title": "logs*"
+ }
+ ],
+ "layers": {
+ "906d7cc3-10d5-4591-9bab-953eb302ef27": {
+ "columns": [
+ {
+ "columnId": "total",
+ "customLabel": false,
+ "fieldName": "total",
+ "inMetricDimension": true,
+ "label": "total",
+ "meta": {
+ "esType": "long",
+ "type": "number"
+ }
+ },
+ {
+ "columnId": "aws.error.code",
+ "customLabel": false,
+ "fieldName": "aws.error.code",
+ "label": "aws.error.code",
+ "meta": {
+ "esType": "keyword",
+ "type": "string"
+ }
+ }
+ ],
+ "index": "047b9ce1c481e9105458e4238be7cbb304abc176b09c3b4d196d84686c42b5d0",
+ "query": {
+ "esql": "FROM logs*\n| WHERE aws.error.code IS NOT NULL\n| KEEP aws.error.code\n| STATS total = COUNT() BY aws.error.code\n| SORT total DESC"
+ },
+ "timeField": "@timestamp"
+ }
+ }
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "047b9ce1c481e9105458e4238be7cbb304abc176b09c3b4d196d84686c42b5d0",
+ "name": "textBasedLanguages-datasource-layer-906d7cc3-10d5-4591-9bab-953eb302ef27",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "esql": "FROM logs*\n| WHERE aws.error.code IS NOT NULL\n| KEEP aws.error.code\n| STATS total = COUNT() BY aws.error.code\n| SORT total DESC"
+ },
+ "visualization": {
+ "layers": [
+ {
+ "categoryDisplay": "default",
+ "colorMapping": {
+ "assignments": [],
+ "colorMode": {
+ "type": "categorical"
+ },
+ "paletteId": "default",
+ "specialAssignments": [
+ {
+ "color": {
+ "type": "loop"
+ },
+ "rules": [
+ {
+ "type": "other"
+ }
+ ],
+ "touched": false
+ }
+ ]
+ },
+ "emptySizeRatio": 0.3,
+ "layerId": "906d7cc3-10d5-4591-9bab-953eb302ef27",
+ "layerType": "data",
+ "legendDisplay": "show",
+ "legendMaxLines": 2,
+ "legendSize": "xlarge",
+ "metrics": [
+ "total"
+ ],
+ "nestedLegend": false,
+ "numberDisplay": "percent",
+ "primaryGroups": [
+ "aws.error.code"
+ ]
+ }
+ ],
+ "shape": "donut"
+ }
+ },
+ "title": "Bar vertical stacked",
+ "type": "lens",
+ "version": 1,
+ "visualizationType": "lnsPie"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [],
+ "query": {
+ "esql": "FROM logs*\n| WHERE aws.error.code IS NOT NULL\n| KEEP aws.error.code\n| STATS total = COUNT() BY aws.error.code\n| SORT total DESC"
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false,
+ "title": "Failed operations by error code"
+ },
+ "gridData": {
+ "h": 15,
+ "i": "11f19662-21ff-4014-9c23-2bd13efeacc7",
+ "w": 24,
+ "x": 24,
+ "y": 30
+ },
+ "panelIndex": "11f19662-21ff-4014-9c23-2bd13efeacc7",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "047b9ce1c481e9105458e4238be7cbb304abc176b09c3b4d196d84686c42b5d0": {
+ "allowHidden": false,
+ "allowNoIndex": false,
+ "fieldFormats": {},
+ "id": "047b9ce1c481e9105458e4238be7cbb304abc176b09c3b4d196d84686c42b5d0",
+ "managed": false,
+ "name": "logs*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "logs*",
+ "type": "esql"
+ }
+ },
+ "datasourceStates": {
+ "textBased": {
+ "indexPatternRefs": [
+ {
+ "id": "047b9ce1c481e9105458e4238be7cbb304abc176b09c3b4d196d84686c42b5d0",
+ "timeField": "@timestamp",
+ "title": "logs*"
+ }
+ ],
+ "layers": {
+ "25487c5b-c5ab-4f0f-9175-05b928babe8c": {
+ "allColumns": [
+ {
+ "columnId": "total",
+ "customLabel": false,
+ "fieldName": "total",
+ "inMetricDimension": true,
+ "label": "total",
+ "meta": {
+ "esType": "long",
+ "type": "number"
+ }
+ },
+ {
+ "columnId": "0e61e4ef-b235-43a5-ae2e-c05855c15e67",
+ "fieldName": "aws.access_key.id",
+ "label": "aws.access_key.id",
+ "meta": {
+ "esType": "keyword",
+ "params": {
+ "id": "string"
+ },
+ "sourceParams": {
+ "indexPattern": "logs*",
+ "sourceField": "aws.access_key.id"
+ },
+ "type": "string"
+ }
+ },
+ {
+ "columnId": "aws.access_key.id",
+ "fieldName": "aws.access_key.id",
+ "label": "aws.access_key.id",
+ "meta": {
+ "esType": "keyword",
+ "type": "string"
+ }
+ }
+ ],
+ "columns": [
+ {
+ "columnId": "0e61e4ef-b235-43a5-ae2e-c05855c15e67",
+ "customLabel": true,
+ "fieldName": "aws.access_key.id",
+ "label": "User ID",
+ "meta": {
+ "esType": "keyword",
+ "params": {
+ "id": "string"
+ },
+ "sourceParams": {
+ "indexPattern": "logs*",
+ "sourceField": "aws.access_key.id"
+ },
+ "type": "string"
+ }
+ },
+ {
+ "columnId": "total",
+ "customLabel": true,
+ "fieldName": "total",
+ "inMetricDimension": true,
+ "label": "Events",
+ "meta": {
+ "esType": "long",
+ "type": "number"
+ }
+ }
+ ],
+ "index": "047b9ce1c481e9105458e4238be7cbb304abc176b09c3b4d196d84686c42b5d0",
+ "query": {
+ "esql": "FROM logs*\n| KEEP aws.access_key.id\n| STATS total = COUNT() by aws.access_key.id\n| SORT total DESC"
+ },
+ "timeField": "@timestamp"
+ }
+ }
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "047b9ce1c481e9105458e4238be7cbb304abc176b09c3b4d196d84686c42b5d0",
+ "name": "textBasedLanguages-datasource-layer-25487c5b-c5ab-4f0f-9175-05b928babe8c",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "esql": "FROM logs*\n| KEEP aws.access_key.id\n| STATS total = COUNT() by aws.access_key.id\n| SORT total DESC"
+ },
+ "visualization": {
+ "columns": [
+ {
+ "alignment": "left",
+ "columnId": "total",
+ "isMetric": true,
+ "isTransposed": false
+ },
+ {
+ "columnId": "0e61e4ef-b235-43a5-ae2e-c05855c15e67",
+ "isMetric": true,
+ "isTransposed": false
+ }
+ ],
+ "layerId": "25487c5b-c5ab-4f0f-9175-05b928babe8c",
+ "layerType": "data",
+ "paging": {
+ "enabled": true,
+ "size": 10
+ }
+ }
+ },
+ "title": "Bar vertical stacked",
+ "type": "lens",
+ "version": 1,
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [],
+ "query": {
+ "esql": "FROM logs*\n| KEEP aws.access_key.id\n| STATS total = COUNT() by aws.access_key.id\n| SORT total DESC"
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false,
+ "title": "Top User IDs"
+ },
+ "gridData": {
+ "h": 15,
+ "i": "d85f7996-c13e-4d59-88c1-e6511f3da963",
+ "w": 17,
+ "x": 31,
+ "y": 45
+ },
+ "panelIndex": "d85f7996-c13e-4d59-88c1-e6511f3da963",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "047b9ce1c481e9105458e4238be7cbb304abc176b09c3b4d196d84686c42b5d0": {
+ "allowHidden": false,
+ "allowNoIndex": false,
+ "fieldFormats": {},
+ "id": "047b9ce1c481e9105458e4238be7cbb304abc176b09c3b4d196d84686c42b5d0",
+ "managed": false,
+ "name": "logs*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "logs*",
+ "type": "esql"
+ }
+ },
+ "datasourceStates": {
+ "textBased": {
+ "indexPatternRefs": [
+ {
+ "id": "047b9ce1c481e9105458e4238be7cbb304abc176b09c3b4d196d84686c42b5d0",
+ "timeField": "@timestamp",
+ "title": "logs*"
+ }
+ ],
+ "layers": {
+ "3cf5753b-b930-4606-a601-c7318d8459de": {
+ "columns": [
+ {
+ "columnId": "@timestamp",
+ "customLabel": false,
+ "fieldName": "@timestamp",
+ "inMetricDimension": true,
+ "label": "@timestamp",
+ "meta": {
+ "esType": "date",
+ "type": "date"
+ }
+ },
+ {
+ "columnId": "d6e90c83-cae7-44e4-8d3c-8cac1b182022",
+ "customLabel": true,
+ "fieldName": "aws.access_key.id",
+ "label": "Access key ID",
+ "meta": {
+ "esType": "keyword",
+ "params": {
+ "id": "string"
+ },
+ "sourceParams": {
+ "indexPattern": "logs*",
+ "sourceField": "aws.access_key.id"
+ },
+ "type": "string"
+ }
+ },
+ {
+ "columnId": "ea24e826-15e2-4a17-806f-82f9830e6350",
+ "customLabel": true,
+ "fieldName": "rpc.service",
+ "label": "Service",
+ "meta": {
+ "esType": "keyword",
+ "params": {
+ "id": "string"
+ },
+ "sourceParams": {
+ "indexPattern": "logs*",
+ "sourceField": "rpc.service"
+ },
+ "type": "string"
+ }
+ },
+ {
+ "columnId": "042edc0f-2cf9-4d0e-993b-816edaf2f466",
+ "customLabel": true,
+ "fieldName": "rpc.system",
+ "label": "Event type",
+ "meta": {
+ "esType": "keyword",
+ "params": {
+ "id": "string"
+ },
+ "sourceParams": {
+ "indexPattern": "logs*",
+ "sourceField": "rpc.system"
+ },
+ "type": "string"
+ }
+ },
+ {
+ "columnId": "f04abe17-b427-4e76-8650-833be58f36c9",
+ "customLabel": true,
+ "fieldName": "rpc.method",
+ "label": "Action",
+ "meta": {
+ "esType": "keyword",
+ "params": {
+ "id": "string"
+ },
+ "sourceParams": {
+ "indexPattern": "logs*",
+ "sourceField": "rpc.method"
+ },
+ "type": "string"
+ }
+ },
+ {
+ "columnId": "de2ae2d1-9b3b-48cb-9d7b-9380e7cf1d8b",
+ "customLabel": true,
+ "fieldName": "aws.error.code",
+ "label": "Error code",
+ "meta": {
+ "esType": "keyword",
+ "params": {
+ "id": "string"
+ },
+ "sourceParams": {
+ "indexPattern": "logs*",
+ "sourceField": "aws.error.code"
+ },
+ "type": "string"
+ }
+ },
+ {
+ "columnId": "47f478f5-0972-4f83-b349-27c568415024",
+ "customLabel": true,
+ "fieldName": "source.address",
+ "label": "Source address",
+ "meta": {
+ "esType": "keyword",
+ "params": {
+ "id": "string"
+ },
+ "sourceParams": {
+ "indexPattern": "logs*",
+ "sourceField": "source.address"
+ },
+ "type": "string"
+ }
+ }
+ ],
+ "index": "047b9ce1c481e9105458e4238be7cbb304abc176b09c3b4d196d84686c42b5d0",
+ "query": {
+ "esql": "FROM logs*"
+ },
+ "timeField": "@timestamp"
+ }
+ }
+ }
+ },
+ "filters": [],
+ "needsRefresh": false,
+ "query": {
+ "esql": "FROM logs*"
+ },
+ "visualization": {
+ "columns": [
+ {
+ "columnId": "@timestamp",
+ "width": 221.57142857142858
+ },
+ {
+ "columnId": "d6e90c83-cae7-44e4-8d3c-8cac1b182022",
+ "isMetric": true,
+ "isTransposed": false,
+ "width": 194.73809523809524
+ },
+ {
+ "columnId": "ea24e826-15e2-4a17-806f-82f9830e6350",
+ "isMetric": true,
+ "isTransposed": false
+ },
+ {
+ "columnId": "042edc0f-2cf9-4d0e-993b-816edaf2f466",
+ "isMetric": true,
+ "isTransposed": false,
+ "width": 110.73809523809524
+ },
+ {
+ "columnId": "f04abe17-b427-4e76-8650-833be58f36c9",
+ "isMetric": true,
+ "isTransposed": false,
+ "width": 187.23809523809524
+ },
+ {
+ "columnId": "de2ae2d1-9b3b-48cb-9d7b-9380e7cf1d8b",
+ "isMetric": true,
+ "isTransposed": false
+ },
+ {
+ "columnId": "47f478f5-0972-4f83-b349-27c568415024",
+ "isMetric": true,
+ "isTransposed": false
+ }
+ ],
+ "density": "normal",
+ "layerId": "3cf5753b-b930-4606-a601-c7318d8459de",
+ "layerType": "data",
+ "paging": {
+ "enabled": true,
+ "size": 10
+ }
+ }
+ },
+ "title": "",
+ "version": 1,
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [],
+ "query": {
+ "esql": "FROM logs*"
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "24eb9660-7a5b-4ecb-9abf-70ec72471782",
+ "w": 31,
+ "x": 0,
+ "y": 45
+ },
+ "panelIndex": "24eb9660-7a5b-4ecb-9abf-70ec72471782",
+ "type": "lens"
+ }
+ ],
+ "timeRestore": false,
+ "title": "[AWS CloudTrail OTEL] CloudTrail Logs Overview",
+ "version": 1
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2025-10-14T07:53:18.989Z",
+ "created_by": "u_ZYj7dGTEOgapsGLTf8GS1lTKCU-wzK795nZmlm714so_0",
+ "id": "aws_cloudtrail_otel-9bfbe31c-e775-4ee4-9e34-a449e603d109",
+ "references": [
+ {
+ "id": "56b40a51-690a-4354-8659-66a579d2b184",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "dashboard",
+ "typeMigrationVersion": "10.3.0",
+ "updated_by": "u_ZYj7dGTEOgapsGLTf8GS1lTKCU-wzK795nZmlm714so_0"
+}
\ No newline at end of file
diff --git a/packages/aws_cloudtrail_otel/manifest.yml b/packages/aws_cloudtrail_otel/manifest.yml
new file mode 100644
index 00000000000..8ef91cf6e47
--- /dev/null
+++ b/packages/aws_cloudtrail_otel/manifest.yml
@@ -0,0 +1,39 @@
+format_version: 3.5.0
+name: aws_cloudtrail_otel
+title: "AWS CloudTrail Logs OpenTelemetry Assets"
+version: 0.1.0
+source:
+ license: "Elastic-2.0"
+description: "AWS CloudTrail Logs OpenTelemetry Assets"
+type: content
+categories:
+ - aws
+ - cloud
+ - web
+ - observability
+ - opentelemetry
+conditions:
+ kibana:
+ version: "^9.2.0"
+ elastic:
+ subscription: "basic"
+discovery:
+ datasets:
+ - name: aws.cloudtrail.otel
+screenshots:
+ - src: /img/dashboard.png
+ title: Dashboard screenshot
+ size: 600x600
+ type: image/png
+ - src: /img/dashboard_continued.png
+ title: Dashboard screenshot (continuation)
+ size: 600x600
+ type: image/png
+icons:
+ - src: /img/logo_cloudtrail_otel.svg
+ title: Logo
+ size: 32x32
+ type: image/svg+xml
+owner:
+ github: elastic/obs-infraobs-integrations
+ type: elastic
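Review bot: The `discovery.datasets` entry declares `aws.cloudtrail.otel`, yet every Lens panel in the dashboard hunk above runs its ES|QL against `FROM logs*`, so on a shared cluster the "Top User IDs" panel and the access-key table will aggregate `aws.access_key.id` and `source.address` from every logs index, not only from this package's dataset. It would be safer for the panels to read from the CloudTrail data stream only (whatever index the collector writes to for this dataset — confirm before narrowing), and worth a one-line note in this manifest's `description` that the assets assume the OTel CloudTrail receiver as the only source of those fields. The `description` currently just repeats the `title`; `description: "Kibana dashboards for AWS CloudTrail logs collected through the OpenTelemetry Collector (dataset aws.cloudtrail.otel)"` would say what the package contains.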
diff --git a/packages/azure/changelog.yml b/packages/azure/changelog.yml
index 1388d10eb64..ca351949c2c 100644
--- a/packages/azure/changelog.yml
+++ b/packages/azure/changelog.yml
@@ -1,3 +1,8 @@
+- version: "1.30.0"
+ changes:
+ - description: Add processor version options for the Raw Events (v1) integration.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/15900
- version: "1.29.1"
changes:
- description: Update `time` formats parsing and fix `durationMs` parsing in signinlogs data stream.
diff --git a/packages/azure/data_stream/eventhub/agent/stream/stream.yml.hbs b/packages/azure/data_stream/eventhub/agent/stream/stream.yml.hbs
index 40c0dd21700..2d3f4ae5b87 100644
--- a/packages/azure/data_stream/eventhub/agent/stream/stream.yml.hbs
+++ b/packages/azure/data_stream/eventhub/agent/stream/stream.yml.hbs
@@ -19,10 +19,31 @@ storage_account: {{storage_account}}
{{/if}}
{{#if storage_account_key}}
storage_account_key: {{storage_account_key}}
+storage_account_connection_string: DefaultEndpointsProtocol=https;AccountName={{storage_account}};AccountKey={{storage_account_key}};EndpointSuffix={{endpoint_suffix}}
{{/if}}
{{#if resource_manager_endpoint}}
resource_manager_endpoint: {{resource_manager_endpoint}}
{{/if}}
+
+{{#if processor_version}}
+processor_version: {{processor_version}}
+{{/if}}
+{{#if migrate_checkpoint}}
+migrate_checkpoint: {{migrate_checkpoint}}
+{{/if}}
+{{#if processor_update_interval}}
+processor_update_interval: {{processor_update_interval}}
+{{/if}}
+{{#if processor_start_position}}
+processor_start_position: {{processor_start_position}}
+{{/if}}
+{{#if partition_receive_timeout}}
+partition_receive_timeout: {{partition_receive_timeout}}
+{{/if}}
+{{#if partition_receive_count}}
+partition_receive_count: {{partition_receive_count}}
+{{/if}}
+
data_stream:
dataset: {{data_stream.dataset}}
tags:
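Review bot: The `storage_account_connection_string` line added at the top of the hunk re-embeds the storage account key in the rendered stream configuration, so there are now two copies of the secret in the policy output; confirm that the input and Fleet redact this derived value wherever `storage_account_key` is already redacted (diagnostics bundles, policy dumps, debug logging), since a derived plain string can fall outside the secret handling applied to the variable itself. The line is also emitted whenever `storage_account_key` is set, regardless of `processor_version`, while the `endpoint_suffix` it interpolates is documented as "(Processor v2 only)" in the data stream manifest of this same change, so either the guard or the label is inaccurate. A template comment above the line would make the intent explicit for the next maintainer: `{{! connection string derived from storage_account_key and endpoint_suffix; contains the secret key }}`.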
diff --git a/packages/azure/data_stream/eventhub/manifest.yml b/packages/azure/data_stream/eventhub/manifest.yml
index 2dc49caa7e8..f6ebb77b9fb 100644
--- a/packages/azure/data_stream/eventhub/manifest.yml
+++ b/packages/azure/data_stream/eventhub/manifest.yml
@@ -74,6 +74,104 @@ streams:
type: bool
multi: false
default: false
+
+ #
+ # Processor v2 only settings
+ #
+ - name: processor_version
+ type: select
+ title: Processor version
+ multi: false
+ required: false
+ show_user: false
+ default: v1
+ options:
+ - text: v1
+ value: v1
+ - text: v2
+ value: v2
+ description: "The processor version that the integration should use. Possible values are `v1` and `v2` (preview). \nThe v2 event hub processor is in preview, so using the v1 processor is recommended for typical use cases.\nDefault is `v1`."
+ - name: processor_update_interval
+ type: text
+ title: Processor update interval
+ multi: false
+ required: false
+ show_user: false
+ default: 10s
+ description: >-
+ (Processor v2 only) How often the processor should attempt to claim partitions.
+
+ Default is `10` seconds.
+ - name: processor_start_position
+ type: select
+ title: Processor start position
+ multi: false
+ required: false
+ show_user: false
+ default: earliest
+ options:
+ - text: earliest
+ value: earliest
+ - text: latest
+ value: latest
+ description: >-
+ (Processor v2 only) Controls from what position in the event hub the processor should start processing messages for all partitions.
+
+ Possible values are `earliest` and `latest`.
+
+ `earliest` starts processing messages from the last checkpoint, or the beginning of the event hub if no checkpoint is available.
+
+ `latest` starts processing messages from the the latest event in the event hub and continues to process new events as they arrive.
+
+ Default is `earliest`.
+ - name: partition_receive_timeout
+ type: text
+ title: Partition receive timeout
+ multi: false
+ required: false
+ show_user: false
+ default: 5s
+ description: >-
+ (Processor v2 only) Maximum time to wait before processing the messages received from the event hub.
+
+ The partition consumer waits up to a "receive count" or a "receive timeout", whichever comes first.
+
+ Default is `5` seconds.
+ - name: partition_receive_count
+ type: text
+ title: Partition receive count
+ multi: false
+ required: false
+ show_user: false
+ default: 100
+ description: >-
+ (Processor v2 only) Maximum number of messages from the event hub to wait for before processing them.
+
+ The partition consumer waits up to a "receive count" or a "receive timeout", whichever comes first.
+
+ Default is `100` messages.
+ - name: migrate_checkpoint
+ type: bool
+ title: Migrate checkpoint information
+ multi: false
+ required: false
+ show_user: false
+ default: true
+ description: >-
+ (Processor v2 only) Flag to control if the processor should perform the checkpoint information migration from processor v1 to v2 at startup.
+
+ The checkpoint migration converts the checkpoint information from the v1 format to the v2 format.
+
+ Default is `false`, which means the processor will not perform the checkpoint migration.
+ - name: endpoint_suffix
+ type: text
+ default: core.windows.net
+ required: true
+ title: Storage account endpoint suffix
+ show_user: false
+ description: >-
+ (Processor v2 only) Override the default storage account endpoint suffix.
+
# Ensures agents have permissions to write data to `logs-*-*`
elasticsearch:
dynamic_dataset: true
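Review bot: The `migrate_checkpoint` option declares `default: true`, but its description ends with "Default is `false`, which means the processor will not perform the checkpoint migration."; one of the two is wrong, and the description is what operators read when deciding whether a v1→v2 upgrade will touch their checkpoint state. If migration on startup is the intended default, change the last description line to `Default is \`true\`, which means the processor performs the checkpoint migration at startup.`; otherwise set `default: false`. The same review applies to the `endpoint_suffix` option at the end of the hunk, which is labelled "(Processor v2 only)" although the stream template in this change uses it to build the storage connection string whenever `storage_account_key` is set, independent of `processor_version`.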
diff --git a/packages/azure/data_stream/events/manifest.yml b/packages/azure/data_stream/events/manifest.yml
index a863daf9923..79e4b65c060 100644
--- a/packages/azure/data_stream/events/manifest.yml
+++ b/packages/azure/data_stream/events/manifest.yml
@@ -81,12 +81,17 @@ streams:
multi: false
default: false
- name: processor_version
- type: text
+ type: select
title: Processor version
multi: false
required: false
show_user: false
default: v1
+ options:
+ - text: v1
+ value: v1
+ - text: v2
+ value: v2
description: "The processor version that the integration should use. Possible values are `v1` and `v2` (preview). \nThe v2 event hub processor is in preview, so using the v1 processor is recommended for typical use cases.\nDefault is `v1`."
- name: processor_update_interval
type: text
@@ -100,12 +105,17 @@ streams:
Default is `10` seconds.
- name: processor_start_position
- type: text
+ type: select
title: Processor start position
multi: false
required: false
show_user: false
default: earliest
+ options:
+ - text: earliest
+ value: earliest
+ - text: latest
+ value: latest
description: >-
(Processor v2 only) Controls from what position in the event hub the processor should start processing messages for all partitions.
diff --git a/packages/azure/manifest.yml b/packages/azure/manifest.yml
index 9c717b723b5..0c34ce30311 100644
--- a/packages/azure/manifest.yml
+++ b/packages/azure/manifest.yml
@@ -1,6 +1,6 @@
name: azure
title: Azure Logs
-version: "1.29.1"
+version: "1.30.0"
description: This Elastic integration collects logs from Azure
type: integration
icons:
diff --git a/packages/azure_logs/changelog.yml b/packages/azure_logs/changelog.yml
index 89171ac7064..94f75325d5f 100644
--- a/packages/azure_logs/changelog.yml
+++ b/packages/azure_logs/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
+- version: "0.4.2"
+ changes:
+ - description: Switch `processor_version` and `processor_start_position` configuration options to `select` type (UI change).
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/15900
- version: "0.4.1"
changes:
- description: Add support to override `Endpoint Suffix` based on deployment environment.
diff --git a/packages/azure_logs/manifest.yml b/packages/azure_logs/manifest.yml
index b4bb0f44285..1e3f53e670a 100644
--- a/packages/azure_logs/manifest.yml
+++ b/packages/azure_logs/manifest.yml
@@ -1,7 +1,7 @@
format_version: 3.3.0
name: azure_logs
title: "Custom Azure Logs"
-version: "0.4.1"
+version: "0.4.2"
source:
license: Elastic-2.0
description: "Collect log events from Azure Event Hubs with Elastic Agent"
@@ -138,12 +138,17 @@ policy_templates:
multi: false
default: false
- name: processor_version
- type: text
+ type: select
title: Processor version
multi: false
required: false
show_user: false
default: v1
+ options:
+ - text: v1
+ value: v1
+ - text: v2
+ value: v2
description: "The processor version that the integration should use. Possible values are `v1` and `v2` (preview). \nThe v2 event hub processor is in preview, so using the v1 processor is recommended for typical use cases.\nDefault is `v1`."
- name: processor_update_interval
type: text
@@ -157,12 +162,17 @@ policy_templates:
Default is `10` seconds.
- name: processor_start_position
- type: text
+ type: select
title: Processor start position
multi: false
required: false
show_user: false
default: earliest
+ options:
+ - text: earliest
+ value: earliest
+ - text: latest
+ value: latest
description: >-
(Processor v2 only) Controls from what position in the event hub the processor should start processing messages for all partitions.
diff --git a/packages/azure_metrics/manifest.yml b/packages/azure_metrics/manifest.yml
index 7a9a280349c..b1ea8948f4d 100644
--- a/packages/azure_metrics/manifest.yml
+++ b/packages/azure_metrics/manifest.yml
@@ -19,6 +19,10 @@ categories:
- observability
- azure
- custom
+ # Added containers category to match policy template categories (container_registry, container_instance, and container_service templates reference containers subcategory)
+ - containers
+ # Added datastore category to match policy template categories (database_account template references datastore subcategory)
+ - datastore
conditions:
kibana:
version: "~8.18.8 || ~8.19.5 || ~9.0.8 || ^9.1.5"
diff --git a/packages/box_events/changelog.yml b/packages/box_events/changelog.yml
index 19c409a1894..c86b0f2da27 100644
--- a/packages/box_events/changelog.yml
+++ b/packages/box_events/changelog.yml
@@ -1,4 +1,12 @@
# newer versions go on top
+- version: "3.0.0"
+ changes:
+ - description: |
+ Remove non-ECS fields that are collided with ECS namespace.
+ Following fields will no longer be available:
+ `related.location.lat`, `related.location.lon`, `related.description`, `related.indicator_type`.
+ type: breaking-change
+ link: https://github.com/elastic/integrations/pull/15947
- version: "2.15.1"
changes:
- description: Fix the description of the interval setting.
diff --git a/packages/box_events/data_stream/events/_dev/test/pipeline/test-anomalous-download.log-expected.json b/packages/box_events/data_stream/events/_dev/test/pipeline/test-anomalous-download.log-expected.json
index 8a47b48163f..9934e585c80 100644
--- a/packages/box_events/data_stream/events/_dev/test/pipeline/test-anomalous-download.log-expected.json
+++ b/packages/box_events/data_stream/events/_dev/test/pipeline/test-anomalous-download.log-expected.json
@@ -65,23 +65,11 @@
]
},
"related": {
- "description": [
- "Significant increase in download content week over week, 9200% (25.04 MB) more than last week 12 additional files downloaded week over week)"
- ],
- "indicator_type": [
- "file"
- ],
"ip": [
"1.128.0.0",
"175.16.199.0",
"10.1.2.3"
],
- "location": [
- {
- "lat": 43.88,
- "lon": 125.3228
- }
- ],
"user": [
"Unknown User",
"some@user.com",
@@ -211,22 +199,10 @@
]
},
"related": {
- "description": [
- "Significant increase in download content week over week, 9200% (25.04 MB) more than last week 12 additional files downloaded week over week)"
- ],
- "indicator_type": [
- "file"
- ],
"ip": [
"175.16.199.0",
"10.1.2.3"
],
- "location": [
- {
- "lat": 43.88,
- "lon": 125.3228
- }
- ],
"user": [
"Unknown User",
"some@user.com",
diff --git a/packages/box_events/data_stream/events/_dev/test/pipeline/test-invite.log-expected.json b/packages/box_events/data_stream/events/_dev/test/pipeline/test-invite.log-expected.json
index 7dade973b39..39b0311cfa7 100644
--- a/packages/box_events/data_stream/events/_dev/test/pipeline/test-invite.log-expected.json
+++ b/packages/box_events/data_stream/events/_dev/test/pipeline/test-invite.log-expected.json
@@ -62,12 +62,6 @@
"ip": [
"81.2.69.144"
],
- "location": [
- {
- "lat": 51.5142,
- "lon": -0.0931
- }
- ],
"user": [
"acting@example.com",
"Acting User",
diff --git a/packages/box_events/data_stream/events/_dev/test/pipeline/test-malicious-content.log-expected.json b/packages/box_events/data_stream/events/_dev/test/pipeline/test-malicious-content.log-expected.json
index 915b6019817..9e4691119dd 100644
--- a/packages/box_events/data_stream/events/_dev/test/pipeline/test-malicious-content.log-expected.json
+++ b/packages/box_events/data_stream/events/_dev/test/pipeline/test-malicious-content.log-expected.json
@@ -80,22 +80,10 @@
]
},
"related": {
- "description": [
- "BadMalware, MalwareBot4000, malware.exe Detected by Box Shield from IP 67.43.156.0. This is a really bad file see https://some.link/xyz"
- ],
- "indicator_type": [
- "software"
- ],
"ip": [
"67.43.156.0",
"10.1.2.3"
],
- "location": [
- {
- "lat": 27.5,
- "lon": 90.5
- }
- ],
"user": [
"Unknown User",
"some@email.com",
@@ -220,12 +208,6 @@
]
},
"related": {
- "description": [
- "BadMalware, MalwareBot4000, malware.exe Detected by Box Shield from IP Unknown IP. This is a really bad file see https://some.link/xyz"
- ],
- "indicator_type": [
- "software"
- ],
"user": [
"Unknown User",
"some@email.com",
diff --git a/packages/box_events/data_stream/events/_dev/test/pipeline/test-suspicious-locations.log-expected.json b/packages/box_events/data_stream/events/_dev/test/pipeline/test-suspicious-locations.log-expected.json
index e5a78352ce1..89d9f25ad11 100644
--- a/packages/box_events/data_stream/events/_dev/test/pipeline/test-suspicious-locations.log-expected.json
+++ b/packages/box_events/data_stream/events/_dev/test/pipeline/test-suspicious-locations.log-expected.json
@@ -38,26 +38,10 @@
]
},
"related": {
- "description": [
- "IP 81.2.69.144 was observed to Download file ABC/DEF/xyz.txt by Box Excel Online Previewer"
- ],
- "indicator_type": [
- "ipv4-addr"
- ],
"ip": [
"81.2.69.144",
"67.43.156.0"
],
- "location": [
- {
- "lat": 51.5142,
- "lon": -0.0931
- },
- {
- "lat": 27.5,
- "lon": 90.5
- }
- ],
"user": [
"Unknown User",
"some@email.com",
@@ -135,12 +119,6 @@
]
},
"related": {
- "description": [
- "IP Unknown IP was observed to Download file ABC/DEF/xyz.txt by Box Excel Online Previewer"
- ],
- "indicator_type": [
- "ipv4-addr"
- ],
"user": [
"Unknown User",
"some@email.com",
diff --git a/packages/box_events/data_stream/events/_dev/test/pipeline/test-suspicious-sessions.log-expected.json b/packages/box_events/data_stream/events/_dev/test/pipeline/test-suspicious-sessions.log-expected.json
index b9fab6fb56b..60d8b7f3a12 100644
--- a/packages/box_events/data_stream/events/_dev/test/pipeline/test-suspicious-sessions.log-expected.json
+++ b/packages/box_events/data_stream/events/_dev/test/pipeline/test-suspicious-sessions.log-expected.json
@@ -41,22 +41,10 @@
]
},
"related": {
- "description": [
- "IP 81.2.69.142 was observed to Set shared link expiration file ABC/DEF/xyz.txt by ServiceName"
- ],
- "indicator_type": [
- "user-account"
- ],
"ip": [
"81.2.69.142",
"10.1.2.3"
],
- "location": [
- {
- "lat": 51.5142,
- "lon": -0.0931
- }
- ],
"user": [
"Unknown User",
"a@b.c",
@@ -137,12 +125,6 @@
]
},
"related": {
- "description": [
- "IP Unknown IP was observed to Set shared link expiration file ABC/DEF/xyz.txt by ServiceName"
- ],
- "indicator_type": [
- "user-account"
- ],
"user": [
"Unknown User",
"a@b.c",
diff --git a/packages/box_events/data_stream/events/elasticsearch/ingest_pipeline/default.yml b/packages/box_events/data_stream/events/elasticsearch/ingest_pipeline/default.yml
index 9dc80e38893..ddaf89f357d 100644
--- a/packages/box_events/data_stream/events/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/box_events/data_stream/events/elasticsearch/ingest_pipeline/default.yml
@@ -817,15 +817,6 @@ processors:
if (ctx.related.ip == null) {
ctx.related.ip = new ArrayList();
}
- if (ctx.related.description == null) {
- ctx.related.description = new ArrayList();
- }
- if (ctx.related.location == null) {
- ctx.related.location = new ArrayList();
- }
- if (ctx.related.indicator_type == null) {
- ctx.related.indicator_type = new ArrayList();
- }
}
#
- script:
@@ -865,9 +856,6 @@ processors:
indicator.indicator.put("type","user-account");
ctx.threat.enrichments.add(indicator);
ctx.related.ip.add(geo.ip);
- ctx.related.location.add(geo.location);
- ctx.related.description.add(indicator.indicator.description);
- ctx.related.indicator_type.add(indicator.indicator.type);
}
}
}
@@ -911,9 +899,6 @@ processors:
}
ctx.threat.enrichments.add(indicator);
ctx.related.ip.add(geo.ip);
- ctx.related.location.add(geo.location);
- ctx.related.description.add(indicator.indicator.description);
- ctx.related.indicator_type.add(indicator.indicator.type);
}
- script:
description: Unpack Anomalous Download properties
@@ -944,8 +929,6 @@ processors:
indicator.indicator.type = "file";
ctx.threat.enrichments.add(indicator);
ctx.related.ip.add(ip.ip);
- ctx.related.description.add(indicator.indicator.description);
- ctx.related.indicator_type.add(indicator.indicator.type);
}
}
- script:
@@ -979,10 +962,8 @@ processors:
ctx.threat.indicator.last_seen = ctx.box.additional_details.shield_alert.malware_info.last_seen;
ctx.threat.indicator.reference = ctx.box.additional_details.shield_alert.malware_info.detail_link;
ctx.related.ip.add(ctx.threat.indicator.ip);
- ctx.related.description.add(ctx.threat.indicator.description);
}
ctx.threat.indicator.type = "software";
- ctx.related.indicator_type.add(ctx.threat.indicator.type);
- date:
field: threat.indicator.first_seen
tag: date_threat_indicator_first_seen
@@ -1070,27 +1051,12 @@ processors:
.collect(Collectors.toList());
}
if (ctx.related != null) {
- if (ctx.related.description != null) {
- ctx.related.description = ctx.related.description.stream()
- .distinct()
- .collect(Collectors.toList());
- }
- if (ctx.related.indicator_type != null) {
- ctx.related.indicator_type = ctx.related.indicator_type.stream()
- .distinct()
- .collect(Collectors.toList());
- }
if (ctx.related.ip != null) {
ctx.related.ip = ctx.related.ip.stream()
.filter(Objects::nonNull)
.distinct()
.collect(Collectors.toList());
}
- if (ctx.related.location != null) {
- ctx.related.location = ctx.related.location.stream()
- .distinct()
- .collect(Collectors.toList());
- }
}
if (ctx.box?.additional_details?.shield_alert?.alert_summary?.download_ips != null) {
ctx.box.additional_details.shield_alert.alert_summary.download_ips = ctx.box.additional_details.shield_alert.alert_summary.download_ips.stream()
@@ -1244,42 +1210,6 @@ processors:
field: threat.indicator.ip
target_field: threat.indicator.geo
ignore_missing: true
- - script:
- description: Initialize related.geo prior to geoip
- lang: painless
- source: |
- if (ctx.related?.ip != null) {
- ctx.related.geo = new ArrayList();
- for (ip in ctx.related.ip) {
- Map geo = new HashMap();
- geo.put("ip",ip);
- ctx.related.geo.add(geo);
- }
- }
- - foreach:
- field: related.geo
- ignore_missing: true
- processor:
- geoip:
- field: "_ingest._value.ip"
- target_field: "_ingest._value.location"
- ignore_missing: true
- - script:
- description: Collate derived locations to related.location
- lang: painless
- source: |
- if (ctx.related?.geo != null) {
- ctx.related.location = new ArrayList();
- for (geo in ctx.related.geo) {
- if (geo.location != null) {
- ctx.related.location.add(geo.location.location);
- }
- }
- }
- - remove:
- field: "related.geo"
- ignore_failure: true
- ignore_missing: true
# AS look-ups on enrichments within Array
- foreach:
field: threat.enrichments
diff --git a/packages/box_events/data_stream/events/fields/agent.yml b/packages/box_events/data_stream/events/fields/agent.yml
index 8e1c9f999da..dd2822858e9 100644
--- a/packages/box_events/data_stream/events/fields/agent.yml
+++ b/packages/box_events/data_stream/events/fields/agent.yml
@@ -23,29 +23,3 @@
example: "stretch"
description: >
OS codename, if any.
-
- - name: cpu.pct
- type: scaled_float
- description: >
- Percent CPU used. This value is normalized by the number of CPU cores and it ranges from 0 to 1.
-
- - name: network.in.bytes
- type: long
- description: >
- The number of bytes received on all network interfaces by the host in a given period of time.
-
- - name: network.in.packets
- type: long
- description: >
- The number of packets received on all network interfaces by the host in a given period of time.
-
- - name: network.out.bytes
- type: long
- description: >
- The number of bytes sent out on all network interfaces by the host in a given period of time.
-
- - name: network.out.packets
- type: long
- description: >
- The number of packets sent out on all network interfaces by the host in a given period of time.
-
diff --git a/packages/box_events/data_stream/events/fields/fields.yml b/packages/box_events/data_stream/events/fields/fields.yml
index 026b41bcca3..fbf085bb9da 100644
--- a/packages/box_events/data_stream/events/fields/fields.yml
+++ b/packages/box_events/data_stream/events/fields/fields.yml
@@ -451,22 +451,3 @@
- name: user_name
description: The name of the user that triggered the event.
type: keyword
-- name: related
- type: group
- fields:
- - name: location
- description: Array of `location` derived from `related.ip`
- type: group
- fields:
- - name: lat
- description: Latitude coordinate
- type: float
- - name: lon
- description: Longitude coordinate
- type: float
- - name: description
- description: Array of `description` derived from `threat[.enrichments].indicator.description`
- type: keyword
- - name: indicator_type
- description: Array of `indicator_type` derived from `threat[.enrichments].indicator.type`
- type: keyword
diff --git a/packages/box_events/data_stream/events/sample_event.json b/packages/box_events/data_stream/events/sample_event.json
index 87bb38257ff..6c009404175 100644
--- a/packages/box_events/data_stream/events/sample_event.json
+++ b/packages/box_events/data_stream/events/sample_event.json
@@ -1,11 +1,11 @@
{
"@timestamp": "2019-12-08T08:00:00.000Z",
"agent": {
- "ephemeral_id": "94b3a4ae-4bb4-4a74-bfd3-ad4edaf2021a",
- "id": "92c8c1f0-17a0-411f-9de6-0252b00535f1",
- "name": "elastic-agent-28643",
+ "ephemeral_id": "0c6a6398-e9df-4611-ac15-6d4ed1970bbd",
+ "id": "37d8b826-8d94-4898-80a3-8d444de86b73",
+ "name": "elastic-agent-83895",
"type": "filebeat",
- "version": "9.1.2"
+ "version": "8.13.0"
},
"box": {
"additional_details": {
@@ -23,12 +23,14 @@
"description": "Significant increase in download content week over week, 9200% (25.04 MB) more than last week 12 additional files downloaded week over week)",
"download_delta_percent": 9200,
"download_delta_size": "25 Mb",
- "download_ips": {
- "ip": [
- "1.128.0.0",
- "175.16.199.0"
- ]
- },
+ "download_ips": [
+ {
+ "ip": "1.128.0.0"
+ },
+ {
+ "ip": "175.16.199.0"
+ }
+ ],
"historical_period": {
"date_range": {
"end_date": "2019-12-08T01:01:00-08:00",
@@ -39,7 +41,7 @@
}
}
},
- "created_at": "2019-12-20T19:38:56.000Z",
+ "created_at": "2019-12-20T11:38:56-08:00",
"created_by": {
"id": "2",
"name": "Unknown User",
@@ -51,16 +53,16 @@
},
"data_stream": {
"dataset": "box_events.events",
- "namespace": "26547",
+ "namespace": "94511",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
- "id": "92c8c1f0-17a0-411f-9de6-0252b00535f1",
+ "id": "37d8b826-8d94-4898-80a3-8d444de86b73",
"snapshot": false,
- "version": "9.1.2"
+ "version": "8.13.0"
},
"event": {
"action": "SHIELD_ALERT",
@@ -69,12 +71,11 @@
"threat",
"file"
],
- "created": "2025-09-10T07:32:34.995Z",
+ "created": "2025-11-10T12:04:25.759Z",
"dataset": "box_events.events",
"id": "97f1b31f-f143-4777-81f8-000000000001",
- "ingested": "2025-09-10T07:32:38Z",
+ "ingested": "2025-11-10T12:04:28Z",
"kind": "alert",
- "module": "box_events",
"risk_score": 77,
"type": [
"indicator",
@@ -82,41 +83,38 @@
]
},
"host": {
- "architecture": "aarch64",
- "containerized": false,
- "hostname": "elastic-agent-28643",
+ "architecture": "x86_64",
+ "containerized": true,
+ "hostname": "elastic-agent-83895",
+ "id": "8259e024976a406e8a54cdbffeb84fec",
"ip": [
- "172.21.0.2",
- "172.20.0.4"
+ "192.168.247.2",
+ "192.168.243.7"
],
"mac": [
- "26-74-1B-20-37-65",
- "AE-56-AE-65-93-E8"
+ "02-42-C0-A8-F3-07",
+ "02-42-C0-A8-F7-02"
],
- "name": "elastic-agent-28643",
+ "name": "elastic-agent-83895",
"os": {
- "kernel": "6.10.14-linuxkit",
- "name": "Wolfi",
- "platform": "wolfi",
+ "codename": "focal",
+ "family": "debian",
+ "kernel": "3.10.0-1160.92.1.el7.x86_64",
+ "name": "Ubuntu",
+ "platform": "ubuntu",
"type": "linux",
- "version": "20230201"
+ "version": "20.04.6 LTS (Focal Fossa)"
}
},
"input": {
"type": "httpjson"
},
"related": {
- "description": "Significant increase in download content week over week, 9200% (25.04 MB) more than last week 12 additional files downloaded week over week)",
- "indicator_type": "file",
"ip": [
"1.128.0.0",
"175.16.199.0",
"10.1.2.3"
],
- "location": {
- "lat": 43.88,
- "lon": 125.3228
- },
"user": [
"Unknown User",
"some@user.com",
@@ -130,48 +128,44 @@
"name": "Anomalous Download Rule"
},
"threat": {
- "enrichments": {
- "indicator": {
- "as": {
- "number": 1221,
- "organization": {
- "name": "Telstra Pty Ltd"
- }
- },
- "description": [
- "Significant increase in download content week over week, 9200% (25.04 MB) more than last week 12 additional files downloaded week over week)",
- "Significant increase in download content week over week, 9200% (25.04 MB) more than last week 12 additional files downloaded week over week)"
- ],
- "first_seen": [
- "2019-12-08T09:01:00.000Z",
- "2019-12-08T09:01:00.000Z"
- ],
- "geo": {
- "city_name": "Changchun",
- "continent_name": "Asia",
- "country_iso_code": "CN",
- "country_name": "China",
- "location": {
- "lat": "43.88",
- "lon": "125.3228"
+ "enrichments": [
+ {
+ "indicator": {
+ "as": {
+ "number": 1221,
+ "organization": {
+ "name": "Telstra Pty Ltd"
+ }
+ },
+ "description": "Significant increase in download content week over week, 9200% (25.04 MB) more than last week 12 additional files downloaded week over week)",
+ "first_seen": "2019-12-08T01:01:00-08:00",
+ "ip": "1.128.0.0",
+ "last_seen": "2019-12-15T01:01:00-08:00",
+ "type": "file"
+ }
+ },
+ {
+ "indicator": {
+ "description": "Significant increase in download content week over week, 9200% (25.04 MB) more than last week 12 additional files downloaded week over week)",
+ "first_seen": "2019-12-08T01:01:00-08:00",
+ "geo": {
+ "city_name": "Changchun",
+ "continent_name": "Asia",
+ "country_iso_code": "CN",
+ "country_name": "China",
+ "location": {
+ "lat": 43.88,
+ "lon": 125.3228
+ },
+ "region_iso_code": "CN-22",
+ "region_name": "Jilin Sheng"
},
- "region_iso_code": "CN-22",
- "region_name": "Jilin Sheng"
- },
- "ip": [
- "1.128.0.0",
- "175.16.199.0"
- ],
- "last_seen": [
- "2019-12-15T09:01:00.000Z",
- "2019-12-15T09:01:00.000Z"
- ],
- "type": [
- "file",
- "file"
- ]
+ "ip": "175.16.199.0",
+ "last_seen": "2019-12-15T01:01:00-08:00",
+ "type": "file"
+ }
}
- },
+ ],
"indicator": {
"sightings": 1
}
diff --git a/packages/box_events/docs/README.md b/packages/box_events/docs/README.md
index 42dac91db29..1b09c46a4d6 100644
--- a/packages/box_events/docs/README.md
+++ b/packages/box_events/docs/README.md
@@ -270,18 +270,9 @@ Preserves a raw copy of the original event, added to the field `event.original`.
| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword |
| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | constant_keyword |
| host.containerized | If the host is a container. | boolean |
-| host.cpu.pct | Percent CPU used. This value is normalized by the number of CPU cores and it ranges from 0 to 1. | scaled_float |
-| host.network.in.bytes | The number of bytes received on all network interfaces by the host in a given period of time. | long |
-| host.network.in.packets | The number of packets received on all network interfaces by the host in a given period of time. | long |
-| host.network.out.bytes | The number of bytes sent out on all network interfaces by the host in a given period of time. | long |
-| host.network.out.packets | The number of packets sent out on all network interfaces by the host in a given period of time. | long |
| host.os.build | OS build information. | keyword |
| host.os.codename | OS codename, if any. | keyword |
| input.type | Type of Filebeat input. | keyword |
-| related.description | Array of `description` derived from `threat[.enrichments].indicator.description` | keyword |
-| related.indicator_type | Array of `indicator_type` derived from `threat[.enrichments].indicator.type` | keyword |
-| related.location.lat | Latitude coordinate | float |
-| related.location.lon | Longitude coordinate | float |
| threat.enrichments.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date |
| threat.enrichments.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date |
diff --git a/packages/box_events/manifest.yml b/packages/box_events/manifest.yml
index e77047940ba..b2e0a5c78e0 100644
--- a/packages/box_events/manifest.yml
+++ b/packages/box_events/manifest.yml
@@ -1,7 +1,7 @@
format_version: "3.0.3"
name: box_events
title: Box Events
-version: "2.15.1"
+version: "3.0.0"
description: "Collect logs from Box with Elastic Agent"
type: integration
categories:
diff --git a/packages/cisco_ise/changelog.yml b/packages/cisco_ise/changelog.yml
index edb49a0bb75..ddeea5d601a 100644
--- a/packages/cisco_ise/changelog.yml
+++ b/packages/cisco_ise/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
+- version: "1.30.1"
+ changes:
+ - description: Fixed typo in ingest pipeline processors.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/16016
- version: "1.30.0"
changes:
- description: Preserve event.original on pipeline error.
diff --git a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_passed_authentications.yml b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_passed_authentications.yml
index 38940bc65b7..28bd3e81af4 100644
--- a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_passed_authentications.yml
+++ b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_passed_authentications.yml
@@ -272,14 +272,14 @@ processors:
ignore_failure: true
ignore_empty_value: true
- gsub:
- tag: gsub_cisco_ise_log_endpoind_mac_address_4f873ca8
- field: cisco_ise.log.endpoind.mac.address
+ tag: gsub_cisco_ise_log_endpoint_mac_address_4f873ca8
+ field: cisco_ise.log.endpoint.mac.address
pattern: '[-:.]'
replacement: '-'
ignore_missing: true
- uppercase:
- tag: uppercase_cisco_ise_log_endpoind_mac_address_dfac924d
- field: cisco_ise.log.endpoind.mac.address
+ tag: uppercase_cisco_ise_log_endpoint_mac_address_dfac924d
+ field: cisco_ise.log.endpoint.mac.address
ignore_missing: true
- rename:
tag: rename_cisco_ise_log_log_details_GuestUserName_to_cisco_ise_log_guest_user_name_af4fb284
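Review bot: Both processors at the corrected lines carry `ignore_missing: true`, which is exactly why the `endpoind` misspelling went unnoticed: the MAC normalisation silently never ran and no test failed. Nothing in this hunk adds a pipeline test for the normalised output; a test event with a lower-case, colon-separated MAC asserting the upper-case, dash-separated result would stop a repeat of this. Events indexed before 1.30.1 still hold the raw vendor form in `cisco_ise.log.endpoint.mac.address`, so saved queries or detection rules that match the normalised form should allow for both representations until that data ages out. The processors list continues outside the hunk.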
diff --git a/packages/cisco_ise/manifest.yml b/packages/cisco_ise/manifest.yml
index dd01797b9b3..9333ce32321 100644
--- a/packages/cisco_ise/manifest.yml
+++ b/packages/cisco_ise/manifest.yml
@@ -1,7 +1,7 @@
format_version: "3.0.3"
name: cisco_ise
title: Cisco ISE
-version: "1.30.0"
+version: "1.30.1"
description: Collect logs from Cisco ISE with Elastic Agent.
type: integration
categories:
diff --git a/packages/cloud_asset_inventory/manifest.yml b/packages/cloud_asset_inventory/manifest.yml
index 48392d5d4dc..8c5ece7a1fe 100644
--- a/packages/cloud_asset_inventory/manifest.yml
+++ b/packages/cloud_asset_inventory/manifest.yml
@@ -10,6 +10,8 @@ categories:
- security
- asset_inventory
- cloudsecurity_cdr
+ # Added cloud category to match policy template categories (asset_inventory template references cloud as a top-level category)
+ - cloud
conditions:
kibana:
version: ">=9.2.0"
diff --git a/packages/cloud_security_posture/manifest.yml b/packages/cloud_security_posture/manifest.yml
index b78fa4f92f2..9a01ddbc9d4 100644
--- a/packages/cloud_security_posture/manifest.yml
+++ b/packages/cloud_security_posture/manifest.yml
@@ -11,6 +11,16 @@ categories:
- cloudsecurity_cdr
- misconfiguration_workflow
- vulnerability_workflow
+ # Added containers category to match policy template categories (kspm template references containers subcategory)
+ - containers
+ # Added observability category to match policy template categories (kspm template references kubernetes subcategory which requires observability as parent)
+ - observability
+ # Added google_cloud category to match policy template categories (cspm template references google_cloud as a top-level category)
+ - google_cloud
+ # Added aws category to match policy template categories (kspm and cspm templates reference aws as a top-level category)
+ - aws
+ # Added cloud category to match policy template categories (cspm and vuln_mgmt templates reference cloud as a top-level category)
+ - cloud
conditions:
kibana:
version: "^9.2.0"
diff --git a/packages/elastic_agent/changelog.yml b/packages/elastic_agent/changelog.yml
index 7d084910095..a5ac6a6f608 100644
--- a/packages/elastic_agent/changelog.yml
+++ b/packages/elastic_agent/changelog.yml
@@ -1,4 +1,18 @@
# newer versions go on top
+- version: "2.6.8"
+ changes:
+ - description: Adds processor for health_status field to status change logs data stream
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/15852
+ - description: Add new alerting rules for agent health status changes
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/15852
+ - description: Use more specifc index and remove RLIKE usage for system metrics alerting rules
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/15852
+ - description: Use system.process.cpu.total.normalized.pct for CPU usage alerting rule
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/15852
- version: "2.6.7"
changes:
- description: Add mapping for error fields for beats logs.
diff --git a/packages/elastic_agent/data_stream/status_change_logs/_dev/test/pipeline/test-health-status.json b/packages/elastic_agent/data_stream/status_change_logs/_dev/test/pipeline/test-health-status.json
new file mode 100644
index 00000000000..b7ea5bf51ca
--- /dev/null
+++ b/packages/elastic_agent/data_stream/status_change_logs/_dev/test/pipeline/test-health-status.json
@@ -0,0 +1,116 @@
+{
+ "events": [
+ {
+ "@timestamp": "2024-01-15T10:30:00.000Z",
+ "data_stream": {
+ "type": "logs",
+ "dataset": "elastic_agent.status_change",
+ "namespace": "default"
+ },
+ "agent": {
+ "id": "f2b3c4d5-e6f7-8a9b-b0c1-d2e3f4g5h6i7"
+ },
+ "status": "online",
+ "policy_id": "test-policy",
+ "agentless": false,
+ "space_id": "default",
+ "hostname": "test-host"
+ },
+ {
+ "@timestamp": "2024-01-15T10:30:00.000Z",
+ "data_stream": {
+ "type": "logs",
+ "dataset": "elastic_agent.status_change",
+ "namespace": "default"
+ },
+ "agent": {
+ "id": "f2b3c4d5-e6f7-8a9b-b0c1-d2e3f4g5h6i7"
+ },
+ "status": "offline",
+ "policy_id": "test-policy",
+ "agentless": false,
+ "space_id": "default",
+ "hostname": "test-host"
+ },
+ {
+ "@timestamp": "2024-01-15T10:30:00.000Z",
+ "data_stream": {
+ "type": "logs",
+ "dataset": "elastic_agent.status_change",
+ "namespace": "default"
+ },
+ "agent": {
+ "id": "f2b3c4d5-e6f7-8a9b-b0c1-d2e3f4g5h6i7"
+ },
+ "status": "error",
+ "policy_id": "test-policy",
+ "agentless": false,
+ "space_id": "default",
+ "hostname": "test-host"
+ },
+ {
+ "@timestamp": "2024-01-15T10:30:00.000Z",
+ "data_stream": {
+ "type": "logs",
+ "dataset": "elastic_agent.status_change",
+ "namespace": "default"
+ },
+ "agent": {
+ "id": "f2b3c4d5-e6f7-8a9b-b0c1-d2e3f4g5h6i7"
+ },
+ "status": "degraded",
+ "policy_id": "test-policy",
+ "agentless": false,
+ "space_id": "default",
+ "hostname": "test-host"
+ },
+ {
+ "@timestamp": "2024-01-15T10:30:00.000Z",
+ "data_stream": {
+ "type": "logs",
+ "dataset": "elastic_agent.status_change",
+ "namespace": "default"
+ },
+ "agent": {
+ "id": "f2b3c4d5-e6f7-8a9b-b0c1-d2e3f4g5h6i7"
+ },
+ "status": "updating",
+ "policy_id": "test-policy",
+ "agentless": false,
+ "space_id": "default",
+ "hostname": "test-host"
+ },
+ {
+ "@timestamp": "2024-01-15T10:30:00.000Z",
+ "data_stream": {
+ "type": "logs",
+ "dataset": "elastic_agent.status_change",
+ "namespace": "default"
+ },
+ "agent": {
+ "id": "f2b3c4d5-e6f7-8a9b-b0c1-d2e3f4g5h6i7"
+ },
+ "status": "enrolling",
+ "policy_id": "test-policy",
+ "agentless": false,
+ "space_id": "default",
+ "hostname": "test-host"
+ },
+ {
+ "@timestamp": "2024-01-15T10:30:00.000Z",
+ "data_stream": {
+ "type": "logs",
+ "dataset": "elastic_agent.status_change",
+ "namespace": "default"
+ },
+ "agent": {
+ "id": "f2b3c4d5-e6f7-8a9b-b0c1-d2e3f4g5h6i7"
+ },
+ "status": "unenrolling",
+ "policy_id": "test-policy",
+ "agentless": false,
+ "space_id": "default",
+ "hostname": "test-host"
+ }
+ ]
+}
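Review bot: The fixture only covers statuses the pipeline maps explicitly and leaves the fallthrough branch untested, even though the new `unenrolled` and `uninstalled` rule templates in this change depend on that branch reproducing the raw value. Add events with `"status": "unenrolled"` and `"status": "uninstalled"`, plus one differently-cased value such as `"status": "Online"`, so the expected file records what the pipeline actually emits for them.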
diff --git a/packages/elastic_agent/data_stream/status_change_logs/_dev/test/pipeline/test-health-status.json-expected.json b/packages/elastic_agent/data_stream/status_change_logs/_dev/test/pipeline/test-health-status.json-expected.json
new file mode 100644
index 00000000000..1443ecb9153
--- /dev/null
+++ b/packages/elastic_agent/data_stream/status_change_logs/_dev/test/pipeline/test-health-status.json-expected.json
@@ -0,0 +1,123 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2024-01-15T10:30:00.000Z",
+ "data_stream": {
+ "type": "logs",
+ "dataset": "elastic_agent.status_change",
+ "namespace": "default"
+ },
+ "agent": {
+ "id": "f2b3c4d5-e6f7-8a9b-b0c1-d2e3f4g5h6i7"
+ },
+ "status": "online",
+ "health_status": "healthy",
+ "policy_id": "test-policy",
+ "agentless": false,
+ "space_id": "default",
+ "hostname": "test-host"
+ },
+ {
+ "@timestamp": "2024-01-15T10:30:00.000Z",
+ "data_stream": {
+ "type": "logs",
+ "dataset": "elastic_agent.status_change",
+ "namespace": "default"
+ },
+ "agent": {
+ "id": "f2b3c4d5-e6f7-8a9b-b0c1-d2e3f4g5h6i7"
+ },
+ "status": "offline",
+ "health_status": "offline",
+ "policy_id": "test-policy",
+ "agentless": false,
+ "space_id": "default",
+ "hostname": "test-host"
+ },
+ {
+ "@timestamp": "2024-01-15T10:30:00.000Z",
+ "data_stream": {
+ "type": "logs",
+ "dataset": "elastic_agent.status_change",
+ "namespace": "default"
+ },
+ "agent": {
+ "id": "f2b3c4d5-e6f7-8a9b-b0c1-d2e3f4g5h6i7"
+ },
+ "status": "error",
+ "health_status": "unhealthy",
+ "policy_id": "test-policy",
+ "agentless": false,
+ "space_id": "default",
+ "hostname": "test-host"
+ },
+ {
+ "@timestamp": "2024-01-15T10:30:00.000Z",
+ "data_stream": {
+ "type": "logs",
+ "dataset": "elastic_agent.status_change",
+ "namespace": "default"
+ },
+ "agent": {
+ "id": "f2b3c4d5-e6f7-8a9b-b0c1-d2e3f4g5h6i7"
+ },
+ "status": "degraded",
+ "health_status": "unhealthy",
+ "policy_id": "test-policy",
+ "agentless": false,
+ "space_id": "default",
+ "hostname": "test-host"
+ },
+ {
+ "@timestamp": "2024-01-15T10:30:00.000Z",
+ "data_stream": {
+ "type": "logs",
+ "dataset": "elastic_agent.status_change",
+ "namespace": "default"
+ },
+ "agent": {
+ "id": "f2b3c4d5-e6f7-8a9b-b0c1-d2e3f4g5h6i7"
+ },
+ "status": "updating",
+ "health_status": "updating",
+ "policy_id": "test-policy",
+ "agentless": false,
+ "space_id": "default",
+ "hostname": "test-host"
+ },
+ {
+ "@timestamp": "2024-01-15T10:30:00.000Z",
+ "data_stream": {
+ "type": "logs",
+ "dataset": "elastic_agent.status_change",
+ "namespace": "default"
+ },
+ "agent": {
+ "id": "f2b3c4d5-e6f7-8a9b-b0c1-d2e3f4g5h6i7"
+ },
+ "status": "enrolling",
+ "health_status": "updating",
+ "policy_id": "test-policy",
+ "agentless": false,
+ "space_id": "default",
+ "hostname": "test-host"
+ },
+ {
+ "@timestamp": "2024-01-15T10:30:00.000Z",
+ "data_stream": {
+ "type": "logs",
+ "dataset": "elastic_agent.status_change",
+ "namespace": "default"
+ },
+ "agent": {
+ "id": "f2b3c4d5-e6f7-8a9b-b0c1-d2e3f4g5h6i7"
+ },
+ "status": "unenrolling",
+ "health_status": "updating",
+ "policy_id": "test-policy",
+ "agentless": false,
+ "space_id": "default",
+ "hostname": "test-host"
+ }
+ ]
+}
diff --git a/packages/elastic_agent/data_stream/status_change_logs/elasticsearch/ingest_pipeline/default.yml b/packages/elastic_agent/data_stream/status_change_logs/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..72e0e4ffac7
--- /dev/null
+++ b/packages/elastic_agent/data_stream/status_change_logs/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,23 @@
+---
+description: Pipeline for Elastic Agent status change logs.
+processors:
+ - script:
+ description: Derive health_status from status field
+ if: ctx.status != null
+ lang: painless
+ source: |
+ String status = ctx.status;
+ String healthStatus;
+
+ if (status == 'online') {
+ healthStatus = 'healthy';
+ } else if (status == 'error' || status == 'degraded') {
+ healthStatus = 'unhealthy';
+ } else if (status == 'updating' || status == 'enrolling' || status == 'unenrolling') {
+ healthStatus = 'updating';
+ } else {
+ healthStatus = status;
+ }
+
+ ctx.health_status = healthStatus;
+ ignore_failure: true
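Review bot: The comparisons in the script are case-sensitive exact matches, and the previous sample event for this data stream used an upper-case `HEALTHY`, so if the producer ever emits `Online` or `ERROR` the value falls through to `health_status = status` and the `unhealthy`/`offline` rule templates quietly stop matching; normalising first with `String status = ctx.status.toString().toLowerCase();` removes that dependency. `ignore_failure: true` compounds this: a script error leaves `health_status` absent, and since the alerting rules now key on that field the failure mode is a silent loss of agent-health alerts rather than an error on the document — an `on_failure` that appends `{{{ _ingest.on_failure_message }}}` to `error.message` would keep it visible. The fallthrough branch also deserves a comment, since three rule templates rest on it: `# any other status (offline, unenrolled, uninstalled, ...) passes through unchanged; alerting rule templates match on those raw values`.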
diff --git a/packages/elastic_agent/data_stream/status_change_logs/fields/fields.yml b/packages/elastic_agent/data_stream/status_change_logs/fields/fields.yml
index 61d481e7882..c09196442a8 100644
--- a/packages/elastic_agent/data_stream/status_change_logs/fields/fields.yml
+++ b/packages/elastic_agent/data_stream/status_change_logs/fields/fields.yml
@@ -1,5 +1,7 @@
- name: status
type: keyword
+- name: health_status
+ type: keyword
- name: policy_id
type: keyword
- name: agentless
diff --git a/packages/elastic_agent/data_stream/status_change_logs/sample_event.json b/packages/elastic_agent/data_stream/status_change_logs/sample_event.json
index 1740962b715..b611288904b 100644
--- a/packages/elastic_agent/data_stream/status_change_logs/sample_event.json
+++ b/packages/elastic_agent/data_stream/status_change_logs/sample_event.json
@@ -1,16 +1,17 @@
{
- "@timestamp": 1576280412771,
- "data_stream": {
- "type": "logs",
- "dataset": "elastic_agent.status_change",
- "namespace": "default"
- },
- "agent": {
- "id": "f2b3c4d5-e6f7-8a9b-b0c1-d2e3f4g5h6i7"
- },
- "status": "HEALTHY",
- "policy_id": "test-policy",
- "agentless": false,
- "space_id": "default",
- "hostname": "test-host"
-}
\ No newline at end of file
+ "@timestamp": 1576280412771,
+ "data_stream": {
+ "type": "logs",
+ "dataset": "elastic_agent.status_change",
+ "namespace": "default"
+ },
+ "agent": {
+ "id": "f2b3c4d5-e6f7-8a9b-b0c1-d2e3f4g5h6i7"
+ },
+ "status": "online",
+ "health_status": "healthy",
+ "policy_id": "test-policy",
+ "agentless": false,
+ "space_id": "default",
+ "hostname": "test-host"
+}
diff --git a/packages/elastic_agent/kibana/alerting_rule_template/elastic-agent-cpu-usage-spike-rule.json b/packages/elastic_agent/kibana/alerting_rule_template/elastic-agent-cpu-usage-spike-rule.json
index 57151899cba..2072928d652 100644
--- a/packages/elastic_agent/kibana/alerting_rule_template/elastic-agent-cpu-usage-spike-rule.json
+++ b/packages/elastic_agent/kibana/alerting_rule_template/elastic-agent-cpu-usage-spike-rule.json
@@ -16,7 +16,7 @@
"thresholdComparator": ">",
"size": 100,
"esqlQuery": {
- "esql": "FROM metrics-*, *:metrics-*\n| WHERE process.executable RLIKE \".*[Ee]lastic.*[Aa]gent.*\" AND agent.name NOT LIKE \"*agentless*\"\n| STATS cpu_process_pct = MAX(system.process.cpu.total.pct) * 100\n BY elastic_agent.id, process.name,\n time_bucket = BUCKET(@timestamp, 1 minute)\n// Count the 1 minute timebuckets that are above 80% by process and agent\n| WHERE cpu_process_pct >= 80\n| STATS count_above_threshold = COUNT(*)\n BY elastic_agent.id, process.name\n// Alert if there are 5 or more occurences\n| WHERE count_above_threshold >= 5"
+ "esql": "FROM metrics-system*, *:metrics-system*\n| WHERE TO_LOWER(process.executable) LIKE \"*elastic*agent*\" AND agent.name NOT LIKE \"*agentless*\"\n| STATS cpu_process_pct = MAX(system.process.cpu.total.norm.pct) * 100\n BY elastic_agent.id, process.name,\n time_bucket = BUCKET(@timestamp, 1 minute)\n// Count the 1 minute timebuckets that are above 80% by process and agent\n| WHERE cpu_process_pct >= 80\n| STATS count_above_threshold = COUNT(*)\n BY elastic_agent.id, process.name\n// Alert if there are 5 or more occurences\n| WHERE count_above_threshold >= 5"
},
"aggType": "count",
"groupBy": "row",
diff --git a/packages/elastic_agent/kibana/alerting_rule_template/elastic-agent-excessive-memory-usage-rule.json b/packages/elastic_agent/kibana/alerting_rule_template/elastic-agent-excessive-memory-usage-rule.json
index 88dc71e7e97..2bc6aaa566d 100644
--- a/packages/elastic_agent/kibana/alerting_rule_template/elastic-agent-excessive-memory-usage-rule.json
+++ b/packages/elastic_agent/kibana/alerting_rule_template/elastic-agent-excessive-memory-usage-rule.json
@@ -16,7 +16,7 @@
"thresholdComparator": ">",
"size": 100,
"esqlQuery": {
- "esql": "FROM metrics-*, *:metrics-*\n| WHERE process.executable RLIKE \".*[Ee]lastic.*[Aa]gent.*\" AND agent.name NOT LIKE \"*agentless*\"\n| STATS max_memory_per_process = MAX(system.process.memory.rss.pct * 100) BY agent.id, process.name\n| STATS total_memory_usage = SUM(max_memory_per_process) BY agent.id\n| WHERE total_memory_usage > 50"
+ "esql": "FROM metrics-system*, *:metrics-system*\n| WHERE TO_LOWER(process.executable) LIKE \"*elastic*agent*\" AND agent.name NOT LIKE \"*agentless*\"\n| STATS max_memory_per_process = MAX(system.process.memory.rss.pct * 100) BY agent.id, process.name\n| STATS total_memory_usage = SUM(max_memory_per_process) BY agent.id\n| WHERE total_memory_usage > 50"
},
"aggType": "count",
"groupBy": "row",
diff --git a/packages/elastic_agent/kibana/alerting_rule_template/elastic-agent-excessive-restarts.json b/packages/elastic_agent/kibana/alerting_rule_template/elastic-agent-excessive-restarts.json
index 129bcfeb6ef..5a407e18879 100644
--- a/packages/elastic_agent/kibana/alerting_rule_template/elastic-agent-excessive-restarts.json
+++ b/packages/elastic_agent/kibana/alerting_rule_template/elastic-agent-excessive-restarts.json
@@ -16,7 +16,7 @@
"thresholdComparator": ">",
"size": 100,
"esqlQuery": {
- "esql": "FROM metrics-*, *:metrics-*\n| WHERE process.executable RLIKE \".*[Ee]lastic.*[Aa]gent.*\" AND agent.name NOT LIKE \"*agentless*\"\n| STATS restart_count = COUNT_DISTINCT(process.cpu.start_time) BY host.name, process.name, bucket(@timestamp,5 minute) \n| WHERE restart_count > 10\n| STATS MAX(restart_count) BY host.name, process.name"
+ "esql": "FROM metrics-system*, *:metrics-system*\n| WHERE TO_LOWER(process.executable) LIKE \"*elastic*agent*\" AND agent.name NOT LIKE \"*agentless*\"\n| STATS restart_count = COUNT_DISTINCT(process.cpu.start_time) BY host.name, process.name, bucket(@timestamp,5 minute) \n| WHERE restart_count > 10\n| STATS MAX(restart_count) BY host.name, process.name"
},
"aggType": "count",
"groupBy": "row",
diff --git a/packages/elastic_agent/kibana/alerting_rule_template/elastic-agent-offline-status.json b/packages/elastic_agent/kibana/alerting_rule_template/elastic-agent-offline-status.json
new file mode 100644
index 00000000000..b886101ae55
--- /dev/null
+++ b/packages/elastic_agent/kibana/alerting_rule_template/elastic-agent-offline-status.json
@@ -0,0 +1,34 @@
+{
+ "id": "elastic-agent-offline-status",
+ "type": "alerting_rule_template",
+ "attributes": {
+ "name": "[Elastic Agent] Offline status",
+ "tags": ["Elastic Agent"],
+ "ruleTypeId": ".es-query",
+ "schedule": {
+ "interval": "1m"
+ },
+ "params": {
+ "searchType": "esqlQuery",
+ "timeWindowSize": 5,
+ "timeWindowUnit": "m",
+ "threshold": [0],
+ "thresholdComparator": ">",
+ "size": 100,
+ "esqlQuery": {
+ "esql": "FROM logs-elastic_agent.status_change-default, *:logs-elastic_agent.status_change-default\n| WHERE data_stream.dataset == \"elastic_agent.status_change\" and agentless == false and health_status == \"offline\""
+ },
+ "aggType": "count",
+ "groupBy": "row",
+ "termSize": 5,
+ "sourceFields": [],
+ "timeField": "@timestamp",
+ "excludeHitsFromPreviousRun": true
+ },
+ "alertDelay": {
+ "active": 1
+ }
+ },
+ "coreMigrationVersion": "8.8.0",
+ "typeMigrationVersion": "10.1.0"
+}
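Review bot: `FROM logs-elastic_agent.status_change-default` restricts the alert to the `default` namespace, so status-change logs routed anywhere else are never evaluated; the pre-existing unhealthy template uses the same source, so this may be deliberate, but if the namespace is not fixed by Fleet, `FROM logs-elastic_agent.status_change-*, *:logs-elastic_agent.status_change-*` covers them all. Separately, `agentless == false` evaluates to null, and therefore filters the row out, when the field is missing; if `agentless` is optional on these documents, `(agentless IS NULL OR agentless == false)` keeps them. An agent going offline is one of the first signs of tampering with an endpoint, so rows excluded here are missed detections rather than noise.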
diff --git a/packages/elastic_agent/kibana/alerting_rule_template/elastic-agent-unenrolled-status.json b/packages/elastic_agent/kibana/alerting_rule_template/elastic-agent-unenrolled-status.json
new file mode 100644
index 00000000000..1fabb74f27f
--- /dev/null
+++ b/packages/elastic_agent/kibana/alerting_rule_template/elastic-agent-unenrolled-status.json
@@ -0,0 +1,34 @@
+{
+ "id": "elastic-agent-unenrolled-status",
+ "type": "alerting_rule_template",
+ "attributes": {
+ "name": "[Elastic Agent] Unenrolled status",
+ "tags": ["Elastic Agent"],
+ "ruleTypeId": ".es-query",
+ "schedule": {
+ "interval": "1m"
+ },
+ "params": {
+ "searchType": "esqlQuery",
+ "timeWindowSize": 5,
+ "timeWindowUnit": "m",
+ "threshold": [0],
+ "thresholdComparator": ">",
+ "size": 100,
+ "esqlQuery": {
+ "esql": "FROM logs-elastic_agent.status_change-default, *:logs-elastic_agent.status_change-default\n| WHERE data_stream.dataset == \"elastic_agent.status_change\" and agentless == false and health_status == \"unenrolled\""
+ },
+ "aggType": "count",
+ "groupBy": "row",
+ "termSize": 5,
+ "sourceFields": [],
+ "timeField": "@timestamp",
+ "excludeHitsFromPreviousRun": true
+ },
+ "alertDelay": {
+ "active": 1
+ }
+ },
+ "coreMigrationVersion": "8.8.0",
+ "typeMigrationVersion": "10.1.0"
+}
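Review bot: `health_status == "unenrolled"` can only be satisfied by the ingest script's fallthrough branch, which copies an unrecognised `status` verbatim; the script maps `unenrolling` explicitly but never names `unenrolled`, and the pipeline test fixtures added in this change contain no such event, so nothing here establishes that Fleet emits that literal (the same applies to the `uninstalled` template). Unenrolment and uninstall are the transitions a defender most wants to catch, since they are what a deliberate removal of the agent looks like, so the match should not rest on an implicit fallthrough: add explicit branches for both values in the script and matching events to the test fixture, or record the assumption in the changelog.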
diff --git a/packages/elastic_agent/kibana/alerting_rule_template/elastic-agent-unhealthy-status.json b/packages/elastic_agent/kibana/alerting_rule_template/elastic-agent-unhealthy-status.json
index c817436f589..a3f00eb35aa 100644
--- a/packages/elastic_agent/kibana/alerting_rule_template/elastic-agent-unhealthy-status.json
+++ b/packages/elastic_agent/kibana/alerting_rule_template/elastic-agent-unhealthy-status.json
@@ -16,7 +16,7 @@
"thresholdComparator": ">",
"size": 100,
"esqlQuery": {
- "esql": "FROM logs-elastic_agent.status_change-default, *:logs-elastic_agent.status_change-default\n| WHERE data_stream.dataset == \"elastic_agent.status_change\" and agentless == false and status in (\"error\", \"degraded\")"
+ "esql": "FROM logs-elastic_agent.status_change-default, *:logs-elastic_agent.status_change-default\n| WHERE data_stream.dataset == \"elastic_agent.status_change\" and agentless == false and health_status == \"unhealthy\""
},
"aggType": "count",
"groupBy": "row",
diff --git a/packages/elastic_agent/kibana/alerting_rule_template/elastic-agent-uninstalled-status.json b/packages/elastic_agent/kibana/alerting_rule_template/elastic-agent-uninstalled-status.json
new file mode 100644
index 00000000000..665537ba5f9
--- /dev/null
+++ b/packages/elastic_agent/kibana/alerting_rule_template/elastic-agent-uninstalled-status.json
@@ -0,0 +1,34 @@
+{
+ "id": "elastic-agent-uninstalled-status",
+ "type": "alerting_rule_template",
+ "attributes": {
+ "name": "[Elastic Agent] Uninstalled status",
+ "tags": ["Elastic Agent"],
+ "ruleTypeId": ".es-query",
+ "schedule": {
+ "interval": "1m"
+ },
+ "params": {
+ "searchType": "esqlQuery",
+ "timeWindowSize": 5,
+ "timeWindowUnit": "m",
+ "threshold": [0],
+ "thresholdComparator": ">",
+ "size": 100,
+ "esqlQuery": {
+ "esql": "FROM logs-elastic_agent.status_change-default, *:logs-elastic_agent.status_change-default\n| WHERE data_stream.dataset == \"elastic_agent.status_change\" and agentless == false and health_status == \"uninstalled\""
+ },
+ "aggType": "count",
+ "groupBy": "row",
+ "termSize": 5,
+ "sourceFields": [],
+ "timeField": "@timestamp",
+ "excludeHitsFromPreviousRun": true
+ },
+ "alertDelay": {
+ "active": 1
+ }
+ },
+ "coreMigrationVersion": "8.8.0",
+ "typeMigrationVersion": "10.1.0"
+}
diff --git a/packages/elastic_agent/manifest.yml b/packages/elastic_agent/manifest.yml
index aa26ef89c32..42c198f06ce 100644
--- a/packages/elastic_agent/manifest.yml
+++ b/packages/elastic_agent/manifest.yml
@@ -1,6 +1,6 @@
name: elastic_agent
title: Elastic Agent
-version: 2.6.7
+version: 2.6.8
description: Collect logs and metrics from Elastic Agents.
type: integration
format_version: 3.5.0
diff --git a/packages/entityanalytics_ad/changelog.yml b/packages/entityanalytics_ad/changelog.yml
index c4b98c14a15..960423c2c67 100644
--- a/packages/entityanalytics_ad/changelog.yml
+++ b/packages/entityanalytics_ad/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
+- version: "0.17.1"
+ changes:
+ - description: Allow rerouting permissions to write data to other data streams.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/16076
- version: "0.17.0"
changes:
- description: Improve field mappings for device entities.
diff --git a/packages/entityanalytics_ad/data_stream/entity/manifest.yml b/packages/entityanalytics_ad/data_stream/entity/manifest.yml
index ca9ca81e6cc..779a6865374 100644
--- a/packages/entityanalytics_ad/data_stream/entity/manifest.yml
+++ b/packages/entityanalytics_ad/data_stream/entity/manifest.yml
@@ -163,3 +163,6 @@ streams:
show_user: false
description: >-
Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+elasticsearch:
+ dynamic_dataset: true
+ dynamic_namespace: true
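Review bot: `dynamic_dataset: true` and `dynamic_namespace: true` broaden the permissions Fleet grants the enrolled agent's output API key from the single `logs-entityanalytics_ad.entity-<namespace>` stream to, as I understand Fleet's behaviour, writes across datasets and namespaces of the `logs` type; that is what a reroute processor needs, but it is also a wider target for anyone holding a compromised agent key. The one-line changelog entry does not say so, and a comment on the block would preserve the reasoning for the next reviewer: `# Needed for reroute/routing.* support; note this widens the agent API key's write scope beyond this data stream.`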
diff --git a/packages/entityanalytics_ad/manifest.yml b/packages/entityanalytics_ad/manifest.yml
index 73e4c883ac1..a5a371d3939 100644
--- a/packages/entityanalytics_ad/manifest.yml
+++ b/packages/entityanalytics_ad/manifest.yml
@@ -1,7 +1,7 @@
format_version: "3.0.2"
name: entityanalytics_ad
title: Active Directory Entity Analytics
-version: "0.17.0"
+version: "0.17.1"
description: "Collect User Identities from Active Directory Entity with Elastic Agent."
type: integration
categories:
diff --git a/packages/gcp/manifest.yml b/packages/gcp/manifest.yml
index 8d165a1ca9d..121e1337426 100644
--- a/packages/gcp/manifest.yml
+++ b/packages/gcp/manifest.yml
@@ -13,6 +13,12 @@ categories:
- google_cloud
- cloud
- observability
+ # Added containers category to match policy template categories (gke template references containers subcategory)
+ - containers
+ # Added datastore category to match policy template categories (CloudSQL templates reference datastore subcategory)
+ - datastore
+ # Added security category to match policy template categories (audit, firewall, and dns templates reference security subcategories like firewall_security and dns_security)
+ - security
conditions:
kibana:
version: "^8.13.0 || ^9.0.0"
diff --git a/packages/google_workspace/changelog.yml b/packages/google_workspace/changelog.yml
index dc8ca249486..656c84f9adc 100644
--- a/packages/google_workspace/changelog.yml
+++ b/packages/google_workspace/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
+- version: "2.47.2"
+ changes:
+ - description: Discard events that are missing the `items[]` field during the split operation and are returned as the root object.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/15948
- version: "2.47.1"
changes:
- description: Fix handling of `google_workspace.gmail.message_info.post_delivery_info.interaction.attachment` records.
diff --git a/packages/google_workspace/data_stream/access_transparency/_dev/test/pipeline/test-access-transparency.log-expected.json b/packages/google_workspace/data_stream/access_transparency/_dev/test/pipeline/test-access-transparency.log-expected.json
index ca17f013e9d..701746bfd26 100644
--- a/packages/google_workspace/data_stream/access_transparency/_dev/test/pipeline/test-access-transparency.log-expected.json
+++ b/packages/google_workspace/data_stream/access_transparency/_dev/test/pipeline/test-access-transparency.log-expected.json
@@ -111,4 +111,4 @@
}
}
]
-}
\ No newline at end of file
+}
diff --git a/packages/google_workspace/data_stream/access_transparency/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/data_stream/access_transparency/elasticsearch/ingest_pipeline/default.yml
index e73c7fd55b1..06441df852d 100644
--- a/packages/google_workspace/data_stream/access_transparency/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/google_workspace/data_stream/access_transparency/elasticsearch/ingest_pipeline/default.yml
@@ -32,6 +32,10 @@ processors:
- append:
field: error.message
value: '{{{_ingest.on_failure_message}}}'
+ - drop:
+ if: ctx.json?.events == null
+ description: Discard events that are missing the target during the split operation and are subsequently returned as the root object.
+ tag: drop_empty_events
- set:
field: event.kind
value: [event]
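Review bot: `ctx.json?.events == null` is also true when `ctx.json` does not exist at all, i.e. when the preceding `json` processor failed; if the `append` to `error.message` at the top of this hunk is that processor's `on_failure` handler (its start is outside the hunk), malformed payloads now get their error recorded and are then discarded by this drop, so they never reach the index for triage. Restricting the drop to a successful parse keeps that visibility: `if: ctx.json != null && ctx.json.events == null`.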
diff --git a/packages/google_workspace/data_stream/access_transparency/sample_event.json b/packages/google_workspace/data_stream/access_transparency/sample_event.json
index b125659a2d2..b134447ede2 100644
--- a/packages/google_workspace/data_stream/access_transparency/sample_event.json
+++ b/packages/google_workspace/data_stream/access_transparency/sample_event.json
@@ -1,32 +1,32 @@
{
"@timestamp": "2020-10-02T15:00:00.000Z",
"agent": {
- "ephemeral_id": "e3f2296a-a4a2-4d03-9105-cee5b37c1408",
- "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
- "name": "docker-fleet-agent",
+ "ephemeral_id": "e71ef9cb-072e-48d2-9130-96f1d4bce4d3",
+ "id": "2da80338-c8c6-4300-9470-025fe55de0c1",
+ "name": "elastic-agent-58418",
"type": "filebeat",
- "version": "8.13.0"
+ "version": "8.18.0"
},
"data_stream": {
"dataset": "google_workspace.access_transparency",
- "namespace": "83912",
+ "namespace": "21501",
"type": "logs"
},
"ecs": {
- "version": "8.11.0"
+ "version": "8.16.0"
},
"elastic_agent": {
- "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
+ "id": "2da80338-c8c6-4300-9470-025fe55de0c1",
"snapshot": false,
- "version": "8.13.0"
+ "version": "8.18.0"
},
"event": {
"action": "APPLICATION_EVENT",
"agent_id_status": "verified",
- "created": "2024-08-01T21:50:19.274Z",
+ "created": "2025-11-12T09:20:36.555Z",
"dataset": "google_workspace.access_transparency",
"id": "1",
- "ingested": "2024-08-01T21:50:31Z",
+ "ingested": "2025-11-12T09:20:39Z",
"kind": [
"event"
],
@@ -130,4 +130,4 @@
"id": "1",
"name": "foo"
}
-}
\ No newline at end of file
+}
diff --git a/packages/google_workspace/data_stream/admin/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/data_stream/admin/elasticsearch/ingest_pipeline/default.yml
index 82ec910464d..48c35bf23ca 100644
--- a/packages/google_workspace/data_stream/admin/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/google_workspace/data_stream/admin/elasticsearch/ingest_pipeline/default.yml
@@ -31,6 +31,10 @@ processors:
- json:
field: event.original
target_field: json
+ - drop:
+ if: ctx.json?.events == null
+ description: Discard events that are missing the target during the split operation and are subsequently returned as the root object.
+ tag: drop_empty_events
- set:
field: event.kind
value: event
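Review bot: The new `drop` condition `ctx.json?.events == null` is also true when `ctx.json` itself is null, so in the sibling hunks where the processor sits right after the json processor's `on_failure` append (context_aware_access, device, gcp, group_enterprise), a document whose `event.original` failed to parse would now be discarded together with the `error.message` that was just attached, instead of being indexed for triage; the same condition is added in admin, drive, groups, login, rules and saml. The intended target appears to be the paginated root object seen in the new test-drive.log line (`"kind":"admin#reports#activities"` with a `nextPageToken`), which does carry a parsed `json` map. A guard that only drops a parsed map lacking `events`, `if: ctx.json instanceof Map && ctx.json.events == null`, keeps parse failures visible while still discarding the pagination envelope; if dropping unparseable input is deliberate, the description should say so. The enclosing `processors:` list continues outside the hunk.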
diff --git a/packages/google_workspace/data_stream/admin/sample_event.json b/packages/google_workspace/data_stream/admin/sample_event.json
index 8c6a46c5406..703f547f666 100644
--- a/packages/google_workspace/data_stream/admin/sample_event.json
+++ b/packages/google_workspace/data_stream/admin/sample_event.json
@@ -1,24 +1,24 @@
{
"@timestamp": "2022-04-04T15:04:05.000Z",
"agent": {
- "ephemeral_id": "e64e710c-e02b-4997-bb7e-83b936dd6aa5",
- "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
- "name": "docker-fleet-agent",
+ "ephemeral_id": "14b6ad66-8af9-429d-b327-3fee869369e5",
+ "id": "752f45e8-5f63-4dca-ab63-ec8e8f790d4a",
+ "name": "elastic-agent-14522",
"type": "filebeat",
- "version": "8.13.0"
+ "version": "8.18.0"
},
"data_stream": {
"dataset": "google_workspace.admin",
- "namespace": "62273",
+ "namespace": "51420",
"type": "logs"
},
"ecs": {
- "version": "8.11.0"
+ "version": "8.16.0"
},
"elastic_agent": {
- "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
+ "id": "752f45e8-5f63-4dca-ab63-ec8e8f790d4a",
"snapshot": false,
- "version": "8.13.0"
+ "version": "8.18.0"
},
"event": {
"action": "CHANGE_APPLICATION_SETTING",
@@ -27,10 +27,10 @@
"iam",
"configuration"
],
- "created": "2024-08-01T21:51:15.529Z",
+ "created": "2025-11-12T09:21:44.692Z",
"dataset": "google_workspace.admin",
"id": "1",
- "ingested": "2024-08-01T21:51:27Z",
+ "ingested": "2025-11-12T09:21:47Z",
"kind": "event",
"original": "{\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"events\":{\"name\":\"CHANGE_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APPLICATION_EDITION\",\"value\":\"basic\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}],\"type\":\"APPLICATION_SETTINGS\"},\"id\":{\"applicationName\":\"admin\",\"customerId\":\"1\",\"time\":\"2022-04-04T15:04:05Z\",\"uniqueQualifier\":1},\"ipAddress\":\"98.235.162.24\",\"kind\":\"admin#reports#activity\",\"ownerDomain\":\"elastic.com\"}",
"provider": "admin",
@@ -117,4 +117,4 @@
}
}
}
-}
\ No newline at end of file
+}
diff --git a/packages/google_workspace/data_stream/alert/_dev/test/pipeline/test-alert.log-expected.json b/packages/google_workspace/data_stream/alert/_dev/test/pipeline/test-alert.log-expected.json
index d401882d218..aa717f312d2 100644
--- a/packages/google_workspace/data_stream/alert/_dev/test/pipeline/test-alert.log-expected.json
+++ b/packages/google_workspace/data_stream/alert/_dev/test/pipeline/test-alert.log-expected.json
@@ -1333,4 +1333,4 @@
]
}
]
-}
\ No newline at end of file
+}
diff --git a/packages/google_workspace/data_stream/context_aware_access/_dev/test/pipeline/test-context-aware-access.log-expected.json b/packages/google_workspace/data_stream/context_aware_access/_dev/test/pipeline/test-context-aware-access.log-expected.json
index 598dad51adc..560d8e9d61a 100644
--- a/packages/google_workspace/data_stream/context_aware_access/_dev/test/pipeline/test-context-aware-access.log-expected.json
+++ b/packages/google_workspace/data_stream/context_aware_access/_dev/test/pipeline/test-context-aware-access.log-expected.json
@@ -105,4 +105,4 @@
}
}
]
-}
\ No newline at end of file
+}
diff --git a/packages/google_workspace/data_stream/context_aware_access/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/data_stream/context_aware_access/elasticsearch/ingest_pipeline/default.yml
index fd6481f403b..d21e19108a3 100644
--- a/packages/google_workspace/data_stream/context_aware_access/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/google_workspace/data_stream/context_aware_access/elasticsearch/ingest_pipeline/default.yml
@@ -32,6 +32,10 @@ processors:
- append:
field: error.message
value: '{{{_ingest.on_failure_message}}}'
+ - drop:
+ if: ctx.json?.events == null
+ description: Discard events that are missing the target during the split operation and are subsequently returned as the root object.
+ tag: drop_empty_events
- set:
field: event.kind
value: [event]
diff --git a/packages/google_workspace/data_stream/context_aware_access/sample_event.json b/packages/google_workspace/data_stream/context_aware_access/sample_event.json
index 3f302ad4792..a3acaf57418 100644
--- a/packages/google_workspace/data_stream/context_aware_access/sample_event.json
+++ b/packages/google_workspace/data_stream/context_aware_access/sample_event.json
@@ -1,32 +1,32 @@
{
"@timestamp": "2020-10-02T15:00:00.000Z",
"agent": {
- "ephemeral_id": "6fde0a21-1448-4531-a5c9-42751772e3a7",
- "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
- "name": "docker-fleet-agent",
+ "ephemeral_id": "01101cd7-b942-4061-8dcf-8488f5b64461",
+ "id": "10bdbb6c-0cff-4af9-866d-64a6bb61e845",
+ "name": "elastic-agent-67948",
"type": "filebeat",
- "version": "8.13.0"
+ "version": "8.18.0"
},
"data_stream": {
"dataset": "google_workspace.context_aware_access",
- "namespace": "14973",
+ "namespace": "38010",
"type": "logs"
},
"ecs": {
- "version": "8.11.0"
+ "version": "8.16.0"
},
"elastic_agent": {
- "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
+ "id": "10bdbb6c-0cff-4af9-866d-64a6bb61e845",
"snapshot": false,
- "version": "8.13.0"
+ "version": "8.18.0"
},
"event": {
"action": "APPLICATION_EVENT",
"agent_id_status": "verified",
- "created": "2024-08-01T21:53:36.823Z",
+ "created": "2025-11-12T09:23:14.570Z",
"dataset": "google_workspace.context_aware_access",
"id": "1",
- "ingested": "2024-08-01T21:53:48Z",
+ "ingested": "2025-11-12T09:23:17Z",
"kind": [
"event"
],
@@ -124,4 +124,4 @@
"id": "1",
"name": "foo"
}
-}
\ No newline at end of file
+}
diff --git a/packages/google_workspace/data_stream/device/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/data_stream/device/elasticsearch/ingest_pipeline/default.yml
index 1a943e8ec75..702c27a275c 100644
--- a/packages/google_workspace/data_stream/device/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/google_workspace/data_stream/device/elasticsearch/ingest_pipeline/default.yml
@@ -32,6 +32,10 @@ processors:
- append:
field: error.message
value: '{{{_ingest.on_failure_message}}}'
+ - drop:
+ if: ctx.json?.events == null
+ description: Discard events that are missing the target during the split operation and are subsequently returned as the root object.
+ tag: drop_empty_events
- set:
field: event.kind
value: [event]
diff --git a/packages/google_workspace/data_stream/device/sample_event.json b/packages/google_workspace/data_stream/device/sample_event.json
index 6a8898ad3d3..feec7709735 100644
--- a/packages/google_workspace/data_stream/device/sample_event.json
+++ b/packages/google_workspace/data_stream/device/sample_event.json
@@ -1,32 +1,32 @@
{
"@timestamp": "2020-10-02T15:00:00.000Z",
"agent": {
- "ephemeral_id": "9875ab07-088d-4ff3-8cfe-daa3a497cf78",
- "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
- "name": "docker-fleet-agent",
+ "ephemeral_id": "7aa421c8-d815-4e38-bd60-cb57bc5846b5",
+ "id": "60de190d-6628-47a3-afea-6a73703cb75b",
+ "name": "elastic-agent-72403",
"type": "filebeat",
- "version": "8.13.0"
+ "version": "8.18.0"
},
"data_stream": {
"dataset": "google_workspace.device",
- "namespace": "89096",
+ "namespace": "60770",
"type": "logs"
},
"ecs": {
- "version": "8.11.0"
+ "version": "8.16.0"
},
"elastic_agent": {
- "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
+ "id": "60de190d-6628-47a3-afea-6a73703cb75b",
"snapshot": false,
- "version": "8.13.0"
+ "version": "8.18.0"
},
"event": {
"action": "APPLICATION_EVENT",
"agent_id_status": "verified",
- "created": "2024-08-01T21:54:32.984Z",
+ "created": "2025-11-12T09:24:24.919Z",
"dataset": "google_workspace.device",
"id": "1",
- "ingested": "2024-08-01T21:54:44Z",
+ "ingested": "2025-11-12T09:24:27Z",
"kind": [
"event"
],
@@ -186,4 +186,4 @@
"id": "1",
"name": "foo"
}
-}
\ No newline at end of file
+}
diff --git a/packages/google_workspace/data_stream/drive/_dev/test/pipeline/test-drive.log b/packages/google_workspace/data_stream/drive/_dev/test/pipeline/test-drive.log
index b02f8a6768d..d56870d2b19 100644
--- a/packages/google_workspace/data_stream/drive/_dev/test/pipeline/test-drive.log
+++ b/packages/google_workspace/data_stream/drive/_dev/test/pipeline/test-drive.log
@@ -34,3 +34,4 @@
{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"acl_change","name":"publish_change","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"new_value","value":"can_comment"},{"name":"old_value","value":"can_view"},{"name":"new_publish_visibility","value":"nobody"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"private"},{"name":"old_publish_visibility","value":"public_in_the_domain"}]}}
{"actor":{"email":"[john.doe@example.com](mailto:john.doe@example.com)","profileId":"987654"},"etag":"-xyz1234567890/abcdefg","events":{"name":"email_as_attachment","parameters":[{"name":"target","value":"[jane.smith@example.org](mailto:jane.smith@example.org)"},{"name":"target_user","value":"[manager@example.com](mailto:manager@example.com)"},{"boolValue":true,"name":"primary_event"},{"boolValue":true,"name":"billable"},{"boolValue":false,"name":"owner_is_shared_drive"},{"name":"owner","value":"[admin@example.co](mailto:admin@example.co)"},{"name":"doc_id","value":"doc123-456"},{"name":"doc_type","value":"spreadsheet"},{"boolValue":false,"name":"is_encrypted"},{"name":"doc_title","value":"Quarterly Report"},{"name":"visibility","value":"shared_externally"},{"boolValue":false,"name":"actor_is_collaborator_account"},{"boolValue":false,"name":"owner_is_team_drive"}],"type":"access"},"id":{"applicationName":"drive","customerId":"customer12345","time":"2024-07-29T12:34:56.789Z","uniqueQualifier":"4567890"},"kind":"admin#reports#activity"}
{"actor":{"applicationInfo":{"applicationName":"ToolName","impersonation":true,"oauthClientId":"1111111111111111111111"},"email":"johndoe@acme.com","profileId":"222222222222222222222222"},"etag":"\"ABCABCjsATuh9FxZMWuZ372Q1A9Fq11Q7OMecpK3QDU/QZbJ3HVExjF3JuhAD4Gb91V85Dc\"","events":{"name":"access_item_content","parameters":[{"boolValue":true,"name":"billable"},{"boolValue":true,"name":"primary_event"},{"boolValue":false,"name":"owner_is_shared_drive"},{"name":"owner","value":"johndoe@acme.com"},{"name":"doc_id","value":"abcabcQ3vLf7CmBtwYRpKe2u1WgHNJq0MsdA"},{"name":"doc_type","value":"png"},{"boolValue":false,"name":"is_encrypted"},{"name":"doc_title","value":"file_docname.png"},{"name":"visibility","value":"private"},{"name":"originating_app_id","value":"333333333333"},{"name":"api_method","value":"drive.comments.list"},{"boolValue":false,"name":"actor_is_collaborator_account"},{"boolValue":false,"name":"owner_is_team_drive"}],"resourceIds":["abcabcLf7CmBtwYRpKe2u1WgHNJq0MsdA"],"type":"access"},"id":{"applicationName":"drive","customerId":"abc134abc123","time":"2025-07-25T06:45:36.066Z","uniqueQualifier":"4444444444444444444"},"kind":"admin#reports#activity","resourceDetails":[{"id":"abcabcLf7CmBtwYRpKe2u1WgHNJq0MsdA","relation":"DRIVE_PRIMARY","title":"file_docname.png","type":"DRIVE_ITEM"}]}
+{"etag":"qPverjhbgkl-7y-wjhfuvje_FEvhqerer_Rawg5Fgrg/sfiygsYUGSDJhvsdlJHVBSDKJV9bri7t32N_SHi4bjhcu2nbJh","kind":"admin#reports#activities","nextPageToken":"W3:KUYfvkfjBYUVFHKE7jhbf9cijbf89YYUCBA09cbajdhoy9JBBIhhIUGliugf78UVugi78FUYv8UGi8gkb-ajkbVUKcvfhasjvVJVDSA"}
diff --git a/packages/google_workspace/data_stream/drive/_dev/test/pipeline/test-drive.log-expected.json b/packages/google_workspace/data_stream/drive/_dev/test/pipeline/test-drive.log-expected.json
index 5b980a2c9c0..b19b9c97382 100644
--- a/packages/google_workspace/data_stream/drive/_dev/test/pipeline/test-drive.log-expected.json
+++ b/packages/google_workspace/data_stream/drive/_dev/test/pipeline/test-drive.log-expected.json
@@ -3310,6 +3310,7 @@
"id": "222222222222222222222222",
"name": "johndoe"
}
- }
+ },
+ null
]
}
diff --git a/packages/google_workspace/data_stream/drive/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/data_stream/drive/elasticsearch/ingest_pipeline/default.yml
index 56a81b7658b..273519a99e8 100644
--- a/packages/google_workspace/data_stream/drive/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/google_workspace/data_stream/drive/elasticsearch/ingest_pipeline/default.yml
@@ -34,6 +34,10 @@ processors:
- json:
field: event.original
target_field: json
+ - drop:
+ if: ctx.json?.events == null
+ description: Discard events that are missing the target during the split operation and are subsequently returned as the root object.
+ tag: drop_empty_events
- date:
field: json.id.time
if: ctx.json?.id?.time != null && ctx.json.id.time != ''
@@ -211,7 +215,7 @@ processors:
- rename:
field: google_workspace.drive.target_user
target_field: google_workspace.drive.target
- if: ctx.google_workspace.drive.target == null
+ if: ctx.google_workspace?.drive?.target == null
ignore_missing: true
- set:
field: file.type
diff --git a/packages/google_workspace/data_stream/drive/sample_event.json b/packages/google_workspace/data_stream/drive/sample_event.json
index 359a852bd45..a402a067844 100644
--- a/packages/google_workspace/data_stream/drive/sample_event.json
+++ b/packages/google_workspace/data_stream/drive/sample_event.json
@@ -1,24 +1,24 @@
{
"@timestamp": "2022-05-04T15:04:05.000Z",
"agent": {
- "ephemeral_id": "afd0c297-d853-427a-96bc-20af38e5b145",
- "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
- "name": "docker-fleet-agent",
+ "ephemeral_id": "f63cc477-4c17-460f-8a39-f41fc874d461",
+ "id": "b588c116-db18-4768-9791-d2e179c06bbc",
+ "name": "elastic-agent-51764",
"type": "filebeat",
- "version": "8.13.0"
+ "version": "8.18.0"
},
"data_stream": {
"dataset": "google_workspace.drive",
- "namespace": "99832",
+ "namespace": "47185",
"type": "logs"
},
"ecs": {
- "version": "8.11.0"
+ "version": "8.16.0"
},
"elastic_agent": {
- "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
+ "id": "b588c116-db18-4768-9791-d2e179c06bbc",
"snapshot": false,
- "version": "8.13.0"
+ "version": "8.18.0"
},
"event": {
"action": "add_to_folder",
@@ -26,10 +26,10 @@
"category": [
"file"
],
- "created": "2024-08-01T21:55:29.295Z",
+ "created": "2025-11-12T09:25:35.165Z",
"dataset": "google_workspace.drive",
"id": "1",
- "ingested": "2024-08-01T21:55:41Z",
+ "ingested": "2025-11-12T09:25:38Z",
"kind": "event",
"original": "{\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"events\":{\"name\":\"add_to_folder\",\"parameters\":[{\"boolValue\":false,\"name\":\"billable\"},{\"name\":\"destination_folder_id\",\"value\":\"1234\"},{\"name\":\"destination_folder_title\",\"value\":\"folder title\"},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"boolValue\":false,\"name\":\"owner_is_shared_drive\"},{\"boolValue\":true,\"name\":\"primary_event\"},{\"name\":\"visibility\",\"value\":\"people_with_link\"}],\"type\":\"access\"},\"id\":{\"applicationName\":\"drive\",\"customerId\":\"1\",\"time\":\"2022-05-04T15:04:05Z\",\"uniqueQualifier\":1},\"ipAddress\":\"98.235.162.24\",\"kind\":\"admin#reports#activity\",\"ownerDomain\":\"elastic.com\"}",
"provider": "drive",
@@ -111,4 +111,4 @@
"id": "1",
"name": "foo"
}
-}
\ No newline at end of file
+}
diff --git a/packages/google_workspace/data_stream/gcp/_dev/test/pipeline/test-gcp.log-expected.json b/packages/google_workspace/data_stream/gcp/_dev/test/pipeline/test-gcp.log-expected.json
index 1e264e312db..b5e0e62615d 100644
--- a/packages/google_workspace/data_stream/gcp/_dev/test/pipeline/test-gcp.log-expected.json
+++ b/packages/google_workspace/data_stream/gcp/_dev/test/pipeline/test-gcp.log-expected.json
@@ -96,4 +96,4 @@
}
}
]
-}
\ No newline at end of file
+}
diff --git a/packages/google_workspace/data_stream/gcp/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/data_stream/gcp/elasticsearch/ingest_pipeline/default.yml
index 722211c65e9..d78157218b8 100644
--- a/packages/google_workspace/data_stream/gcp/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/google_workspace/data_stream/gcp/elasticsearch/ingest_pipeline/default.yml
@@ -32,6 +32,10 @@ processors:
- append:
field: error.message
value: '{{{_ingest.on_failure_message}}}'
+ - drop:
+ if: ctx.json?.events == null
+ description: Discard events that are missing the target during the split operation and are subsequently returned as the root object.
+ tag: drop_empty_events
- set:
field: event.kind
value: [event]
diff --git a/packages/google_workspace/data_stream/gcp/sample_event.json b/packages/google_workspace/data_stream/gcp/sample_event.json
index c5a5bf910ea..9d26a1765a8 100644
--- a/packages/google_workspace/data_stream/gcp/sample_event.json
+++ b/packages/google_workspace/data_stream/gcp/sample_event.json
@@ -1,32 +1,32 @@
{
"@timestamp": "2020-10-02T15:00:00.000Z",
"agent": {
- "ephemeral_id": "73bd4e11-03bc-40dc-a0bc-1d9ca1aaa853",
- "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
- "name": "docker-fleet-agent",
+ "ephemeral_id": "ea5f2721-a5c8-44f7-9f90-d4e84d70f5ce",
+ "id": "78e1ae1d-8b1a-4ec2-85b0-c613aba4cfe4",
+ "name": "elastic-agent-48565",
"type": "filebeat",
- "version": "8.13.0"
+ "version": "8.18.0"
},
"data_stream": {
"dataset": "google_workspace.gcp",
- "namespace": "65228",
+ "namespace": "98365",
"type": "logs"
},
"ecs": {
- "version": "8.11.0"
+ "version": "8.16.0"
},
"elastic_agent": {
- "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
+ "id": "78e1ae1d-8b1a-4ec2-85b0-c613aba4cfe4",
"snapshot": false,
- "version": "8.13.0"
+ "version": "8.18.0"
},
"event": {
"action": "IMPORT_SSH_PUBLIC_KEY",
"agent_id_status": "verified",
- "created": "2024-08-01T21:56:37.313Z",
+ "created": "2025-11-12T09:27:05.101Z",
"dataset": "google_workspace.gcp",
"id": "1",
- "ingested": "2024-08-01T21:56:49Z",
+ "ingested": "2025-11-12T09:27:08Z",
"kind": [
"event"
],
@@ -115,4 +115,4 @@
"id": "1",
"name": "foo"
}
-}
\ No newline at end of file
+}
diff --git a/packages/google_workspace/data_stream/group_enterprise/_dev/test/pipeline/test-group-enterprise.log-expected.json b/packages/google_workspace/data_stream/group_enterprise/_dev/test/pipeline/test-group-enterprise.log-expected.json
index f83977374db..19cbb8846cb 100644
--- a/packages/google_workspace/data_stream/group_enterprise/_dev/test/pipeline/test-group-enterprise.log-expected.json
+++ b/packages/google_workspace/data_stream/group_enterprise/_dev/test/pipeline/test-group-enterprise.log-expected.json
@@ -115,4 +115,4 @@
}
}
]
-}
\ No newline at end of file
+}
diff --git a/packages/google_workspace/data_stream/group_enterprise/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/data_stream/group_enterprise/elasticsearch/ingest_pipeline/default.yml
index 97026d6fcff..2f09e2a7162 100644
--- a/packages/google_workspace/data_stream/group_enterprise/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/google_workspace/data_stream/group_enterprise/elasticsearch/ingest_pipeline/default.yml
@@ -32,6 +32,10 @@ processors:
- append:
field: error.message
value: '{{{_ingest.on_failure_message}}}'
+ - drop:
+ if: ctx.json?.events == null
+ description: Discard events that are missing the target during the split operation and are subsequently returned as the root object.
+ tag: drop_empty_events
- set:
field: event.kind
value: [event]
diff --git a/packages/google_workspace/data_stream/group_enterprise/sample_event.json b/packages/google_workspace/data_stream/group_enterprise/sample_event.json
index ac732132417..871d77d63a7 100644
--- a/packages/google_workspace/data_stream/group_enterprise/sample_event.json
+++ b/packages/google_workspace/data_stream/group_enterprise/sample_event.json
@@ -1,32 +1,32 @@
{
"@timestamp": "2020-10-02T15:00:00.000Z",
"agent": {
- "ephemeral_id": "9405bd92-9ad6-4271-9f8f-10d1dc3bae86",
- "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
- "name": "docker-fleet-agent",
+ "ephemeral_id": "fa3bc4f0-f8d5-480f-8a60-8e52dd8da2a4",
+ "id": "cee25b90-4c20-47fa-9206-bdf6781c3784",
+ "name": "elastic-agent-62126",
"type": "filebeat",
- "version": "8.13.0"
+ "version": "8.18.0"
},
"data_stream": {
"dataset": "google_workspace.group_enterprise",
- "namespace": "26916",
+ "namespace": "82423",
"type": "logs"
},
"ecs": {
- "version": "8.11.0"
+ "version": "8.16.0"
},
"elastic_agent": {
- "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
+ "id": "cee25b90-4c20-47fa-9206-bdf6781c3784",
"snapshot": false,
- "version": "8.13.0"
+ "version": "8.18.0"
},
"event": {
"action": "add_info_setting",
"agent_id_status": "verified",
- "created": "2024-08-01T21:57:32.529Z",
+ "created": "2025-11-12T09:28:16.086Z",
"dataset": "google_workspace.group_enterprise",
"id": "1",
- "ingested": "2024-08-01T21:57:44Z",
+ "ingested": "2025-11-12T09:28:19Z",
"kind": [
"event"
],
@@ -136,4 +136,4 @@
"id": "1",
"name": "foo"
}
-}
\ No newline at end of file
+}
diff --git a/packages/google_workspace/data_stream/groups/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/data_stream/groups/elasticsearch/ingest_pipeline/default.yml
index 7d361dee680..5a04403526c 100644
--- a/packages/google_workspace/data_stream/groups/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/google_workspace/data_stream/groups/elasticsearch/ingest_pipeline/default.yml
@@ -37,6 +37,10 @@ processors:
- json:
field: event.original
target_field: json
+ - drop:
+ if: ctx.json?.events == null
+ description: Discard events that are missing the target during the split operation and are subsequently returned as the root object.
+ tag: drop_empty_events
- date:
field: json.id.time
if: ctx.json?.id?.time != null && ctx.json.id.time != ''
diff --git a/packages/google_workspace/data_stream/groups/sample_event.json b/packages/google_workspace/data_stream/groups/sample_event.json
index b0adc585ea8..4b091af8b5d 100644
--- a/packages/google_workspace/data_stream/groups/sample_event.json
+++ b/packages/google_workspace/data_stream/groups/sample_event.json
@@ -1,24 +1,24 @@
{
"@timestamp": "2022-05-04T15:04:05.000Z",
"agent": {
- "ephemeral_id": "786aaf54-461f-4190-adaf-05ab3174ad01",
- "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
- "name": "docker-fleet-agent",
+ "ephemeral_id": "ac082999-e2f3-476d-ad3c-70427e9663c0",
+ "id": "8d55ed60-ac39-4451-8c49-411fcb39b5c7",
+ "name": "elastic-agent-94393",
"type": "filebeat",
- "version": "8.13.0"
+ "version": "8.18.0"
},
"data_stream": {
"dataset": "google_workspace.groups",
- "namespace": "35359",
+ "namespace": "91857",
"type": "logs"
},
"ecs": {
- "version": "8.11.0"
+ "version": "8.16.0"
},
"elastic_agent": {
- "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
+ "id": "8d55ed60-ac39-4451-8c49-411fcb39b5c7",
"snapshot": false,
- "version": "8.13.0"
+ "version": "8.18.0"
},
"event": {
"action": "change_acl_permission",
@@ -26,10 +26,10 @@
"category": [
"iam"
],
- "created": "2024-08-01T21:58:26.973Z",
+ "created": "2025-11-12T09:29:24.121Z",
"dataset": "google_workspace.groups",
"id": "1",
- "ingested": "2024-08-01T21:58:38Z",
+ "ingested": "2025-11-12T09:29:27Z",
"kind": "event",
"original": "{\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"events\":{\"name\":\"change_acl_permission\",\"parameters\":[{\"name\":\"acl_permission\",\"value\":\"can_add_members\"},{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"multiValue\":[\"managers\",\"members\"],\"name\":\"new_value_repeated\"},{\"multiValue\":[\"managers\"],\"name\":\"old_value_repeated\"}],\"type\":\"acl_change\"},\"id\":{\"applicationName\":\"groups\",\"customerId\":\"1\",\"time\":\"2022-05-04T15:04:05Z\",\"uniqueQualifier\":1},\"ipAddress\":\"98.235.162.24\",\"kind\":\"admin#reports#activity\",\"ownerDomain\":\"elastic.com\"}",
"provider": "groups",
@@ -111,4 +111,4 @@
}
}
}
-}
\ No newline at end of file
+}
diff --git a/packages/google_workspace/data_stream/login/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/data_stream/login/elasticsearch/ingest_pipeline/default.yml
index 289f6f9c5c8..628a7a2c896 100644
--- a/packages/google_workspace/data_stream/login/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/google_workspace/data_stream/login/elasticsearch/ingest_pipeline/default.yml
@@ -28,6 +28,10 @@ processors:
- json:
field: event.original
target_field: json
+ - drop:
+ if: ctx.json?.events == null
+ description: Discard events that are missing the target during the split operation and are subsequently returned as the root object.
+ tag: drop_empty_events
- set:
field: event.kind
value: event
diff --git a/packages/google_workspace/data_stream/login/sample_event.json b/packages/google_workspace/data_stream/login/sample_event.json
index 5af8723bfb8..d401e1601e9 100644
--- a/packages/google_workspace/data_stream/login/sample_event.json
+++ b/packages/google_workspace/data_stream/login/sample_event.json
@@ -1,24 +1,24 @@
{
"@timestamp": "2022-05-04T15:04:05.000Z",
"agent": {
- "ephemeral_id": "8d5b6a07-b1e1-4397-982f-9223504ae534",
- "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
- "name": "docker-fleet-agent",
+ "ephemeral_id": "8b74cdb0-0bd2-4233-91d8-eec966d84bf3",
+ "id": "fc7d0803-69bd-46c3-909c-70199b6eb4b4",
+ "name": "elastic-agent-61498",
"type": "filebeat",
- "version": "8.13.0"
+ "version": "8.18.0"
},
"data_stream": {
"dataset": "google_workspace.login",
- "namespace": "61171",
+ "namespace": "93794",
"type": "logs"
},
"ecs": {
- "version": "8.11.0"
+ "version": "8.16.0"
},
"elastic_agent": {
- "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
+ "id": "fc7d0803-69bd-46c3-909c-70199b6eb4b4",
"snapshot": false,
- "version": "8.13.0"
+ "version": "8.18.0"
},
"event": {
"action": "account_disabled_password_leak",
@@ -26,10 +26,10 @@
"category": [
"iam"
],
- "created": "2024-08-01T21:59:36.067Z",
+ "created": "2025-11-12T09:30:46.427Z",
"dataset": "google_workspace.login",
"id": "1",
- "ingested": "2024-08-01T21:59:48Z",
+ "ingested": "2025-11-12T09:30:49Z",
"kind": "event",
"original": "{\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"events\":{\"name\":\"account_disabled_password_leak\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"}],\"type\":\"account_warning\"},\"id\":{\"applicationName\":\"login\",\"customerId\":\"1\",\"time\":\"2022-05-04T15:04:05Z\",\"uniqueQualifier\":1},\"ipAddress\":\"98.235.162.24\",\"kind\":\"admin#reports#activity\",\"ownerDomain\":\"elastic.com\"}",
"provider": "login",
@@ -98,4 +98,4 @@
"name": "foo"
}
}
-}
\ No newline at end of file
+}
diff --git a/packages/google_workspace/data_stream/rules/_dev/test/pipeline/test-rules.log-expected.json b/packages/google_workspace/data_stream/rules/_dev/test/pipeline/test-rules.log-expected.json
index 0dcb88a338f..48166a0954c 100644
--- a/packages/google_workspace/data_stream/rules/_dev/test/pipeline/test-rules.log-expected.json
+++ b/packages/google_workspace/data_stream/rules/_dev/test/pipeline/test-rules.log-expected.json
@@ -222,4 +222,4 @@
}
}
]
-}
\ No newline at end of file
+}
diff --git a/packages/google_workspace/data_stream/rules/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/data_stream/rules/elasticsearch/ingest_pipeline/default.yml
index e2c0d5d8b79..1270097429b 100644
--- a/packages/google_workspace/data_stream/rules/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/google_workspace/data_stream/rules/elasticsearch/ingest_pipeline/default.yml
@@ -28,6 +28,10 @@ processors:
- json:
field: event.original
target_field: json
+ - drop:
+ if: ctx.json?.events == null
+ description: Discard events that are missing the target during the split operation and are subsequently returned as the root object.
+ tag: drop_empty_events
- date:
field: json.id.time
if: ctx.json?.id?.time != null && ctx.json.id.time != ''
diff --git a/packages/google_workspace/data_stream/rules/sample_event.json b/packages/google_workspace/data_stream/rules/sample_event.json
index 79dceb524d4..6784f6db931 100644
--- a/packages/google_workspace/data_stream/rules/sample_event.json
+++ b/packages/google_workspace/data_stream/rules/sample_event.json
@@ -1,32 +1,32 @@
{
"@timestamp": "2020-10-02T15:00:00.000Z",
"agent": {
- "ephemeral_id": "5c6a871e-fa71-4f56-b30d-46922ca4e836",
- "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
- "name": "docker-fleet-agent",
+ "ephemeral_id": "2f135bec-fbd4-4d2e-8eef-ab35e73e56d0",
+ "id": "f0a04289-8933-4e22-b0e3-6a9f6a440f12",
+ "name": "elastic-agent-50837",
"type": "filebeat",
- "version": "8.13.0"
+ "version": "8.18.0"
},
"data_stream": {
"dataset": "google_workspace.rules",
- "namespace": "88921",
+ "namespace": "14857",
"type": "logs"
},
"ecs": {
- "version": "8.11.0"
+ "version": "8.16.0"
},
"elastic_agent": {
- "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
+ "id": "f0a04289-8933-4e22-b0e3-6a9f6a440f12",
"snapshot": false,
- "version": "8.13.0"
+ "version": "8.18.0"
},
"event": {
"action": "rule_match",
"agent_id_status": "verified",
- "created": "2024-08-01T22:00:43.194Z",
+ "created": "2025-11-12T09:32:05.597Z",
"dataset": "google_workspace.rules",
"id": "1",
- "ingested": "2024-08-01T22:00:55Z",
+ "ingested": "2025-11-12T09:32:08Z",
"kind": "event",
"original": "{\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"events\":{\"name\":\"rule_match\",\"parameters\":[{\"boolValue\":\"true\",\"name\":\"has_alert\"},{\"name\":\"actor_ip_address\",\"value\":\"127.0.0.0\"},{\"intValue\":\"1234\",\"name\":\"resource_recipients_omitted_count\"},{\"multiValue\":[\"managers\"],\"name\":\"rule_name\"},{\"multiIntValue\":[\"12\"],\"name\":\"rule_id\"}],\"type\":\"rule_match_type\"},\"id\":{\"applicationName\":\"rules\",\"customerId\":\"1\",\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1},\"ipAddress\":\"67.43.156.13\",\"kind\":\"admin#reports#activity\",\"ownerDomain\":\"elastic.com\"}",
"provider": "rules"
@@ -130,4 +130,4 @@
"id": "1",
"name": "foo"
}
-}
\ No newline at end of file
+}
diff --git a/packages/google_workspace/data_stream/saml/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/data_stream/saml/elasticsearch/ingest_pipeline/default.yml
index 2c9c60a3c5c..79740e22cca 100644
--- a/packages/google_workspace/data_stream/saml/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/google_workspace/data_stream/saml/elasticsearch/ingest_pipeline/default.yml
@@ -40,6 +40,10 @@ processors:
- json:
field: event.original
target_field: json
+ - drop:
+ if: ctx.json?.events == null
+ description: Discard events that are missing the target during the split operation and are subsequently returned as the root object.
+ tag: drop_empty_events
- date:
field: json.id.time
if: ctx.json?.id?.time != null && ctx.json.id.time != ''
diff --git a/packages/google_workspace/data_stream/saml/sample_event.json b/packages/google_workspace/data_stream/saml/sample_event.json
index 3d585255026..728e5678be1 100644
--- a/packages/google_workspace/data_stream/saml/sample_event.json
+++ b/packages/google_workspace/data_stream/saml/sample_event.json
@@ -1,24 +1,24 @@
{
"@timestamp": "2021-10-02T15:00:00.000Z",
"agent": {
- "ephemeral_id": "21bc9c22-c07c-4d9e-be7d-d847757ace52",
- "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
- "name": "docker-fleet-agent",
+ "ephemeral_id": "1693aa26-5c75-4375-ad3d-3eec4df9c152",
+ "id": "10f5303c-a7b9-427c-bde2-1bc17e1b5f62",
+ "name": "elastic-agent-70610",
"type": "filebeat",
- "version": "8.13.0"
+ "version": "8.18.0"
},
"data_stream": {
"dataset": "google_workspace.saml",
- "namespace": "42924",
+ "namespace": "79209",
"type": "logs"
},
"ecs": {
- "version": "8.11.0"
+ "version": "8.16.0"
},
"elastic_agent": {
- "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
+ "id": "10f5303c-a7b9-427c-bde2-1bc17e1b5f62",
"snapshot": false,
- "version": "8.13.0"
+ "version": "8.18.0"
},
"event": {
"action": "login_failure",
@@ -27,10 +27,10 @@
"authentication",
"session"
],
- "created": "2024-08-01T22:01:50.429Z",
+ "created": "2025-11-12T09:33:24.654Z",
"dataset": "google_workspace.saml",
"id": "1",
- "ingested": "2024-08-01T22:02:02Z",
+ "ingested": "2025-11-12T09:33:27Z",
"kind": "event",
"original": "{\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"events\":{\"name\":\"login_failure\",\"parameters\":[{\"name\":\"application_name\",\"value\":\"app\"},{\"name\":\"failure_type\",\"value\":\"failure_app_not_configured_for_user\"},{\"name\":\"initiated_by\",\"value\":\"idp\"},{\"name\":\"orgunit_path\",\"value\":\"ounit\"},{\"name\":\"saml_second_level_status_code\",\"value\":\"SUCCESS_URI\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}],\"type\":\"login\"},\"id\":{\"applicationName\":\"saml\",\"customerId\":\"1\",\"time\":\"2021-10-02T15:00:00Z\",\"uniqueQualifier\":1},\"ipAddress\":\"98.235.162.24\",\"kind\":\"admin#reports#activity\",\"ownerDomain\":\"elastic.com\"}",
"outcome": "failure",
@@ -99,4 +99,4 @@
"id": "1",
"name": "foo"
}
-}
\ No newline at end of file
+}
diff --git a/packages/google_workspace/data_stream/token/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/data_stream/token/elasticsearch/ingest_pipeline/default.yml
index 66319bafc88..1e7c4f1cfaa 100644
--- a/packages/google_workspace/data_stream/token/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/google_workspace/data_stream/token/elasticsearch/ingest_pipeline/default.yml
@@ -32,6 +32,10 @@ processors:
- append:
field: error.message
value: '{{{_ingest.on_failure_message}}}'
+ - drop:
+ if: ctx.json?.events == null
+ description: Discard events that are missing the target during the split operation and are subsequently returned as the root object.
+ tag: drop_empty_events
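Review bot: The drop introduced here sits directly after an `append` to `error.message`; if that append is the `json` processor's `on_failure` handler (the processor itself is outside the hunk), a token-grant record whose `event.original` failed to parse arrives here with `ctx.json` null, and `ctx.json?.events == null` then evaluates true and silently discards it rather than indexing it with the error. The stated intent covers only the empty root object returned by the split, which is a successfully parsed object missing `events`. Changing the condition to `if: ctx.json != null && ctx.json.events == null` limits the drop to that case. If dropping unparseable OAuth token events is deliberate, the description should say so, since these are IAM audit records that analysts may expect to be retained with an error marker.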
- set:
field: event.kind
value: [event]
diff --git a/packages/google_workspace/data_stream/token/sample_event.json b/packages/google_workspace/data_stream/token/sample_event.json
index 0ec2828b30a..2178fabfb20 100644
--- a/packages/google_workspace/data_stream/token/sample_event.json
+++ b/packages/google_workspace/data_stream/token/sample_event.json
@@ -1,24 +1,24 @@
{
"@timestamp": "2020-10-02T15:00:00.000Z",
"agent": {
- "ephemeral_id": "22e6154c-9c10-4cb9-b17b-41f429c22724",
- "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
- "name": "docker-fleet-agent",
+ "ephemeral_id": "ad8fd964-2106-456f-b67d-d15f242b974a",
+ "id": "0e4ae03a-fed5-4929-af01-acbf3c28e835",
+ "name": "elastic-agent-54687",
"type": "filebeat",
- "version": "8.13.0"
+ "version": "8.18.0"
},
"data_stream": {
"dataset": "google_workspace.token",
- "namespace": "16418",
+ "namespace": "51431",
"type": "logs"
},
"ecs": {
- "version": "8.11.0"
+ "version": "8.16.0"
},
"elastic_agent": {
- "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
+ "id": "0e4ae03a-fed5-4929-af01-acbf3c28e835",
"snapshot": false,
- "version": "8.13.0"
+ "version": "8.18.0"
},
"event": {
"action": "authorize",
@@ -26,10 +26,10 @@
"category": [
"iam"
],
- "created": "2024-08-01T22:03:00.693Z",
+ "created": "2025-11-12T09:34:42.588Z",
"dataset": "google_workspace.token",
"id": "1",
- "ingested": "2024-08-01T22:03:12Z",
+ "ingested": "2025-11-12T09:34:45Z",
"kind": [
"event"
],
@@ -170,4 +170,4 @@
"id": "1",
"name": "foo"
}
-}
\ No newline at end of file
+}
diff --git a/packages/google_workspace/data_stream/user_accounts/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/data_stream/user_accounts/elasticsearch/ingest_pipeline/default.yml
index 6b11c229d19..c477d7a85b7 100644
--- a/packages/google_workspace/data_stream/user_accounts/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/google_workspace/data_stream/user_accounts/elasticsearch/ingest_pipeline/default.yml
@@ -40,6 +40,10 @@ processors:
- json:
field: event.original
target_field: json
+ - drop:
+ if: ctx.json?.events == null
+ description: Discard events that are missing the target during the split operation and are subsequently returned as the root object.
+ tag: drop_empty_events
- date:
field: json.id.time
if: ctx.json?.id?.time != null && ctx.json.id.time != ''
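Review bot: As written, `if: ctx.json?.events == null` cannot distinguish a parsed object without `events` from a document where `json` was never populated, because `ctx.json?.events` is null in both cases. For this data stream (2SV and password changes) a silently dropped record is a detection gap, so the guard should name the case it is meant for: `if: ctx.json != null && ctx.json.events == null`. Whether a `json` failure actually continues past the processor on the line above depends on an `on_failure` handler not visible in the hunk, so this may be a latent rather than an immediate issue.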
diff --git a/packages/google_workspace/data_stream/user_accounts/sample_event.json b/packages/google_workspace/data_stream/user_accounts/sample_event.json
index fe65d4c6302..8f276baedd9 100644
--- a/packages/google_workspace/data_stream/user_accounts/sample_event.json
+++ b/packages/google_workspace/data_stream/user_accounts/sample_event.json
@@ -1,24 +1,24 @@
{
"@timestamp": "2020-10-02T15:00:00.000Z",
"agent": {
- "ephemeral_id": "65179230-7468-4b71-9b2b-a2cd4f778866",
- "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
- "name": "docker-fleet-agent",
+ "ephemeral_id": "e8229c15-2d86-4ef5-9675-a6083d53576d",
+ "id": "efba0153-8b9d-401d-86ef-045fb5374ab1",
+ "name": "elastic-agent-81708",
"type": "filebeat",
- "version": "8.13.0"
+ "version": "8.18.0"
},
"data_stream": {
"dataset": "google_workspace.user_accounts",
- "namespace": "10103",
+ "namespace": "36846",
"type": "logs"
},
"ecs": {
- "version": "8.11.0"
+ "version": "8.16.0"
},
"elastic_agent": {
- "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
+ "id": "efba0153-8b9d-401d-86ef-045fb5374ab1",
"snapshot": false,
- "version": "8.13.0"
+ "version": "8.18.0"
},
"event": {
"action": "2sv_disable",
@@ -26,10 +26,10 @@
"category": [
"iam"
],
- "created": "2024-08-01T22:03:58.977Z",
+ "created": "2025-11-12T09:35:53.826Z",
"dataset": "google_workspace.user_accounts",
"id": "1",
- "ingested": "2024-08-01T22:04:10Z",
+ "ingested": "2025-11-12T09:35:56Z",
"kind": "event",
"original": "{\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"events\":{\"name\":\"2sv_disable\",\"type\":\"2sv_change\"},\"id\":{\"applicationName\":\"user_accounts\",\"customerId\":\"1\",\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1},\"ipAddress\":\"98.235.162.24\",\"kind\":\"admin#reports#activity\",\"ownerDomain\":\"elastic.com\"}",
"provider": "user_accounts",
@@ -90,4 +90,4 @@
"id": "1",
"name": "foo"
}
-}
\ No newline at end of file
+}
diff --git a/packages/google_workspace/docs/README.md b/packages/google_workspace/docs/README.md
index 8cf069a9889..96d6a4369e7 100644
--- a/packages/google_workspace/docs/README.md
+++ b/packages/google_workspace/docs/README.md
@@ -249,24 +249,24 @@ An example event for `saml` looks as following:
{
"@timestamp": "2021-10-02T15:00:00.000Z",
"agent": {
- "ephemeral_id": "21bc9c22-c07c-4d9e-be7d-d847757ace52",
- "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
- "name": "docker-fleet-agent",
+ "ephemeral_id": "1693aa26-5c75-4375-ad3d-3eec4df9c152",
+ "id": "10f5303c-a7b9-427c-bde2-1bc17e1b5f62",
+ "name": "elastic-agent-70610",
"type": "filebeat",
- "version": "8.13.0"
+ "version": "8.18.0"
},
"data_stream": {
"dataset": "google_workspace.saml",
- "namespace": "42924",
+ "namespace": "79209",
"type": "logs"
},
"ecs": {
- "version": "8.11.0"
+ "version": "8.16.0"
},
"elastic_agent": {
- "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
+ "id": "10f5303c-a7b9-427c-bde2-1bc17e1b5f62",
"snapshot": false,
- "version": "8.13.0"
+ "version": "8.18.0"
},
"event": {
"action": "login_failure",
@@ -275,10 +275,10 @@ An example event for `saml` looks as following:
"authentication",
"session"
],
- "created": "2024-08-01T22:01:50.429Z",
+ "created": "2025-11-12T09:33:24.654Z",
"dataset": "google_workspace.saml",
"id": "1",
- "ingested": "2024-08-01T22:02:02Z",
+ "ingested": "2025-11-12T09:33:27Z",
"kind": "event",
"original": "{\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"events\":{\"name\":\"login_failure\",\"parameters\":[{\"name\":\"application_name\",\"value\":\"app\"},{\"name\":\"failure_type\",\"value\":\"failure_app_not_configured_for_user\"},{\"name\":\"initiated_by\",\"value\":\"idp\"},{\"name\":\"orgunit_path\",\"value\":\"ounit\"},{\"name\":\"saml_second_level_status_code\",\"value\":\"SUCCESS_URI\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}],\"type\":\"login\"},\"id\":{\"applicationName\":\"saml\",\"customerId\":\"1\",\"time\":\"2021-10-02T15:00:00Z\",\"uniqueQualifier\":1},\"ipAddress\":\"98.235.162.24\",\"kind\":\"admin#reports#activity\",\"ownerDomain\":\"elastic.com\"}",
"outcome": "failure",
@@ -385,24 +385,24 @@ An example event for `user_accounts` looks as following:
{
"@timestamp": "2020-10-02T15:00:00.000Z",
"agent": {
- "ephemeral_id": "65179230-7468-4b71-9b2b-a2cd4f778866",
- "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
- "name": "docker-fleet-agent",
+ "ephemeral_id": "e8229c15-2d86-4ef5-9675-a6083d53576d",
+ "id": "efba0153-8b9d-401d-86ef-045fb5374ab1",
+ "name": "elastic-agent-81708",
"type": "filebeat",
- "version": "8.13.0"
+ "version": "8.18.0"
},
"data_stream": {
"dataset": "google_workspace.user_accounts",
- "namespace": "10103",
+ "namespace": "36846",
"type": "logs"
},
"ecs": {
- "version": "8.11.0"
+ "version": "8.16.0"
},
"elastic_agent": {
- "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
+ "id": "efba0153-8b9d-401d-86ef-045fb5374ab1",
"snapshot": false,
- "version": "8.13.0"
+ "version": "8.18.0"
},
"event": {
"action": "2sv_disable",
@@ -410,10 +410,10 @@ An example event for `user_accounts` looks as following:
"category": [
"iam"
],
- "created": "2024-08-01T22:03:58.977Z",
+ "created": "2025-11-12T09:35:53.826Z",
"dataset": "google_workspace.user_accounts",
"id": "1",
- "ingested": "2024-08-01T22:04:10Z",
+ "ingested": "2025-11-12T09:35:56Z",
"kind": "event",
"original": "{\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"events\":{\"name\":\"2sv_disable\",\"type\":\"2sv_change\"},\"id\":{\"applicationName\":\"user_accounts\",\"customerId\":\"1\",\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1},\"ipAddress\":\"98.235.162.24\",\"kind\":\"admin#reports#activity\",\"ownerDomain\":\"elastic.com\"}",
"provider": "user_accounts",
@@ -507,24 +507,24 @@ An example event for `login` looks as following:
{
"@timestamp": "2022-05-04T15:04:05.000Z",
"agent": {
- "ephemeral_id": "8d5b6a07-b1e1-4397-982f-9223504ae534",
- "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
- "name": "docker-fleet-agent",
+ "ephemeral_id": "8b74cdb0-0bd2-4233-91d8-eec966d84bf3",
+ "id": "fc7d0803-69bd-46c3-909c-70199b6eb4b4",
+ "name": "elastic-agent-61498",
"type": "filebeat",
- "version": "8.13.0"
+ "version": "8.18.0"
},
"data_stream": {
"dataset": "google_workspace.login",
- "namespace": "61171",
+ "namespace": "93794",
"type": "logs"
},
"ecs": {
- "version": "8.11.0"
+ "version": "8.16.0"
},
"elastic_agent": {
- "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
+ "id": "fc7d0803-69bd-46c3-909c-70199b6eb4b4",
"snapshot": false,
- "version": "8.13.0"
+ "version": "8.18.0"
},
"event": {
"action": "account_disabled_password_leak",
@@ -532,10 +532,10 @@ An example event for `login` looks as following:
"category": [
"iam"
],
- "created": "2024-08-01T21:59:36.067Z",
+ "created": "2025-11-12T09:30:46.427Z",
"dataset": "google_workspace.login",
"id": "1",
- "ingested": "2024-08-01T21:59:48Z",
+ "ingested": "2025-11-12T09:30:49Z",
"kind": "event",
"original": "{\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"events\":{\"name\":\"account_disabled_password_leak\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"}],\"type\":\"account_warning\"},\"id\":{\"applicationName\":\"login\",\"customerId\":\"1\",\"time\":\"2022-05-04T15:04:05Z\",\"uniqueQualifier\":1},\"ipAddress\":\"98.235.162.24\",\"kind\":\"admin#reports#activity\",\"ownerDomain\":\"elastic.com\"}",
"provider": "login",
@@ -649,32 +649,32 @@ An example event for `rules` looks as following:
{
"@timestamp": "2020-10-02T15:00:00.000Z",
"agent": {
- "ephemeral_id": "5c6a871e-fa71-4f56-b30d-46922ca4e836",
- "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
- "name": "docker-fleet-agent",
+ "ephemeral_id": "2f135bec-fbd4-4d2e-8eef-ab35e73e56d0",
+ "id": "f0a04289-8933-4e22-b0e3-6a9f6a440f12",
+ "name": "elastic-agent-50837",
"type": "filebeat",
- "version": "8.13.0"
+ "version": "8.18.0"
},
"data_stream": {
"dataset": "google_workspace.rules",
- "namespace": "88921",
+ "namespace": "14857",
"type": "logs"
},
"ecs": {
- "version": "8.11.0"
+ "version": "8.16.0"
},
"elastic_agent": {
- "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
+ "id": "f0a04289-8933-4e22-b0e3-6a9f6a440f12",
"snapshot": false,
- "version": "8.13.0"
+ "version": "8.18.0"
},
"event": {
"action": "rule_match",
"agent_id_status": "verified",
- "created": "2024-08-01T22:00:43.194Z",
+ "created": "2025-11-12T09:32:05.597Z",
"dataset": "google_workspace.rules",
"id": "1",
- "ingested": "2024-08-01T22:00:55Z",
+ "ingested": "2025-11-12T09:32:08Z",
"kind": "event",
"original": "{\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"events\":{\"name\":\"rule_match\",\"parameters\":[{\"boolValue\":\"true\",\"name\":\"has_alert\"},{\"name\":\"actor_ip_address\",\"value\":\"127.0.0.0\"},{\"intValue\":\"1234\",\"name\":\"resource_recipients_omitted_count\"},{\"multiValue\":[\"managers\"],\"name\":\"rule_name\"},{\"multiIntValue\":[\"12\"],\"name\":\"rule_id\"}],\"type\":\"rule_match_type\"},\"id\":{\"applicationName\":\"rules\",\"customerId\":\"1\",\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1},\"ipAddress\":\"67.43.156.13\",\"kind\":\"admin#reports#activity\",\"ownerDomain\":\"elastic.com\"}",
"provider": "rules"
@@ -854,24 +854,24 @@ An example event for `admin` looks as following:
{
"@timestamp": "2022-04-04T15:04:05.000Z",
"agent": {
- "ephemeral_id": "e64e710c-e02b-4997-bb7e-83b936dd6aa5",
- "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
- "name": "docker-fleet-agent",
+ "ephemeral_id": "14b6ad66-8af9-429d-b327-3fee869369e5",
+ "id": "752f45e8-5f63-4dca-ab63-ec8e8f790d4a",
+ "name": "elastic-agent-14522",
"type": "filebeat",
- "version": "8.13.0"
+ "version": "8.18.0"
},
"data_stream": {
"dataset": "google_workspace.admin",
- "namespace": "62273",
+ "namespace": "51420",
"type": "logs"
},
"ecs": {
- "version": "8.11.0"
+ "version": "8.16.0"
},
"elastic_agent": {
- "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
+ "id": "752f45e8-5f63-4dca-ab63-ec8e8f790d4a",
"snapshot": false,
- "version": "8.13.0"
+ "version": "8.18.0"
},
"event": {
"action": "CHANGE_APPLICATION_SETTING",
@@ -880,10 +880,10 @@ An example event for `admin` looks as following:
"iam",
"configuration"
],
- "created": "2024-08-01T21:51:15.529Z",
+ "created": "2025-11-12T09:21:44.692Z",
"dataset": "google_workspace.admin",
"id": "1",
- "ingested": "2024-08-01T21:51:27Z",
+ "ingested": "2025-11-12T09:21:47Z",
"kind": "event",
"original": "{\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"events\":{\"name\":\"CHANGE_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APPLICATION_EDITION\",\"value\":\"basic\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}],\"type\":\"APPLICATION_SETTINGS\"},\"id\":{\"applicationName\":\"admin\",\"customerId\":\"1\",\"time\":\"2022-04-04T15:04:05Z\",\"uniqueQualifier\":1},\"ipAddress\":\"98.235.162.24\",\"kind\":\"admin#reports#activity\",\"ownerDomain\":\"elastic.com\"}",
"provider": "admin",
@@ -1094,24 +1094,24 @@ An example event for `drive` looks as following:
{
"@timestamp": "2022-05-04T15:04:05.000Z",
"agent": {
- "ephemeral_id": "afd0c297-d853-427a-96bc-20af38e5b145",
- "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
- "name": "docker-fleet-agent",
+ "ephemeral_id": "f63cc477-4c17-460f-8a39-f41fc874d461",
+ "id": "b588c116-db18-4768-9791-d2e179c06bbc",
+ "name": "elastic-agent-51764",
"type": "filebeat",
- "version": "8.13.0"
+ "version": "8.18.0"
},
"data_stream": {
"dataset": "google_workspace.drive",
- "namespace": "99832",
+ "namespace": "47185",
"type": "logs"
},
"ecs": {
- "version": "8.11.0"
+ "version": "8.16.0"
},
"elastic_agent": {
- "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
+ "id": "b588c116-db18-4768-9791-d2e179c06bbc",
"snapshot": false,
- "version": "8.13.0"
+ "version": "8.18.0"
},
"event": {
"action": "add_to_folder",
@@ -1119,10 +1119,10 @@ An example event for `drive` looks as following:
"category": [
"file"
],
- "created": "2024-08-01T21:55:29.295Z",
+ "created": "2025-11-12T09:25:35.165Z",
"dataset": "google_workspace.drive",
"id": "1",
- "ingested": "2024-08-01T21:55:41Z",
+ "ingested": "2025-11-12T09:25:38Z",
"kind": "event",
"original": "{\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"events\":{\"name\":\"add_to_folder\",\"parameters\":[{\"boolValue\":false,\"name\":\"billable\"},{\"name\":\"destination_folder_id\",\"value\":\"1234\"},{\"name\":\"destination_folder_title\",\"value\":\"folder title\"},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"boolValue\":false,\"name\":\"owner_is_shared_drive\"},{\"boolValue\":true,\"name\":\"primary_event\"},{\"name\":\"visibility\",\"value\":\"people_with_link\"}],\"type\":\"access\"},\"id\":{\"applicationName\":\"drive\",\"customerId\":\"1\",\"time\":\"2022-05-04T15:04:05Z\",\"uniqueQualifier\":1},\"ipAddress\":\"98.235.162.24\",\"kind\":\"admin#reports#activity\",\"ownerDomain\":\"elastic.com\"}",
"provider": "drive",
@@ -1274,24 +1274,24 @@ An example event for `groups` looks as following:
{
"@timestamp": "2022-05-04T15:04:05.000Z",
"agent": {
- "ephemeral_id": "786aaf54-461f-4190-adaf-05ab3174ad01",
- "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
- "name": "docker-fleet-agent",
+ "ephemeral_id": "ac082999-e2f3-476d-ad3c-70427e9663c0",
+ "id": "8d55ed60-ac39-4451-8c49-411fcb39b5c7",
+ "name": "elastic-agent-94393",
"type": "filebeat",
- "version": "8.13.0"
+ "version": "8.18.0"
},
"data_stream": {
"dataset": "google_workspace.groups",
- "namespace": "35359",
+ "namespace": "91857",
"type": "logs"
},
"ecs": {
- "version": "8.11.0"
+ "version": "8.16.0"
},
"elastic_agent": {
- "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
+ "id": "8d55ed60-ac39-4451-8c49-411fcb39b5c7",
"snapshot": false,
- "version": "8.13.0"
+ "version": "8.18.0"
},
"event": {
"action": "change_acl_permission",
@@ -1299,10 +1299,10 @@ An example event for `groups` looks as following:
"category": [
"iam"
],
- "created": "2024-08-01T21:58:26.973Z",
+ "created": "2025-11-12T09:29:24.121Z",
"dataset": "google_workspace.groups",
"id": "1",
- "ingested": "2024-08-01T21:58:38Z",
+ "ingested": "2025-11-12T09:29:27Z",
"kind": "event",
"original": "{\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"events\":{\"name\":\"change_acl_permission\",\"parameters\":[{\"name\":\"acl_permission\",\"value\":\"can_add_members\"},{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"multiValue\":[\"managers\",\"members\"],\"name\":\"new_value_repeated\"},{\"multiValue\":[\"managers\"],\"name\":\"old_value_repeated\"}],\"type\":\"acl_change\"},\"id\":{\"applicationName\":\"groups\",\"customerId\":\"1\",\"time\":\"2022-05-04T15:04:05Z\",\"uniqueQualifier\":1},\"ipAddress\":\"98.235.162.24\",\"kind\":\"admin#reports#activity\",\"ownerDomain\":\"elastic.com\"}",
"provider": "groups",
@@ -1743,32 +1743,32 @@ An example event for `device` looks as following:
{
"@timestamp": "2020-10-02T15:00:00.000Z",
"agent": {
- "ephemeral_id": "9875ab07-088d-4ff3-8cfe-daa3a497cf78",
- "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
- "name": "docker-fleet-agent",
+ "ephemeral_id": "7aa421c8-d815-4e38-bd60-cb57bc5846b5",
+ "id": "60de190d-6628-47a3-afea-6a73703cb75b",
+ "name": "elastic-agent-72403",
"type": "filebeat",
- "version": "8.13.0"
+ "version": "8.18.0"
},
"data_stream": {
"dataset": "google_workspace.device",
- "namespace": "89096",
+ "namespace": "60770",
"type": "logs"
},
"ecs": {
- "version": "8.11.0"
+ "version": "8.16.0"
},
"elastic_agent": {
- "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
+ "id": "60de190d-6628-47a3-afea-6a73703cb75b",
"snapshot": false,
- "version": "8.13.0"
+ "version": "8.18.0"
},
"event": {
"action": "APPLICATION_EVENT",
"agent_id_status": "verified",
- "created": "2024-08-01T21:54:32.984Z",
+ "created": "2025-11-12T09:24:24.919Z",
"dataset": "google_workspace.device",
"id": "1",
- "ingested": "2024-08-01T21:54:44Z",
+ "ingested": "2025-11-12T09:24:27Z",
"kind": [
"event"
],
@@ -2014,32 +2014,32 @@ An example event for `group_enterprise` looks as following:
{
"@timestamp": "2020-10-02T15:00:00.000Z",
"agent": {
- "ephemeral_id": "9405bd92-9ad6-4271-9f8f-10d1dc3bae86",
- "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
- "name": "docker-fleet-agent",
+ "ephemeral_id": "fa3bc4f0-f8d5-480f-8a60-8e52dd8da2a4",
+ "id": "cee25b90-4c20-47fa-9206-bdf6781c3784",
+ "name": "elastic-agent-62126",
"type": "filebeat",
- "version": "8.13.0"
+ "version": "8.18.0"
},
"data_stream": {
"dataset": "google_workspace.group_enterprise",
- "namespace": "26916",
+ "namespace": "82423",
"type": "logs"
},
"ecs": {
- "version": "8.11.0"
+ "version": "8.16.0"
},
"elastic_agent": {
- "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
+ "id": "cee25b90-4c20-47fa-9206-bdf6781c3784",
"snapshot": false,
- "version": "8.13.0"
+ "version": "8.18.0"
},
"event": {
"action": "add_info_setting",
"agent_id_status": "verified",
- "created": "2024-08-01T21:57:32.529Z",
+ "created": "2025-11-12T09:28:16.086Z",
"dataset": "google_workspace.group_enterprise",
"id": "1",
- "ingested": "2024-08-01T21:57:44Z",
+ "ingested": "2025-11-12T09:28:19Z",
"kind": [
"event"
],
@@ -2203,24 +2203,24 @@ An example event for `token` looks as following:
{
"@timestamp": "2020-10-02T15:00:00.000Z",
"agent": {
- "ephemeral_id": "22e6154c-9c10-4cb9-b17b-41f429c22724",
- "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
- "name": "docker-fleet-agent",
+ "ephemeral_id": "ad8fd964-2106-456f-b67d-d15f242b974a",
+ "id": "0e4ae03a-fed5-4929-af01-acbf3c28e835",
+ "name": "elastic-agent-54687",
"type": "filebeat",
- "version": "8.13.0"
+ "version": "8.18.0"
},
"data_stream": {
"dataset": "google_workspace.token",
- "namespace": "16418",
+ "namespace": "51431",
"type": "logs"
},
"ecs": {
- "version": "8.11.0"
+ "version": "8.16.0"
},
"elastic_agent": {
- "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
+ "id": "0e4ae03a-fed5-4929-af01-acbf3c28e835",
"snapshot": false,
- "version": "8.13.0"
+ "version": "8.18.0"
},
"event": {
"action": "authorize",
@@ -2228,10 +2228,10 @@ An example event for `token` looks as following:
"category": [
"iam"
],
- "created": "2024-08-01T22:03:00.693Z",
+ "created": "2025-11-12T09:34:42.588Z",
"dataset": "google_workspace.token",
"id": "1",
- "ingested": "2024-08-01T22:03:12Z",
+ "ingested": "2025-11-12T09:34:45Z",
"kind": [
"event"
],
@@ -2422,32 +2422,32 @@ An example event for `access_transparency` looks as following:
{
"@timestamp": "2020-10-02T15:00:00.000Z",
"agent": {
- "ephemeral_id": "e3f2296a-a4a2-4d03-9105-cee5b37c1408",
- "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
- "name": "docker-fleet-agent",
+ "ephemeral_id": "e71ef9cb-072e-48d2-9130-96f1d4bce4d3",
+ "id": "2da80338-c8c6-4300-9470-025fe55de0c1",
+ "name": "elastic-agent-58418",
"type": "filebeat",
- "version": "8.13.0"
+ "version": "8.18.0"
},
"data_stream": {
"dataset": "google_workspace.access_transparency",
- "namespace": "83912",
+ "namespace": "21501",
"type": "logs"
},
"ecs": {
- "version": "8.11.0"
+ "version": "8.16.0"
},
"elastic_agent": {
- "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
+ "id": "2da80338-c8c6-4300-9470-025fe55de0c1",
"snapshot": false,
- "version": "8.13.0"
+ "version": "8.18.0"
},
"event": {
"action": "APPLICATION_EVENT",
"agent_id_status": "verified",
- "created": "2024-08-01T21:50:19.274Z",
+ "created": "2025-11-12T09:20:36.555Z",
"dataset": "google_workspace.access_transparency",
"id": "1",
- "ingested": "2024-08-01T21:50:31Z",
+ "ingested": "2025-11-12T09:20:39Z",
"kind": [
"event"
],
@@ -2603,32 +2603,32 @@ An example event for `context_aware_access` looks as following:
{
"@timestamp": "2020-10-02T15:00:00.000Z",
"agent": {
- "ephemeral_id": "6fde0a21-1448-4531-a5c9-42751772e3a7",
- "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
- "name": "docker-fleet-agent",
+ "ephemeral_id": "01101cd7-b942-4061-8dcf-8488f5b64461",
+ "id": "10bdbb6c-0cff-4af9-866d-64a6bb61e845",
+ "name": "elastic-agent-67948",
"type": "filebeat",
- "version": "8.13.0"
+ "version": "8.18.0"
},
"data_stream": {
"dataset": "google_workspace.context_aware_access",
- "namespace": "14973",
+ "namespace": "38010",
"type": "logs"
},
"ecs": {
- "version": "8.11.0"
+ "version": "8.16.0"
},
"elastic_agent": {
- "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
+ "id": "10bdbb6c-0cff-4af9-866d-64a6bb61e845",
"snapshot": false,
- "version": "8.13.0"
+ "version": "8.18.0"
},
"event": {
"action": "APPLICATION_EVENT",
"agent_id_status": "verified",
- "created": "2024-08-01T21:53:36.823Z",
+ "created": "2025-11-12T09:23:14.570Z",
"dataset": "google_workspace.context_aware_access",
"id": "1",
- "ingested": "2024-08-01T21:53:48Z",
+ "ingested": "2025-11-12T09:23:17Z",
"kind": [
"event"
],
@@ -2773,32 +2773,32 @@ An example event for `gcp` looks as following:
{
"@timestamp": "2020-10-02T15:00:00.000Z",
"agent": {
- "ephemeral_id": "73bd4e11-03bc-40dc-a0bc-1d9ca1aaa853",
- "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
- "name": "docker-fleet-agent",
+ "ephemeral_id": "ea5f2721-a5c8-44f7-9f90-d4e84d70f5ce",
+ "id": "78e1ae1d-8b1a-4ec2-85b0-c613aba4cfe4",
+ "name": "elastic-agent-48565",
"type": "filebeat",
- "version": "8.13.0"
+ "version": "8.18.0"
},
"data_stream": {
"dataset": "google_workspace.gcp",
- "namespace": "65228",
+ "namespace": "98365",
"type": "logs"
},
"ecs": {
- "version": "8.11.0"
+ "version": "8.16.0"
},
"elastic_agent": {
- "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
+ "id": "78e1ae1d-8b1a-4ec2-85b0-c613aba4cfe4",
"snapshot": false,
- "version": "8.13.0"
+ "version": "8.18.0"
},
"event": {
"action": "IMPORT_SSH_PUBLIC_KEY",
"agent_id_status": "verified",
- "created": "2024-08-01T21:56:37.313Z",
+ "created": "2025-11-12T09:27:05.101Z",
"dataset": "google_workspace.gcp",
"id": "1",
- "ingested": "2024-08-01T21:56:49Z",
+ "ingested": "2025-11-12T09:27:08Z",
"kind": [
"event"
],
diff --git a/packages/google_workspace/manifest.yml b/packages/google_workspace/manifest.yml
index 65074322bc9..b2c8ed0b853 100644
--- a/packages/google_workspace/manifest.yml
+++ b/packages/google_workspace/manifest.yml
@@ -1,6 +1,6 @@
name: google_workspace
title: Google Workspace
-version: "2.47.1"
+version: "2.47.2"
source:
license: Elastic-2.0
description: Collect logs from Google Workspace with Elastic Agent.
diff --git a/packages/nvidia_gpu/changelog.yml b/packages/nvidia_gpu/changelog.yml
index 8f694f74bff..10921033671 100644
--- a/packages/nvidia_gpu/changelog.yml
+++ b/packages/nvidia_gpu/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
+- version: "0.4.1"
+ changes:
+ - description: SSL configuration is not expected to have multiple values.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/16001
- version: "0.4.0"
changes:
- description: |
diff --git a/packages/nvidia_gpu/data_stream/stats/agent/stream/stream.yml.hbs b/packages/nvidia_gpu/data_stream/stats/agent/stream/stream.yml.hbs
index fd1a0e6721d..6ab86d98172 100644
--- a/packages/nvidia_gpu/data_stream/stats/agent/stream/stream.yml.hbs
+++ b/packages/nvidia_gpu/data_stream/stats/agent/stream/stream.yml.hbs
@@ -15,7 +15,7 @@ metrics_filters.include:
{{#each metrics_filters.include}}
- {{this}}
{{/each}}
-{{#if ssl.certificate_authorities}}
+{{#if ssl}}
ssl:
{{ssl}}
{{/if}}
diff --git a/packages/nvidia_gpu/data_stream/stats/manifest.yml b/packages/nvidia_gpu/data_stream/stats/manifest.yml
index bbe208774c0..f23f5b0b63d 100644
--- a/packages/nvidia_gpu/data_stream/stats/manifest.yml
+++ b/packages/nvidia_gpu/data_stream/stats/manifest.yml
@@ -41,7 +41,6 @@ streams:
description: >
Configure SSL for the Prometheus endpoint in YAML format. Use with caution as incorrect settings may cause issues with your configuration.
- multi: true
required: false
show_user: false
- name: username
diff --git a/packages/nvidia_gpu/manifest.yml b/packages/nvidia_gpu/manifest.yml
index 821f47582dd..55667d96503 100644
--- a/packages/nvidia_gpu/manifest.yml
+++ b/packages/nvidia_gpu/manifest.yml
@@ -1,7 +1,7 @@
format_version: 3.2.0
name: nvidia_gpu
title: "NVIDIA GPU Monitoring"
-version: 0.4.0
+version: 0.4.1
source:
license: "Elastic-2.0"
description: "Monitor NVIDIA GPUs via NVIDIA Data Center GPU Manager"
diff --git a/packages/o365/_dev/deploy/docker/config.yml b/packages/o365/_dev/deploy/docker/config.yml
index 9345403edf1..5aa8fca3aa0 100644
--- a/packages/o365/_dev/deploy/docker/config.yml
+++ b/packages/o365/_dev/deploy/docker/config.yml
@@ -214,6 +214,12 @@ rules:
"ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx",
"Id": "99d005e6-a4c6-46fd-117c-08d7abeceab5",
"CorrelationId": "622b339f-4000-a000-f25f-92b3478c7a25",
+ "ExtendedProperties": [
+ {
+ "Name": "additionalDetails",
+ "Value": "{\"DeviceId\":\"62eedfc0-b73c-206c-a59d-16457c7ebcd8\",\"DeviceOSType\":\"Linux\",\"DeviceTrustType\":\"\"}"
+ }
+ ],
"RecordType": 4
},
{
@@ -236,6 +242,12 @@ rules:
"Operation": "PageViewed",
"Id": "99d005e6-a4c6-46fd-117c-08d7abeceab5",
"CorrelationId": "622b339f-4000-a000-f25f-92b3478c7a25",
+ "ExtendedProperties": [
+ {
+ "Name": "additionalDetails",
+ "Value": "{\"DeviceId\":\"62eedfc0-b73c-206c-a59d-16457c7ebcd8\",\"DeviceOSType\":\"Linux\",\"DeviceTrustType\":\"\"}"
+ }
+ ],
"ItemType": "Page"
},
{
@@ -258,6 +270,12 @@ rules:
"ClientIP": "213.97.47.133",
"Operation": "PageViewed",
"CorrelationId": "622b339f-4000-a000-f25f-92b3478c7a25",
+ "ExtendedProperties": [
+ {
+ "Name": "additionalDetails",
+ "Value": "{\"DeviceId\":\"62eedfc0-b73c-206c-a59d-16457c7ebcd8\",\"DeviceOSType\":\"Linux\",\"DeviceTrustType\":\"\"}"
+ }
+ ],
"ItemType": "Page"
},
{
diff --git a/packages/o365/changelog.yml b/packages/o365/changelog.yml
index 111f7fbea5d..12ac9f5f4f0 100644
--- a/packages/o365/changelog.yml
+++ b/packages/o365/changelog.yml
@@ -1,4 +1,12 @@
# newer versions go on top
+- version: "3.0.0"
+ changes:
+ - description: Fix dynamic mapping conflict for `o365audit.ExtendedProperties.additionalDetails` field by explicitly defining it as an object.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/15981
+ - description: The `o365audit.ExtendedProperties.additionalDetails_value` field is no longer retained.
+ type: breaking-change
+ link: https://github.com/elastic/integrations/pull/15981
- version: "2.33.1"
changes:
- description: Reverts earlier `o365.audit.OperationCount` mapping change to ensure that the field remains a long.
diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-events.json-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-events.json-expected.json
index cfe06a771af..fceafd18191 100644
--- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-events.json-expected.json
+++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-events.json-expected.json
@@ -70,8 +70,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"auditEventCategory": "ApplicationManagement",
@@ -266,8 +265,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"auditEventCategory": "ApplicationManagement",
@@ -462,8 +460,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"auditEventCategory": "ApplicationManagement",
@@ -658,8 +655,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"auditEventCategory": "ApplicationManagement",
@@ -859,8 +855,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"auditEventCategory": "ApplicationManagement",
@@ -1060,8 +1055,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]",
@@ -1274,8 +1268,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]",
@@ -1488,8 +1481,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]",
@@ -1702,8 +1694,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]",
@@ -1916,8 +1907,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]",
@@ -2130,8 +2120,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]",
@@ -2344,8 +2333,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]",
@@ -2558,8 +2546,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]",
@@ -2772,8 +2759,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]",
@@ -2986,8 +2972,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]",
@@ -3200,8 +3185,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]",
@@ -3414,8 +3398,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]",
@@ -3628,8 +3611,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]",
@@ -3842,8 +3824,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"auditEventCategory": "ApplicationManagement",
@@ -4038,8 +4019,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"auditEventCategory": "ApplicationManagement",
@@ -4234,8 +4214,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"auditEventCategory": "ApplicationManagement",
@@ -4435,8 +4414,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"auditEventCategory": "ApplicationManagement",
@@ -4631,8 +4609,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"auditEventCategory": "ApplicationManagement",
@@ -4827,8 +4804,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"auditEventCategory": "ApplicationManagement",
@@ -5023,8 +4999,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"auditEventCategory": "ApplicationManagement",
@@ -5224,8 +5199,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]",
@@ -5438,8 +5412,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]",
@@ -5652,8 +5625,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]",
@@ -5866,8 +5838,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]",
@@ -6080,8 +6051,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]",
@@ -6294,8 +6264,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]",
@@ -6508,8 +6477,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]",
@@ -6722,8 +6690,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]",
@@ -6936,8 +6903,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"auditEventCategory": "ApplicationManagement",
@@ -7149,8 +7115,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"auditEventCategory": "ApplicationManagement",
@@ -7352,8 +7317,7 @@
"actorObjectId": "00000000-0000-0000-0000-000000000000",
"actorPUID": "100300008060F582",
"actorUPN": "fim_password_service@support.onmicrosoft.com",
- "additionalDetails": "{\"UserType\":\"Member\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"UserType": "Member"
},
"auditEventCategory": "UserManagement",
@@ -7529,8 +7493,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]",
@@ -7734,8 +7697,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]",
@@ -7939,8 +7901,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]",
@@ -8144,8 +8105,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]",
@@ -8358,8 +8318,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]",
@@ -8572,8 +8531,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]",
@@ -8786,8 +8744,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]",
@@ -9000,8 +8957,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]",
@@ -9214,8 +9170,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]",
@@ -9428,8 +9383,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]",
@@ -9642,8 +9596,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]",
@@ -9856,8 +9809,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]",
@@ -10070,8 +10022,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]",
@@ -10284,8 +10235,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]",
@@ -10498,8 +10448,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]",
@@ -10712,8 +10661,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"auditEventCategory": "ApplicationManagement",
@@ -10925,8 +10873,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"auditEventCategory": "ApplicationManagement",
@@ -11138,8 +11085,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]",
@@ -11343,8 +11289,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]",
@@ -11548,8 +11493,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]",
@@ -11753,8 +11697,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]",
@@ -11958,8 +11901,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]",
@@ -12172,8 +12114,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]",
@@ -12386,8 +12327,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]",
@@ -12600,8 +12540,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]",
@@ -12814,8 +12753,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]",
@@ -13028,8 +12966,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"auditEventCategory": "ApplicationManagement",
@@ -13236,8 +13173,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"auditEventCategory": "ApplicationManagement",
@@ -13444,8 +13380,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"auditEventCategory": "ApplicationManagement",
@@ -13652,8 +13587,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"auditEventCategory": "ApplicationManagement",
@@ -13860,8 +13794,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"additionalTargets": "[{\"ObjectID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"DisplayName\":\"siem2\",\"ObjectClass\":\"Application\",\"AppId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}]",
@@ -14067,8 +14000,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"auditEventCategory": "ApplicationManagement",
@@ -14291,8 +14223,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"auditEventCategory": "ApplicationManagement",
@@ -14515,8 +14446,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"auditEventCategory": "ApplicationManagement",
@@ -14739,8 +14669,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"auditEventCategory": "ApplicationManagement",
@@ -14963,8 +14892,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"auditEventCategory": "ApplicationManagement",
@@ -15150,8 +15078,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"auditEventCategory": "ApplicationManagement",
@@ -15346,8 +15273,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"auditEventCategory": "ApplicationManagement",
@@ -15542,8 +15468,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"auditEventCategory": "ApplicationManagement",
@@ -15743,8 +15668,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"auditEventCategory": "ApplicationManagement",
@@ -15944,8 +15868,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"auditEventCategory": "ApplicationManagement",
@@ -16145,8 +16068,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"auditEventCategory": "ApplicationManagement",
@@ -16341,8 +16263,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"auditEventCategory": "ApplicationManagement",
@@ -16537,8 +16458,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"auditEventCategory": "ApplicationManagement",
@@ -16733,8 +16653,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"auditEventCategory": "ApplicationManagement",
@@ -16934,8 +16853,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"auditEventCategory": "ApplicationManagement",
@@ -17135,8 +17053,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"auditEventCategory": "ApplicationManagement",
@@ -17336,8 +17253,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"additionalTargets": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":\"siem2\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Name\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}]",
@@ -17550,8 +17466,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"additionalTargets": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":\"siem2\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Name\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}]",
@@ -17764,8 +17679,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"additionalTargets": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":\"siem2\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Name\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}]",
@@ -17978,8 +17892,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"additionalTargets": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":\"siem2\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Name\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}]",
@@ -18192,8 +18105,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"additionalTargets": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":\"siem2\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Name\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}]",
@@ -18406,8 +18318,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"additionalTargets": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":\"siem2\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Name\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}]",
@@ -18620,8 +18531,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"additionalTargets": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":\"siem2\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Name\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}]",
@@ -18834,8 +18744,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"additionalTargets": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":\"siem2\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Name\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}]",
@@ -19048,8 +18957,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"additionalTargets": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]",
@@ -19253,8 +19161,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"additionalTargets": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]",
@@ -19458,8 +19365,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"additionalTargets": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]",
@@ -19663,8 +19569,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"auditEventCategory": "ApplicationManagement",
@@ -19876,8 +19781,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"auditEventCategory": "ApplicationManagement",
@@ -20089,8 +19993,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"auditEventCategory": "ApplicationManagement",
@@ -20302,8 +20205,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"additionalTargets": "[{\"ObjectID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"ObjectClass\":\"User\",\"UPN\":\"asr@testsiem.onmicrosoft.com\",\"PUID\":\"1003200096971F55\"}]",
@@ -20513,8 +20415,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"additionalTargets": "[{\"ObjectID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"ObjectClass\":\"User\",\"UPN\":\"asr@testsiem.onmicrosoft.com\",\"PUID\":\"1003200096971F55\"}]",
@@ -20724,8 +20625,7 @@
"actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b",
"actorPUID": "1003200096971F55",
"actorUPN": "asr@testsiem.onmicrosoft.com",
- "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"additionalTargets": "[{\"ObjectID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"ObjectClass\":\"User\",\"UPN\":\"asr@testsiem.onmicrosoft.com\",\"PUID\":\"1003200096971F55\"}]",
@@ -20919,8 +20819,7 @@
"AzureActiveDirectoryEventType": "1",
"CreationTime": "2025-10-07T08:22:33",
"ExtendedProperties": {
- "additionalDetails": "{\"DeviceId\":\"62eedfc0-b73c-206c-a59d-16457c7ebcd8\",\"DeviceOSType\":\"Linux\",\"DeviceTrustType\":\"\"}",
- "additionalDetails_value": {
+ "additionalDetails": {
"DeviceId": "62eedfc0-b73c-206c-a59d-16457c7ebcd8",
"DeviceOSType": "Linux"
},
diff --git a/packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
index 52bce7ee571..b0eb19fdd94 100644
--- a/packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
@@ -1781,20 +1781,22 @@ processors:
- json:
tag: json-extract-stringly-ExtendedProperties-additionalDetails
field: o365audit.ExtendedProperties.additionalDetails
- target_field: o365audit.ExtendedProperties.additionalDetails_value
if: ctx.o365audit?.ExtendedProperties?.additionalDetails instanceof String
on_failure:
+ - remove:
+ field: o365audit.ExtendedProperties.additionalDetails
+ ignore_missing: true
- append:
field: error.message
value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- set:
field: device.id
- copy_from: o365audit.ExtendedProperties.additionalDetails_value.DeviceId
- tag: set_device_id_from_additionalDetails_value_DeviceID
+ copy_from: o365audit.ExtendedProperties.additionalDetails.DeviceId
+ tag: set_device_id_from_additionalDetails_DeviceID
ignore_empty_value: true
override: false
- user_agent:
- field: o365audit.ExtendedProperties.additionalDetails_value.User-Agent
+ field: o365audit.ExtendedProperties.additionalDetails.User-Agent
if: ctx.user_agent == null
ignore_missing: true
- set:
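Review bot: The new `on_failure` handler on the `json` processor tagged `json-extract-stringly-ExtendedProperties-additionalDetails` drops `o365audit.ExtendedProperties.additionalDetails` outright when the string is not valid JSON, so the only trace of an unparseable value is the generic `error.message` entry; for an identity/audit source the unparsed payload is worth keeping for triage. The removal itself looks necessary now that the field is mapped as an object (a leftover string value would conflict with that mapping), but a rename to a sibling keyword field preserves the evidence: change `- remove:` to `- rename:` and add `target_field: o365audit.ExtendedProperties.additionalDetails_raw` beneath it, keeping `ignore_missing: true`; the `ExtendedProperties.*` wildcard mapping in fields.yml would then index it as keyword. `event.original` does carry the raw record in the sample event, but its presence usually depends on the preserve-original setting, so it is not a reliable fallback. The `processors` list continues on both sides of this hunk.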
diff --git a/packages/o365/data_stream/audit/fields/fields.yml b/packages/o365/data_stream/audit/fields/fields.yml
index 10e83e62590..a36a98acf38 100644
--- a/packages/o365/data_stream/audit/fields/fields.yml
+++ b/packages/o365/data_stream/audit/fields/fields.yml
@@ -344,6 +344,10 @@
type: keyword
- name: ExtendedProperties.RequestType
type: keyword
+ - name: ExtendedProperties.additionalDetails
+ type: object
+ object_type: keyword
+ object_type_mapping_type: '*'
- name: ExtendedProperties.*
type: object
object_type: keyword
diff --git a/packages/o365/data_stream/audit/sample_event.json b/packages/o365/data_stream/audit/sample_event.json
index 48fd9fa3390..9e5e28312d5 100644
--- a/packages/o365/data_stream/audit/sample_event.json
+++ b/packages/o365/data_stream/audit/sample_event.json
@@ -1,11 +1,11 @@
{
"@timestamp": "2020-02-07T16:43:53.000Z",
"agent": {
- "ephemeral_id": "0fae8f43-555e-442c-8bab-b4d94a242c0c",
- "id": "e4cf7f28-686a-4368-9358-40ff46ad9439",
- "name": "elastic-agent-59484",
+ "ephemeral_id": "d490a7cf-82e9-46a0-b646-a5986c8a80e9",
+ "id": "5e2021d7-c893-4c52-8847-82c00f5b1a8f",
+ "name": "elastic-agent-56140",
"type": "filebeat",
- "version": "8.18.0"
+ "version": "8.19.7"
},
"client": {
"address": "213.97.47.133",
@@ -13,16 +13,19 @@
},
"data_stream": {
"dataset": "o365.audit",
- "namespace": "98158",
+ "namespace": "34703",
"type": "logs"
},
+ "device": {
+ "id": "62eedfc0-b73c-206c-a59d-16457c7ebcd8"
+ },
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
- "id": "e4cf7f28-686a-4368-9358-40ff46ad9439",
- "snapshot": false,
- "version": "8.18.0"
+ "id": "5e2021d7-c893-4c52-8847-82c00f5b1a8f",
+ "snapshot": true,
+ "version": "8.19.7"
},
"event": {
"action": "PageViewed",
@@ -33,9 +36,9 @@
"code": "SharePoint",
"dataset": "o365.audit",
"id": "99d005e6-a4c6-46fd-117c-08d7abeceab5",
- "ingested": "2025-08-19T00:34:05Z",
+ "ingested": "2025-11-19T07:02:50Z",
"kind": "event",
- "original": "{\"ClientIP\":\"213.97.47.133\",\"CorrelationId\":\"622b339f-4000-a000-f25f-92b3478c7a25\",\"CreationTime\":\"2020-02-07T16:43:53\",\"CustomUniqueId\":true,\"EventSource\":\"SharePoint\",\"Id\":\"99d005e6-a4c6-46fd-117c-08d7abeceab5\",\"ItemType\":\"Page\",\"ListItemUniqueId\":\"59a8433d-9bb8-cfef-6edc-4c0fc8b86875\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx\",\"Operation\":\"PageViewed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":4,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}",
+ "original": "{\"ClientIP\":\"213.97.47.133\",\"CorrelationId\":\"622b339f-4000-a000-f25f-92b3478c7a25\",\"CreationTime\":\"2020-02-07T16:43:53\",\"CustomUniqueId\":true,\"EventSource\":\"SharePoint\",\"ExtendedProperties\":[{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"DeviceId\\\":\\\"62eedfc0-b73c-206c-a59d-16457c7ebcd8\\\",\\\"DeviceOSType\\\":\\\"Linux\\\",\\\"DeviceTrustType\\\":\\\"\\\"}\"}],\"Id\":\"99d005e6-a4c6-46fd-117c-08d7abeceab5\",\"ItemType\":\"Page\",\"ListItemUniqueId\":\"59a8433d-9bb8-cfef-6edc-4c0fc8b86875\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx\",\"Operation\":\"PageViewed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":4,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}",
"outcome": "success",
"provider": "OneDrive",
"type": [
@@ -58,6 +61,12 @@
"CreationTime": "2020-02-07T16:43:53",
"CustomUniqueId": true,
"EventSource": "SharePoint",
+ "ExtendedProperties": {
+ "additionalDetails": {
+ "DeviceId": "62eedfc0-b73c-206c-a59d-16457c7ebcd8",
+ "DeviceOSType": "Linux"
+ }
+ },
"ItemType": "Page",
"ListItemUniqueId": "59a8433d-9bb8-cfef-6edc-4c0fc8b86875",
"ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx",
diff --git a/packages/o365/docs/README.md b/packages/o365/docs/README.md
index d9721b559ee..bc102b40a8d 100644
--- a/packages/o365/docs/README.md
+++ b/packages/o365/docs/README.md
@@ -103,11 +103,11 @@ An example event for `audit` looks as following:
{
"@timestamp": "2020-02-07T16:43:53.000Z",
"agent": {
- "ephemeral_id": "0fae8f43-555e-442c-8bab-b4d94a242c0c",
- "id": "e4cf7f28-686a-4368-9358-40ff46ad9439",
- "name": "elastic-agent-59484",
+ "ephemeral_id": "d490a7cf-82e9-46a0-b646-a5986c8a80e9",
+ "id": "5e2021d7-c893-4c52-8847-82c00f5b1a8f",
+ "name": "elastic-agent-56140",
"type": "filebeat",
- "version": "8.18.0"
+ "version": "8.19.7"
},
"client": {
"address": "213.97.47.133",
@@ -115,16 +115,19 @@ An example event for `audit` looks as following:
},
"data_stream": {
"dataset": "o365.audit",
- "namespace": "98158",
+ "namespace": "34703",
"type": "logs"
},
+ "device": {
+ "id": "62eedfc0-b73c-206c-a59d-16457c7ebcd8"
+ },
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
- "id": "e4cf7f28-686a-4368-9358-40ff46ad9439",
- "snapshot": false,
- "version": "8.18.0"
+ "id": "5e2021d7-c893-4c52-8847-82c00f5b1a8f",
+ "snapshot": true,
+ "version": "8.19.7"
},
"event": {
"action": "PageViewed",
@@ -135,9 +138,9 @@ An example event for `audit` looks as following:
"code": "SharePoint",
"dataset": "o365.audit",
"id": "99d005e6-a4c6-46fd-117c-08d7abeceab5",
- "ingested": "2025-08-19T00:34:05Z",
+ "ingested": "2025-11-19T07:02:50Z",
"kind": "event",
- "original": "{\"ClientIP\":\"213.97.47.133\",\"CorrelationId\":\"622b339f-4000-a000-f25f-92b3478c7a25\",\"CreationTime\":\"2020-02-07T16:43:53\",\"CustomUniqueId\":true,\"EventSource\":\"SharePoint\",\"Id\":\"99d005e6-a4c6-46fd-117c-08d7abeceab5\",\"ItemType\":\"Page\",\"ListItemUniqueId\":\"59a8433d-9bb8-cfef-6edc-4c0fc8b86875\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx\",\"Operation\":\"PageViewed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":4,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}",
+ "original": "{\"ClientIP\":\"213.97.47.133\",\"CorrelationId\":\"622b339f-4000-a000-f25f-92b3478c7a25\",\"CreationTime\":\"2020-02-07T16:43:53\",\"CustomUniqueId\":true,\"EventSource\":\"SharePoint\",\"ExtendedProperties\":[{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"DeviceId\\\":\\\"62eedfc0-b73c-206c-a59d-16457c7ebcd8\\\",\\\"DeviceOSType\\\":\\\"Linux\\\",\\\"DeviceTrustType\\\":\\\"\\\"}\"}],\"Id\":\"99d005e6-a4c6-46fd-117c-08d7abeceab5\",\"ItemType\":\"Page\",\"ListItemUniqueId\":\"59a8433d-9bb8-cfef-6edc-4c0fc8b86875\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx\",\"Operation\":\"PageViewed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":4,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}",
"outcome": "success",
"provider": "OneDrive",
"type": [
@@ -160,6 +163,12 @@ An example event for `audit` looks as following:
"CreationTime": "2020-02-07T16:43:53",
"CustomUniqueId": true,
"EventSource": "SharePoint",
+ "ExtendedProperties": {
+ "additionalDetails": {
+ "DeviceId": "62eedfc0-b73c-206c-a59d-16457c7ebcd8",
+ "DeviceOSType": "Linux"
+ }
+ },
"ItemType": "Page",
"ListItemUniqueId": "59a8433d-9bb8-cfef-6edc-4c0fc8b86875",
"ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx",
@@ -377,6 +386,7 @@ An example event for `audit` looks as following:
| o365.audit.Experience | | keyword |
| o365.audit.ExtendedProperties.\* | | object |
| o365.audit.ExtendedProperties.RequestType | | keyword |
+| o365.audit.ExtendedProperties.additionalDetails | | object |
| o365.audit.ExternalAccess | | boolean |
| o365.audit.FileExtension | | keyword |
| o365.audit.FileSize | | keyword |
diff --git a/packages/o365/manifest.yml b/packages/o365/manifest.yml
index 8590362f1ae..d606c2791e0 100644
--- a/packages/o365/manifest.yml
+++ b/packages/o365/manifest.yml
@@ -1,6 +1,6 @@
name: o365
title: Microsoft Office 365
-version: "2.33.1"
+version: "3.0.0"
description: Collect logs from Microsoft Office 365 with Elastic Agent.
type: integration
format_version: "3.2.3"
diff --git a/packages/salesforce/_dev/build/docs/README.md b/packages/salesforce/_dev/build/docs/README.md
index fecad95bd90..323400bdd11 100644
--- a/packages/salesforce/_dev/build/docs/README.md
+++ b/packages/salesforce/_dev/build/docs/README.md
@@ -23,12 +23,12 @@ The Salesforce integration collects the following data streams:
The Salesforce integration collects the following events using the Salesforce REST API:
-- [Login EventLogFile](https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_eventlogfile_login.htm)
-- [Login Platform Events](https://developer.salesforce.com/docs/atlas.en-us.236.0.platform_events.meta/platform_events/sforce_api_objects_logineventstream.htm)
-- [Logout EventLogFile](https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_eventlogfile_logout.htm)
-- [Logout Platform Events](https://developer.salesforce.com/docs/atlas.en-us.platform_events.meta/platform_events/sforce_api_objects_logouteventstream.htm)
-- [Apex EventLogFile](https://developer.salesforce.com/docs/atlas.en-us.238.0.object_reference.meta/object_reference/sforce_api_objects_apexclass.htm)
-- [SetupAuditTrail Object](https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_setupaudittrail.htm)
+- [Login EventLogFile](https://developer.salesforce.com/docs/atlas.en-us.object\_reference.meta/object\_reference/sforce\_api\_objects\_eventlogfile\_login.htm)
+- [Login Platform Events](https://developer.salesforce.com/docs/atlas.en-us.236.0.platform\_events.meta/platform\_events/sforce\_api\_objects\_logineventstream.htm)
+- [Logout EventLogFile](https://developer.salesforce.com/docs/atlas.en-us.object\_reference.meta/object\_reference/sforce\_api\_objects\_eventlogfile\_logout.htm)
+- [Logout Platform Events](https://developer.salesforce.com/docs/atlas.en-us.platform\_events.meta/platform\_events/sforce\_api\_objects\_logouteventstream.htm)
+- [Apex EventLogFile](https://developer.salesforce.com/docs/atlas.en-us.238.0.object\_reference.meta/object\_reference/sforce\_api\_objects\_apexclass.htm)
+- [SetupAuditTrail Object](https://developer.salesforce.com/docs/atlas.en-us.object\_reference.meta/object\_reference/sforce\_api\_objects\_setupaudittrail.htm)
## Compatibility
diff --git a/packages/salesforce/changelog.yml b/packages/salesforce/changelog.yml
index 8c8ec522f08..0c0c000a4d0 100644
--- a/packages/salesforce/changelog.yml
+++ b/packages/salesforce/changelog.yml
@@ -1,4 +1,14 @@
# newer versions go on top
+- version: "1.6.0"
+ changes:
+ - description: Improve documentation
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/16023
+- version: "1.5.0"
+ changes:
+ - description: Improve documentation
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/16011
- version: "1.4.1"
changes:
- description: Fix query cursor for `setupaudittrail`
diff --git a/packages/salesforce/docs/README.md b/packages/salesforce/docs/README.md
index 4c69fedd25d..a0f56d9206f 100644
--- a/packages/salesforce/docs/README.md
+++ b/packages/salesforce/docs/README.md
@@ -23,12 +23,12 @@ The Salesforce integration collects the following data streams:
The Salesforce integration collects the following events using the Salesforce REST API:
-- [Login EventLogFile](https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_eventlogfile_login.htm)
-- [Login Platform Events](https://developer.salesforce.com/docs/atlas.en-us.236.0.platform_events.meta/platform_events/sforce_api_objects_logineventstream.htm)
-- [Logout EventLogFile](https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_eventlogfile_logout.htm)
-- [Logout Platform Events](https://developer.salesforce.com/docs/atlas.en-us.platform_events.meta/platform_events/sforce_api_objects_logouteventstream.htm)
-- [Apex EventLogFile](https://developer.salesforce.com/docs/atlas.en-us.238.0.object_reference.meta/object_reference/sforce_api_objects_apexclass.htm)
-- [SetupAuditTrail Object](https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_setupaudittrail.htm)
+- [Login EventLogFile](https://developer.salesforce.com/docs/atlas.en-us.object\_reference.meta/object\_reference/sforce\_api\_objects\_eventlogfile\_login.htm)
+- [Login Platform Events](https://developer.salesforce.com/docs/atlas.en-us.236.0.platform\_events.meta/platform\_events/sforce\_api\_objects\_logineventstream.htm)
+- [Logout EventLogFile](https://developer.salesforce.com/docs/atlas.en-us.object\_reference.meta/object\_reference/sforce\_api\_objects\_eventlogfile\_logout.htm)
+- [Logout Platform Events](https://developer.salesforce.com/docs/atlas.en-us.platform\_events.meta/platform\_events/sforce\_api\_objects\_logouteventstream.htm)
+- [Apex EventLogFile](https://developer.salesforce.com/docs/atlas.en-us.238.0.object\_reference.meta/object\_reference/sforce\_api\_objects\_apexclass.htm)
+- [SetupAuditTrail Object](https://developer.salesforce.com/docs/atlas.en-us.object\_reference.meta/object\_reference/sforce\_api\_objects\_setupaudittrail.htm)
## Compatibility
diff --git a/packages/salesforce/manifest.yml b/packages/salesforce/manifest.yml
index e5ec1d856be..4334cc145d3 100644
--- a/packages/salesforce/manifest.yml
+++ b/packages/salesforce/manifest.yml
@@ -1,7 +1,7 @@
format_version: 3.0.2
name: salesforce
title: Salesforce
-version: "1.4.1"
+version: "1.6.0"
description: |
Collect logs from Salesforce instances using the Elastic Agent. This integration enables monitoring and analysis of various Salesforce logs, including Login, Logout, Setup Audit Trail, and Apex execution logs. Gain insights into user activity, security events, and application performance.
type: integration
diff --git a/packages/system/changelog.yml b/packages/system/changelog.yml
index 1cb369db833..a9318d7cbcf 100644
--- a/packages/system/changelog.yml
+++ b/packages/system/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
+- version: "2.7.2"
+ changes:
+ - description: Fixed parsing of SidList field in Windows Security event 4908 (Special Groups Logon table modified) by normalizing whitespace separators.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/15797
- version: "2.7.1"
changes:
- description: Fix network data stream interface filtering by populating both legacy top-level `interfaces` and nested `network.interfaces` fields.
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4908.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4908.json
new file mode 100644
index 00000000000..cbe590774c5
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4908.json
@@ -0,0 +1,46 @@
+{
+ "events": [
+ {
+ "@timestamp": "2020-08-19T06:07:25.0461779Z",
+ "event": {
+ "action": "Audit Policy Change",
+ "code": "4908",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing"
+ },
+ "host": {
+ "name": "WIN-BVM4LI1L1Q6.TEST.local"
+ },
+ "log": {
+ "level": "information"
+ },
+ "labels": {
+ "origin": "https://github.com/elastic/beats/commit/dd7a1b3808eb98e77fb49b268cd3764cc17eff5b"
+ },
+ "message": "Special Groups Logon table modified.\n\nSpecial Groups:\t\n\t\t%{S-1-5-32-544}\n\t\t%{S-1-5-32-123-54-65}\n\nThis event is generated when the list of special groups is updated in the registry or through security policy. The updated list of special groups is indicated in the event.",
+ "winlog": {
+ "channel": "Security",
+ "computer_name": "WIN-BVM4LI1L1Q6.TEST.local",
+ "event_data": {
+ "SidList": "\n\t\t%{S-1-5-32-544}\n\t\t%{S-1-5-32-123-54-65}"
+ },
+ "event_id": "4908",
+ "keywords": [
+ "Audit Success"
+ ],
+ "opcode": "Info",
+ "process": {
+ "pid": 784,
+ "thread": {
+ "id": 808
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": 140274,
+ "task": "Audit Policy Change"
+ }
+ }
+ ]
+}
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4908.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4908.json-expected.json
new file mode 100644
index 00000000000..2a76f919143
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4908.json-expected.json
@@ -0,0 +1,64 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2020-08-19T06:07:25.0461779Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "special-group-table-changed",
+ "category": [
+ "iam",
+ "configuration"
+ ],
+ "code": "4908",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "admin",
+ "change"
+ ]
+ },
+ "host": {
+ "name": "WIN-BVM4LI1L1Q6.TEST.local"
+ },
+ "labels": {
+ "origin": "https://github.com/elastic/beats/commit/dd7a1b3808eb98e77fb49b268cd3764cc17eff5b"
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "Special Groups Logon table modified.\n\nSpecial Groups:\t\n\t\t%{S-1-5-32-544}\n\t\t%{S-1-5-32-123-54-65}\n\nThis event is generated when the list of special groups is updated in the registry or through security policy. The updated list of special groups is indicated in the event.",
+ "winlog": {
+ "channel": "Security",
+ "computer_name": "WIN-BVM4LI1L1Q6.TEST.local",
+ "event_data": {
+ "SidList": [
+ "%{S-1-5-32-544}",
+ "%{S-1-5-32-123-54-65}"
+ ],
+ "SidListDesc": [
+ "Administrators",
+ "S-1-5-32-123-54-65"
+ ]
+ },
+ "event_id": "4908",
+ "keywords": [
+ "Audit Success"
+ ],
+ "opcode": "Info",
+ "process": {
+ "pid": 784,
+ "thread": {
+ "id": 808
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "140274",
+ "task": "Audit Policy Change"
+ }
+ }
+ ]
+}
diff --git a/packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml b/packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml
index cbb0aac5045..bf68d2fc77f 100644
--- a/packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml
+++ b/packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml
@@ -4432,7 +4432,12 @@ processors:
ctx.winlog?.event_data?.OldTargetUserName != null &&
ctx.winlog.event_data.OldTargetUserName != "-"
-
+ - gsub:
+ description: Normalize separators in the SidList value.
+ field: winlog.event_data.SidList
+ pattern: '\s+'
+ replacement: ' '
+ ignore_missing: true
- script:
lang: painless
ignore_failure: false
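Review bot: The new gsub collapses every whitespace run, including the leading `\n\t\t` that the fixture's SidList value starts with, so the field becomes ` %{S-1-5-32-544} %{S-1-5-32-123-54-65}` with a leading separator; unless the following script (its body lies outside this hunk) trims before splitting, that yields an empty first SID and shifts the SidListDesc mapping, which matters for a 4908 Special Groups detection. Anchoring the pattern or trimming afterwards removes that dependency, e.g. a `- trim:` processor with `field: winlog.event_data.SidList` and `ignore_missing: true` placed directly after the gsub. The description could also state the reason: `description: Normalize separators in the SidList value (event 4908 delivers SIDs separated by newlines and tabs).` Note that `ignore_missing` does not cover a SidList that arrives as a non-string value; if that can happen, gsub will fail the document.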
diff --git a/packages/system/manifest.yml b/packages/system/manifest.yml
index 17fe053a008..922c6108b70 100644
--- a/packages/system/manifest.yml
+++ b/packages/system/manifest.yml
@@ -1,7 +1,7 @@
format_version: 3.0.2
name: system
title: System
-version: "2.7.1"
+version: "2.7.2"
description: Collect system logs and metrics from your servers with Elastic Agent.
type: integration
categories:
diff --git a/packages/tenable_sc/changelog.yml b/packages/tenable_sc/changelog.yml
index 0ac0dee962a..e257bf9ed0d 100644
--- a/packages/tenable_sc/changelog.yml
+++ b/packages/tenable_sc/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
+- version: "1.32.1"
+ changes:
+ - description: Fix handling of vulnerablity documents that do not contain a seeAlso field.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/16014
- version: "1.32.0"
changes:
- description: Prevent updating fleet health status to degraded.
diff --git a/packages/tenable_sc/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log b/packages/tenable_sc/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log
index 4ac24ef475f..6b265172220 100644
--- a/packages/tenable_sc/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log
+++ b/packages/tenable_sc/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log
@@ -3,4 +3,5 @@
{"pluginID":"10114","severity":{"id":"0","name":"Info","description":"Informative"},"hasBeenMitigated":"0","acceptRisk":"0","recastRisk":"0","ip":"10.238.64.1","uuid":"","port":"0","protocol":"ICMP","pluginName":"ICMP Timestamp Request Remote Date Disclosure","firstSeen":"1551284872","lastSeen":"1632586125","exploitAvailable":"No","exploitEase":"","exploitFrameworks":"","synopsis":"It is possible to determine the exact time set on the remote host.","description":"The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that is set on the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-based authentication protocols.\n\nTimestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect, but usually within 1000 seconds of the actual system time.","solution":"Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).","seeAlso":"","riskFactor":"None","stigSeverity":"","vprScore":"0.8","vprContext":"[{\"id\":\"age_of_vuln\",\"name\":\"Vulnerability Age\",\"type\":\"string\",\"value\":\"730 days +\"},{\"id\":\"cvssV3_impactScore\",\"name\":\"CVSS v3 Impact Score\",\"type\":\"number\",\"value\":0},{\"id\":\"exploit_code_maturity\",\"name\":\"Exploit Code Maturity\",\"type\":\"string\",\"value\":\"Unproven\"},{\"id\":\"product_coverage\",\"name\":\"Product Coverage\",\"type\":\"string\",\"value\":\"Very High\"},{\"id\":\"threat_intensity_last_28\",\"name\":\"Threat Intensity\",\"type\":\"string\",\"value\":\"Very Low\"},{\"id\":\"threat_recency\",\"name\":\"Threat Recency\",\"type\":\"string\",\"value\":\"No recorded events\"},{\"id\":\"threat_sources_last_28\",\"name\":\"Threat Sources\",\"type\":\"string\",\"value\":\"No recorded 
events\"}]","baseScore":"0.0","temporalScore":"","cvssVector":"AV:L/AC:L/Au:N/C:N/I:N/A:N","cvssV3BaseScore":"0.0","cvssV3TemporalScore":"","cvssV3Vector":"AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N","cpe":"","vulnPubDate":"788961600","patchPubDate":"-1","pluginPubDate":"933508800","pluginModDate":"1570190400","checkType":"remote","version":"1.48","cve":"CVE-1999-0524","bid":"","xref":"CWE #200","pluginText":"The remote clock is synchronized with the local clock.\n","dnsName":"_gateway.lxd","macAddress":"00:16:3e:a1:12:f7","netbiosName":"","operatingSystem":"Linux Kernel 2.6","ips":"10.238.64.1","hostUniqueness":"repositoryID,ip,dnsName","uniqueness":"repositoryID,ip,dnsName","family":{"id":"30","name":"General","type":"active"},"repository":{"id":"1","name":"Live","description":"","sciID":"1","dataFormat":"IPv4"},"pluginInfo":"10114 (0/1) ICMP Timestamp Request Remote Date Disclosure"}
{"pluginID":"128375","severity":{"id":"3","name":"High","description":"High Severity"},"hasBeenMitigated":"0","acceptRisk":"0","recastRisk":"0","ip":"10.238.64.9","uuid":"","port":"0","protocol":"TCP","pluginName":"CentOS 7 : elfutils (CESA-2019:2197)","firstSeen":"1567267631","lastSeen":"1635610340","exploitAvailable":"No","exploitEase":"No known exploits are available","exploitFrameworks":"","synopsis":"The remote CentOS host is missing one or more security updates.","description":"An update for elfutils is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link (s) in the References section.\n\nThe elfutils packages contain a number of utility programs and libraries related to the creation and maintenance of executable code.\n\nThe following packages have been upgraded to a later upstream version:\nelfutils (0.176). 
(BZ#1676504)\n\nSecurity Fix(es) :\n\n* elfutils: Heap-based buffer over-read in libdw/ dwarf_getaranges.c:dwarf_getaranges() via crafted file (CVE-2018-16062)\n\n* elfutils: Double-free due to double decompression of sections in crafted ELF causes crash (CVE-2018-16402)\n\n* elfutils: Heap-based buffer over-read in libdw/dwarf_getabbrev.c and libwd/ dwarf_hasattr.c causes crash (CVE-2018-16403)\n\n* elfutils: invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl (CVE-2018-18310)\n\n* elfutils: eu-size cannot handle recursive ar files (CVE-2018-18520)\n\n* elfutils: Divide-by-zero in arlib_add_symbols function in arlib.c (CVE-2018-18521)\n\n* elfutils: heap-based buffer over-read in read_srclines in dwarf_getsrclines.c in libdw (CVE-2019-7149)\n\n* elfutils: segmentation fault in elf64_xlatetom in libelf/elf32_xlatetom.c (CVE-2019-7150)\n\n* elfutils: Out of bound write in elf_cvt_note in libelf/note_xlate.h (CVE-2019-7664)\n\n* elfutils: heap-based buffer over-read in function elf32_xlatetom in elf32_xlatetom.c (CVE-2019-7665)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes :\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.","solution":"Update the affected elfutils packages.","seeAlso":"http://www.nessus.org/u?296c7414","riskFactor":"High","stigSeverity":"","vprScore":"5.9","vprContext":"[{\"id\":\"age_of_vuln\",\"name\":\"Vulnerability Age\",\"type\":\"string\",\"value\":\"730 days +\"},{\"id\":\"cvssV3_impactScore\",\"name\":\"CVSS v3 Impact Score\",\"type\":\"number\",\"value\":5.9000000000000004},{\"id\":\"exploit_code_maturity\",\"name\":\"Exploit Code Maturity\",\"type\":\"string\",\"value\":\"Unproven\"},{\"id\":\"product_coverage\",\"name\":\"Product 
Coverage\",\"type\":\"string\",\"value\":\"Low\"},{\"id\":\"threat_intensity_last_28\",\"name\":\"Threat Intensity\",\"type\":\"string\",\"value\":\"Very Low\"},{\"id\":\"threat_recency\",\"name\":\"Threat Recency\",\"type\":\"string\",\"value\":\"No recorded events\"},{\"id\":\"threat_sources_last_28\",\"name\":\"Threat Sources\",\"type\":\"string\",\"value\":\"No recorded events\"}]","baseScore":"7.5","temporalScore":"5.5","cvssVector":"AV:N/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C","cvssV3BaseScore":"9.8","cvssV3TemporalScore":"8.5","cvssV3Vector":"AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C","cpe":"p-cpe:/a:centos:centos:elfutils
p-cpe:/a:centos:centos:elfutils-default-yama-scope
p-cpe:/a:centos:centos:elfutils-devel
p-cpe:/a:centos:centos:elfutils-devel-static
p-cpe:/a:centos:centos:elfutils-libelf
p-cpe:/a:centos:centos:elfutils-libelf-devel
p-cpe:/a:centos:centos:elfutils-libelf-devel-static
p-cpe:/a:centos:centos:elfutils-libs
cpe:/o:centos:centos:7","vulnPubDate":"1535544000","patchPubDate":"1567080000","pluginPubDate":"1567166400","pluginModDate":"1577793600","checkType":"local","version":"1.3","cve":"CVE-2018-16062,CVE-2018-16402,CVE-2018-16403,CVE-2018-18310,CVE-2018-18520,CVE-2018-18521,CVE-2019-7149,CVE-2019-7150,CVE-2019-7664,CVE-2019-7665","bid":"","xref":"RHSA #2019:2197","pluginText":"\nRemote package installed : elfutils-default-yama-scope-0.172-2.el7\nShould be : elfutils-default-yama-scope-0.176-2.el7\n\nRemote package installed : elfutils-libelf-0.172-2.el7\nShould be : elfutils-libelf-0.176-2.el7\n\nRemote package installed : elfutils-libs-0.172-2.el7\nShould be : elfutils-libs-0.176-2.el7\n\n\nNOTE: The security advisory associated with this vulnerability has a\nfixed package version that may only be available in the continuous\nrelease (CR) repository for CentOS, until it is present in the next\npoint release of CentOS.\n\nIf an equal or higher package level does not exist in the baseline\nrepository for your major version of CentOS, then updates from the CR\nrepository will need to be applied in order to address the\nvulnerability.\n","dnsName":"target-cent7.lxd","macAddress":"00:16:3e:5d:7a:71","netbiosName":"","operatingSystem":"Linux Kernel 5.8.0-1035-aws on CentOS Linux release 7.6.1810 (Core)","ips":"10.238.64.9","hostUniqueness":"repositoryID,ip,dnsName","uniqueness":"repositoryID,ip,dnsName","family":{"id":"18","name":"CentOS Local Security Checks","type":"active"},"repository":{"id":"1","name":"Live","description":"","sciID":"1","dataFormat":"IPv4"},"pluginInfo":"128375 (0/6) CentOS 7 : elfutils (CESA-2019:2197)"}
{"pluginID":"135358","severity":{"id":"2","name":"Medium","description":"Medium Severity"},"hasBeenMitigated":"0","acceptRisk":"0","recastRisk":"0","ip":"10.238.64.9","uuid":"","port":"0","protocol":"TCP","pluginName":"CentOS 7 : libxml2 (CESA-2020:1190)","firstSeen":"1616256379","lastSeen":"1635610340","exploitAvailable":"No","exploitEase":"No known exploits are available","exploitFrameworks":"","synopsis":"The remote CentOS Linux host is missing one or more security updates.","description":"The remote CentOS Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2020:1190 advisory.\n\n - libxml2: DoS caused by incorrect error detection during XZ decompression (CVE-2015-8035)\n\n - libxml2: Use after free triggered by XPointer paths beginning with range-to (CVE-2016-5131)\n\n - libxml2: Use after free in xmlXPathCompOpEvalPositionalPredicate() function in xpath.c (CVE-2017-15412)\n\n - libxml2: Unrestricted memory usage in xz_head() function in xzlib.c (CVE-2017-18258)\n\n - libxml2: NULL pointer dereference in xmlXPathCompOpEval() function in xpath.c (CVE-2018-14404)\n\n - libxml2: Infinite loop caused by incorrect error detection during LZMA decompression (CVE-2018-14567)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.","solution":"Update the affected packages.","seeAlso":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8035\nhttp://www.nessus.org/u?2ed8ea19\nhttps://cwe.mitre.org/data/definitions/252.html\nhttps://cwe.mitre.org/data/definitions/400.html\nhttps://cwe.mitre.org/data/definitions/476.html","riskFactor":"Medium","stigSeverity":"","vprScore":"6.7","vprContext":"[{\"id\":\"age_of_vuln\",\"name\":\"Vulnerability Age\",\"type\":\"string\",\"value\":\"730 days +\"},{\"id\":\"cvssV3_impactScore\",\"name\":\"CVSS v3 Impact 
Score\",\"type\":\"number\",\"value\":5.9000000000000004},{\"id\":\"exploit_code_maturity\",\"name\":\"Exploit Code Maturity\",\"type\":\"string\",\"value\":\"Unproven\"},{\"id\":\"product_coverage\",\"name\":\"Product Coverage\",\"type\":\"string\",\"value\":\"Very High\"},{\"id\":\"threat_intensity_last_28\",\"name\":\"Threat Intensity\",\"type\":\"string\",\"value\":\"Very Low\"},{\"id\":\"threat_recency\",\"name\":\"Threat Recency\",\"type\":\"string\",\"value\":\"> 365 days\"},{\"id\":\"threat_sources_last_28\",\"name\":\"Threat Sources\",\"type\":\"string\",\"value\":\"No recorded events\"}]","baseScore":"6.8","temporalScore":"5.0","cvssVector":"AV:N/AC:M/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C","cvssV3BaseScore":"8.8","cvssV3TemporalScore":"7.7","cvssV3Vector":"AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C","cpe":"p-cpe:/a:centos:centos:libxml2
p-cpe:/a:centos:centos:libxml2-devel
p-cpe:/a:centos:centos:libxml2-python
p-cpe:/a:centos:centos:libxml2-static
cpe:/o:centos:centos:7","vulnPubDate":"1446465600","patchPubDate":"1586347200","pluginPubDate":"1586520000","pluginModDate":"1615896000","checkType":"local","version":"1.4","cve":"CVE-2015-8035,CVE-2016-5131,CVE-2017-15412,CVE-2017-18258,CVE-2018-14404,CVE-2018-14567","bid":"","xref":"RHSA #2020:1190,CWE #252,CWE #400,CWE #476","pluginText":"\nRemote package installed : libxml2-2.9.1-6.el7_2.3\nShould be : libxml2-2.9.1-6.el7.4\n\n\nNOTE: The security advisory associated with this vulnerability has a\nfixed package version that may only be available in the continuous\nrelease (CR) repository for CentOS, until it is present in the next\npoint release of CentOS.\n\nIf an equal or higher package level does not exist in the baseline\nrepository for your major version of CentOS, then updates from the CR\nrepository will need to be applied in order to address the\nvulnerability.\n","dnsName":"target-cent7.lxd","macAddress":"00:16:3e:5d:7a:71","netbiosName":"","operatingSystem":"Linux Kernel 5.8.0-1035-aws on CentOS Linux release 7.6.1810 (Core)","ips":"10.238.64.9","hostUniqueness":"repositoryID,ip,dnsName","uniqueness":"repositoryID,ip,dnsName","family":{"id":"18","name":"CentOS Local Security Checks","type":"active"},"repository":{"id":"1","name":"Live","description":"","sciID":"1","dataFormat":"IPv4"},"pluginInfo":"135358 (0/6) CentOS 7 : libxml2 (CESA-2020:1190)"}
+{"pluginID":"135358","severity":{"id":"2","name":"Medium","description":"Medium Severity"},"hasBeenMitigated":"0","acceptRisk":"0","recastRisk":"0","ip":"10.238.64.9","uuid":"","port":"0","protocol":"TCP","pluginName":"CentOS 7 : libxml2 (CESA-2020:1190)","firstSeen":"1616256379","lastSeen":"1635610340","exploitAvailable":"No","exploitEase":"No known exploits are available","exploitFrameworks":"","synopsis":"The remote CentOS Linux host is missing one or more security updates.","description":"The remote CentOS Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2020:1190 advisory.\n\n - libxml2: DoS caused by incorrect error detection during XZ decompression (CVE-2015-8035)\n\n - libxml2: Use after free triggered by XPointer paths beginning with range-to (CVE-2016-5131)\n\n - libxml2: Use after free in xmlXPathCompOpEvalPositionalPredicate() function in xpath.c (CVE-2017-15412)\n\n - libxml2: Unrestricted memory usage in xz_head() function in xzlib.c (CVE-2017-18258)\n\n - libxml2: NULL pointer dereference in xmlXPathCompOpEval() function in xpath.c (CVE-2018-14404)\n\n - libxml2: Infinite loop caused by incorrect error detection during LZMA decompression (CVE-2018-14567)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.","solution":"Update the affected packages.","riskFactor":"Medium","stigSeverity":"","vprScore":"6.7","vprContext":"[{\"id\":\"age_of_vuln\",\"name\":\"Vulnerability Age\",\"type\":\"string\",\"value\":\"730 days +\"},{\"id\":\"cvssV3_impactScore\",\"name\":\"CVSS v3 Impact Score\",\"type\":\"number\",\"value\":5.9000000000000004},{\"id\":\"exploit_code_maturity\",\"name\":\"Exploit Code Maturity\",\"type\":\"string\",\"value\":\"Unproven\"},{\"id\":\"product_coverage\",\"name\":\"Product Coverage\",\"type\":\"string\",\"value\":\"Very High\"},{\"id\":\"threat_intensity_last_28\",\"name\":\"Threat 
Intensity\",\"type\":\"string\",\"value\":\"Very Low\"},{\"id\":\"threat_recency\",\"name\":\"Threat Recency\",\"type\":\"string\",\"value\":\"> 365 days\"},{\"id\":\"threat_sources_last_28\",\"name\":\"Threat Sources\",\"type\":\"string\",\"value\":\"No recorded events\"}]","baseScore":"6.8","temporalScore":"5.0","cvssVector":"AV:N/AC:M/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C","cvssV3BaseScore":"8.8","cvssV3TemporalScore":"7.7","cvssV3Vector":"AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C","cpe":"p-cpe:/a:centos:centos:libxml2
p-cpe:/a:centos:centos:libxml2-devel
p-cpe:/a:centos:centos:libxml2-python
p-cpe:/a:centos:centos:libxml2-static
cpe:/o:centos:centos:7","vulnPubDate":"1446465600","patchPubDate":"1586347200","pluginPubDate":"1586520000","pluginModDate":"1615896000","checkType":"local","version":"1.4","cve":"CVE-2015-8035,CVE-2016-5131,CVE-2017-15412,CVE-2017-18258,CVE-2018-14404,CVE-2018-14567","bid":"","xref":"RHSA #2020:1190,CWE #252,CWE #400,CWE #476","pluginText":"\nRemote package installed : libxml2-2.9.1-6.el7_2.3\nShould be : libxml2-2.9.1-6.el7.4\n\n\nNOTE: The security advisory associated with this vulnerability has a\nfixed package version that may only be available in the continuous\nrelease (CR) repository for CentOS, until it is present in the next\npoint release of CentOS.\n\nIf an equal or higher package level does not exist in the baseline\nrepository for your major version of CentOS, then updates from the CR\nrepository will need to be applied in order to address the\nvulnerability.\n","dnsName":"target-cent7.lxd","macAddress":"00:16:3e:5d:7a:71","netbiosName":"","operatingSystem":"Linux Kernel 5.8.0-1035-aws on CentOS Linux release 7.6.1810 (Core)","ips":"10.238.64.9","hostUniqueness":"repositoryID,ip,dnsName","uniqueness":"repositoryID,ip,dnsName","family":{"id":"18","name":"CentOS Local Security Checks","type":"active"},"repository":{"id":"1","name":"Live","description":"","sciID":"1","dataFormat":"IPv4"},"pluginInfo":"135358 (0/6) CentOS 7 : libxml2 (CESA-2020:1190)"}
{"error_code":0,"error_msg":"","response":{"endOffset":"118000","matchingDataElementCount":"-1","results":[],"returnedRecords":0,"startOffset":"117000","totalRecords":"116095"},"timestamp":1677232486,"type":"regular","warnings":[]}
diff --git a/packages/tenable_sc/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log-expected.json b/packages/tenable_sc/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log-expected.json
index dc7e1eb7b32..adf9cfc7bf8 100644
--- a/packages/tenable_sc/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log-expected.json
+++ b/packages/tenable_sc/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log-expected.json
@@ -884,6 +884,212 @@
"severity": "Medium"
}
},
+ {
+ "@timestamp": "2021-10-30T16:12:20.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "category": [
+ "threat",
+ "vulnerability"
+ ],
+ "kind": "event",
+ "original": "{\"pluginID\":\"135358\",\"severity\":{\"id\":\"2\",\"name\":\"Medium\",\"description\":\"Medium Severity\"},\"hasBeenMitigated\":\"0\",\"acceptRisk\":\"0\",\"recastRisk\":\"0\",\"ip\":\"10.238.64.9\",\"uuid\":\"\",\"port\":\"0\",\"protocol\":\"TCP\",\"pluginName\":\"CentOS 7 : libxml2 (CESA-2020:1190)\",\"firstSeen\":\"1616256379\",\"lastSeen\":\"1635610340\",\"exploitAvailable\":\"No\",\"exploitEase\":\"No known exploits are available\",\"exploitFrameworks\":\"\",\"synopsis\":\"The remote CentOS Linux host is missing one or more security updates.\",\"description\":\"The remote CentOS Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2020:1190 advisory.\\n\\n - libxml2: DoS caused by incorrect error detection during XZ decompression (CVE-2015-8035)\\n\\n - libxml2: Use after free triggered by XPointer paths beginning with range-to (CVE-2016-5131)\\n\\n - libxml2: Use after free in xmlXPathCompOpEvalPositionalPredicate() function in xpath.c (CVE-2017-15412)\\n\\n - libxml2: Unrestricted memory usage in xz_head() function in xzlib.c (CVE-2017-18258)\\n\\n - libxml2: NULL pointer dereference in xmlXPathCompOpEval() function in xpath.c (CVE-2018-14404)\\n\\n - libxml2: Infinite loop caused by incorrect error detection during LZMA decompression (CVE-2018-14567)\\n\\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.\",\"solution\":\"Update the affected packages.\",\"riskFactor\":\"Medium\",\"stigSeverity\":\"\",\"vprScore\":\"6.7\",\"vprContext\":\"[{\\\"id\\\":\\\"age_of_vuln\\\",\\\"name\\\":\\\"Vulnerability Age\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"730 days +\\\"},{\\\"id\\\":\\\"cvssV3_impactScore\\\",\\\"name\\\":\\\"CVSS v3 Impact Score\\\",\\\"type\\\":\\\"number\\\",\\\"value\\\":5.9000000000000004},{\\\"id\\\":\\\"exploit_code_maturity\\\",\\\"name\\\":\\\"Exploit Code 
Maturity\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"Unproven\\\"},{\\\"id\\\":\\\"product_coverage\\\",\\\"name\\\":\\\"Product Coverage\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"Very High\\\"},{\\\"id\\\":\\\"threat_intensity_last_28\\\",\\\"name\\\":\\\"Threat Intensity\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"Very Low\\\"},{\\\"id\\\":\\\"threat_recency\\\",\\\"name\\\":\\\"Threat Recency\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"> 365 days\\\"},{\\\"id\\\":\\\"threat_sources_last_28\\\",\\\"name\\\":\\\"Threat Sources\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"No recorded events\\\"}]\",\"baseScore\":\"6.8\",\"temporalScore\":\"5.0\",\"cvssVector\":\"AV:N/AC:M/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C\",\"cvssV3BaseScore\":\"8.8\",\"cvssV3TemporalScore\":\"7.7\",\"cvssV3Vector\":\"AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C\",\"cpe\":\"p-cpe:/a:centos:centos:libxml2
p-cpe:/a:centos:centos:libxml2-devel
p-cpe:/a:centos:centos:libxml2-python
p-cpe:/a:centos:centos:libxml2-static
cpe:/o:centos:centos:7\",\"vulnPubDate\":\"1446465600\",\"patchPubDate\":\"1586347200\",\"pluginPubDate\":\"1586520000\",\"pluginModDate\":\"1615896000\",\"checkType\":\"local\",\"version\":\"1.4\",\"cve\":\"CVE-2015-8035,CVE-2016-5131,CVE-2017-15412,CVE-2017-18258,CVE-2018-14404,CVE-2018-14567\",\"bid\":\"\",\"xref\":\"RHSA #2020:1190,CWE #252,CWE #400,CWE #476\",\"pluginText\":\"\\nRemote package installed : libxml2-2.9.1-6.el7_2.3\\nShould be : libxml2-2.9.1-6.el7.4\\n\\n\\nNOTE: The security advisory associated with this vulnerability has a\\nfixed package version that may only be available in the continuous\\nrelease (CR) repository for CentOS, until it is present in the next\\npoint release of CentOS.\\n\\nIf an equal or higher package level does not exist in the baseline\\nrepository for your major version of CentOS, then updates from the CR\\nrepository will need to be applied in order to address the\\nvulnerability.\\n\",\"dnsName\":\"target-cent7.lxd\",\"macAddress\":\"00:16:3e:5d:7a:71\",\"netbiosName\":\"\",\"operatingSystem\":\"Linux Kernel 5.8.0-1035-aws on CentOS Linux release 7.6.1810 (Core)\",\"ips\":\"10.238.64.9\",\"hostUniqueness\":\"repositoryID,ip,dnsName\",\"uniqueness\":\"repositoryID,ip,dnsName\",\"family\":{\"id\":\"18\",\"name\":\"CentOS Local Security Checks\",\"type\":\"active\"},\"repository\":{\"id\":\"1\",\"name\":\"Live\",\"description\":\"\",\"sciID\":\"1\",\"dataFormat\":\"IPv4\"},\"pluginInfo\":\"135358 (0/6) CentOS 7 : libxml2 (CESA-2020:1190)\"}",
+ "type": [
+ "info"
+ ]
+ },
+ "host": {
+ "domain": "lxd",
+ "hostname": "target-cent7.lxd",
+ "ip": [
+ "10.238.64.9"
+ ],
+ "mac": [
+ "00-16-3E-5D-7A-71"
+ ],
+ "name": "target-cent7",
+ "os": {
+ "full": "Linux Kernel 5.8.0-1035-aws on CentOS Linux release 7.6.1810 (Core)"
+ }
+ },
+ "network": {
+ "transport": "tcp"
+ },
+ "related": {
+ "hosts": [
+ "target-cent7.lxd",
+ "target-cent7"
+ ],
+ "ip": [
+ "10.238.64.9"
+ ]
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
+ "tenable_sc": {
+ "vulnerability": {
+ "accept_risk": "0",
+ "age": 224,
+ "base_score": "6.8",
+ "check_type": "local",
+ "cpe": [
+ "p-cpe:/a:centos:centos:libxml2",
+ "p-cpe:/a:centos:centos:libxml2-devel",
+ "p-cpe:/a:centos:centos:libxml2-python",
+ "p-cpe:/a:centos:centos:libxml2-static",
+ "cpe:/o:centos:centos:7"
+ ],
+ "custom_hash": "T3/x/zjme2g49ZE/MyCN5NNTqBtvnpByfL6RsUFXwDU=",
+ "cvss_v3_vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
+ "cvss_vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C",
+ "dns": {
+ "name": "target-cent7.lxd"
+ },
+ "exploit": {
+ "ease": "No known exploits are available",
+ "is_available": false
+ },
+ "family": {
+ "id": "18",
+ "name": "CentOS Local Security Checks",
+ "type": "active"
+ },
+ "first_seen": "2021-03-20T16:06:19.000Z",
+ "has_been_mitigated": false,
+ "host_uniqueness": "repositoryID,ip,dnsName",
+ "id": "1_10.238.64.9_target-cent7.lxd",
+ "ip": "10.238.64.9",
+ "is_vulnerability_published": true,
+ "last_seen": "2021-10-30T16:12:20.000Z",
+ "mac": "00-16-3E-5D-7A-71",
+ "operating_system": "Linux Kernel 5.8.0-1035-aws on CentOS Linux release 7.6.1810 (Core)",
+ "patch": {
+ "is_published": true,
+ "pub_date": "2020-04-08T12:00:00.000Z"
+ },
+ "plugin": {
+ "id": "135358",
+ "info": "135358 (0/6) CentOS 7 : libxml2 (CESA-2020:1190)",
+ "is_modified": true,
+ "is_published": true,
+ "mod_date": "2021-03-16T12:00:00.000Z",
+ "name": "CentOS 7 : libxml2 (CESA-2020:1190)",
+ "pub_date": "2020-04-10T12:00:00.000Z",
+ "text": "\nRemote package installed : libxml2-2.9.1-6.el7_2.3\nShould be : libxml2-2.9.1-6.el7.4\n\n\nNOTE: The security advisory associated with this vulnerability has a\nfixed package version that may only be available in the continuous\nrelease (CR) repository for CentOS, until it is present in the next\npoint release of CentOS.\n\nIf an equal or higher package level does not exist in the baseline\nrepository for your major version of CentOS, then updates from the CR\nrepository will need to be applied in order to address the\nvulnerability.\n"
+ },
+ "port": "0",
+ "protocol": "TCP",
+ "recast_risk": "0",
+ "repository": {
+ "data_format": "IPv4",
+ "id": "1",
+ "name": "Live",
+ "sci_id": "1"
+ },
+ "risk_factor": "Medium",
+ "severity": {
+ "description": "Medium Severity",
+ "id": "2"
+ },
+ "solution": "Update the affected packages.",
+ "synopsis": "The remote CentOS Linux host is missing one or more security updates.",
+ "temporal_score": "5.0",
+ "uniqueness": "repositoryID,ip,dnsName",
+ "version": "1.4",
+ "vpr": {
+ "context": {
+ "_original": [
+ {
+ "id": "age_of_vuln",
+ "name": "Vulnerability Age",
+ "type": "string",
+ "value": "730 days +"
+ },
+ {
+ "id": "cvssV3_impactScore",
+ "name": "CVSS v3 Impact Score",
+ "type": "number",
+ "value": 5.9
+ },
+ {
+ "id": "exploit_code_maturity",
+ "name": "Exploit Code Maturity",
+ "type": "string",
+ "value": "Unproven"
+ },
+ {
+ "id": "product_coverage",
+ "name": "Product Coverage",
+ "type": "string",
+ "value": "Very High"
+ },
+ {
+ "id": "threat_intensity_last_28",
+ "name": "Threat Intensity",
+ "type": "string",
+ "value": "Very Low"
+ },
+ {
+ "id": "threat_recency",
+ "name": "Threat Recency",
+ "type": "string",
+ "value": "> 365 days"
+ },
+ {
+ "id": "threat_sources_last_28",
+ "name": "Threat Sources",
+ "type": "string",
+ "value": "No recorded events"
+ }
+ ],
+ "age_of_vuln": "730 days +",
+ "cvssV3_impactScore": 5.9,
+ "exploit_code_maturity": "Unproven",
+ "product_coverage": "Very High",
+ "threat_intensity_last_28": "Very Low",
+ "threat_recency": "> 365 days",
+ "threat_sources_last_28": "No recorded events"
+ },
+ "score": 6.7
+ },
+ "vuln_pub_date": "2015-11-02T12:00:00.000Z",
+ "xref": [
+ "RHSA #2020:1190",
+ "CWE #252",
+ "CWE #400",
+ "CWE #476"
+ ]
+ }
+ },
+ "vulnerability": {
+ "category": [
+ "CentOS Local Security Checks"
+ ],
+ "classification": "CVSS",
+ "description": "The remote CentOS Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2020:1190 advisory.\n\n - libxml2: DoS caused by incorrect error detection during XZ decompression (CVE-2015-8035)\n\n - libxml2: Use after free triggered by XPointer paths beginning with range-to (CVE-2016-5131)\n\n - libxml2: Use after free in xmlXPathCompOpEvalPositionalPredicate() function in xpath.c (CVE-2017-15412)\n\n - libxml2: Unrestricted memory usage in xz_head() function in xzlib.c (CVE-2017-18258)\n\n - libxml2: NULL pointer dereference in xmlXPathCompOpEval() function in xpath.c (CVE-2018-14404)\n\n - libxml2: Infinite loop caused by incorrect error detection during LZMA decompression (CVE-2018-14567)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.",
+ "enumeration": "CVE",
+ "id": [
+ "CVE-2015-8035",
+ "CVE-2016-5131",
+ "CVE-2017-15412",
+ "CVE-2017-18258",
+ "CVE-2018-14404",
+ "CVE-2018-14567"
+ ],
+ "scanner": {
+ "vendor": "Tenable"
+ },
+ "score": {
+ "base": 8.8,
+ "temporal": 7.7,
+ "version": "3.0"
+ },
+ "severity": "Medium"
+ }
+ },
null
]
-}
\ No newline at end of file
+}
diff --git a/packages/tenable_sc/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml b/packages/tenable_sc/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml
index 771f05df277..844c56ef855 100644
--- a/packages/tenable_sc/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/tenable_sc/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml
@@ -105,10 +105,12 @@ processors:
field: json.seeAlso
target_field: json.seeAlso
separator: '\n'
+ ignore_missing: true
- script:
description: |
This script will add all the cve reference links as well as the reference links provided in the response vunlerability.reference field.
lang: painless
+ if: ctx.json?.seeAlso != null && ctx.json.cve != null
source: >-
Set referenceSet = new HashSet();
if (ctx.json.cve != '') {
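Review bot: The added guard `if: ctx.json?.seeAlso != null && ctx.json.cve != null` skips the whole script whenever `seeAlso` is absent, so an event that carries CVEs but no seeAlso links now gets no CVE reference links at all, even though the description says the script adds both kinds; the new expected fixture in this diff shows exactly that shape (`vulnerability.id` populated, no `vulnerability.reference`). If the seeAlso handling inside the script can be guarded on its own, `if: ctx.json?.cve != null` would keep the CVE links for those events, with the seeAlso access inside the script protected by its own null check. The script body continues past the end of the hunk, so whether that access is already null-safe cannot be confirmed from here. The `ignore_missing: true` on the `split` processor is what makes the missing-seeAlso case reach the script instead of failing, which is the behaviour the guard should preserve.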
diff --git a/packages/tenable_sc/manifest.yml b/packages/tenable_sc/manifest.yml
index 76b75c93322..ab6560efaa5 100644
--- a/packages/tenable_sc/manifest.yml
+++ b/packages/tenable_sc/manifest.yml
@@ -2,7 +2,7 @@ format_version: "3.3.2"
name: tenable_sc
title: Tenable Security Center
# The version must be updated in the input configuration templates as well, in order to set the correct User-Agent header. Until elastic/kibana#121310 is implemented we will have to manually sync these.
-version: "1.32.0"
+version: "1.32.1"
description: |
Collect data from Tenable Security Center with Elastic Agent.
type: integration
diff --git a/packages/windows/changelog.yml b/packages/windows/changelog.yml
index 823d6fdd23e..19e9747c036 100644
--- a/packages/windows/changelog.yml
+++ b/packages/windows/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
+- version: "3.2.3"
+ changes:
+ - description: Fixed parsing of SidList field in Windows Security event 4908 (Special Groups Logon table modified) by normalizing whitespace separators.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/15797
- version: "3.2.2"
changes:
- description: |
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4908.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4908.json
new file mode 100644
index 00000000000..cbe590774c5
--- /dev/null
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4908.json
@@ -0,0 +1,46 @@
+{
+ "events": [
+ {
+ "@timestamp": "2020-08-19T06:07:25.0461779Z",
+ "event": {
+ "action": "Audit Policy Change",
+ "code": "4908",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing"
+ },
+ "host": {
+ "name": "WIN-BVM4LI1L1Q6.TEST.local"
+ },
+ "log": {
+ "level": "information"
+ },
+ "labels": {
+ "origin": "https://github.com/elastic/beats/commit/dd7a1b3808eb98e77fb49b268cd3764cc17eff5b"
+ },
+ "message": "Special Groups Logon table modified.\n\nSpecial Groups:\t\n\t\t%{S-1-5-32-544}\n\t\t%{S-1-5-32-123-54-65}\n\nThis event is generated when the list of special groups is updated in the registry or through security policy. The updated list of special groups is indicated in the event.",
+ "winlog": {
+ "channel": "Security",
+ "computer_name": "WIN-BVM4LI1L1Q6.TEST.local",
+ "event_data": {
+ "SidList": "\n\t\t%{S-1-5-32-544}\n\t\t%{S-1-5-32-123-54-65}"
+ },
+ "event_id": "4908",
+ "keywords": [
+ "Audit Success"
+ ],
+ "opcode": "Info",
+ "process": {
+ "pid": 784,
+ "thread": {
+ "id": 808
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": 140274,
+ "task": "Audit Policy Change"
+ }
+ }
+ ]
+}
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4908.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4908.json-expected.json
new file mode 100644
index 00000000000..d18db9b4c5e
--- /dev/null
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4908.json-expected.json
@@ -0,0 +1,70 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2020-08-19T06:07:25.0461779Z",
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "action": "special-group-table-changed",
+ "category": [
+ "iam",
+ "configuration"
+ ],
+ "code": "4908",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "admin",
+ "change"
+ ]
+ },
+ "host": {
+ "name": "WIN-BVM4LI1L1Q6.TEST.local",
+ "os": {
+ "family": "windows",
+ "type": "windows"
+ }
+ },
+ "labels": {
+ "origin": "https://github.com/elastic/beats/commit/dd7a1b3808eb98e77fb49b268cd3764cc17eff5b"
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "Special Groups Logon table modified.\n\nSpecial Groups:\t\n\t\t%{S-1-5-32-544}\n\t\t%{S-1-5-32-123-54-65}\n\nThis event is generated when the list of special groups is updated in the registry or through security policy. The updated list of special groups is indicated in the event.",
+ "winlog": {
+ "channel": "Security",
+ "computer_name": "WIN-BVM4LI1L1Q6.TEST.local",
+ "event_data": {
+ "SidList": [
+ "",
+ "%{S-1-5-32-544}",
+ "%{S-1-5-32-123-54-65}"
+ ],
+ "SidListDesc": [
+ "",
+ "Administrators",
+ "S-1-5-32-123-54-65"
+ ]
+ },
+ "event_id": "4908",
+ "keywords": [
+ "Audit Success"
+ ],
+ "opcode": "Info",
+ "process": {
+ "pid": 784,
+ "thread": {
+ "id": 808
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "140274",
+ "task": "Audit Policy Change"
+ }
+ }
+ ]
+}
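Review bot: The expected `SidList` and `SidListDesc` arrays here begin with an empty string, which looks like an artifact of the new processing rather than intended output: the raw value starts with `\n\t\t`, the `\s+` → `' '` gsub keeps that as a leading space, and `splitOnToken(" ")` then yields an empty first token that is presumably what the `translateSID` call turns into the leading `""` in `SidListDesc`. Trimming before the split removes it, e.g. `def sidsArray = sids.trim().splitOnToken(" ");` in the `splitSidList` hunk of security_standard.yml (a `trim` processor after the gsub hunk in the same file would do the same), after which this fixture should expect two entries in each array. `splitSidList` starts and ends outside its hunk, so the rest of the loop is not visible here.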
diff --git a/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml b/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml
index 081cebe11e5..88d05799202 100644
--- a/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml
+++ b/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml
@@ -3931,7 +3931,12 @@ processors:
ctx.winlog?.event_data?.OldTargetUserName != null &&
ctx.winlog.event_data.OldTargetUserName != "-"
-
+ - gsub:
+ description: Normalize separators in the SidList value.
+ field: winlog.event_data.SidList
+ pattern: '\s+'
+ replacement: ' '
+ ignore_missing: true
- script:
lang: painless
ignore_failure: false
@@ -4260,7 +4265,8 @@ processors:
void splitSidList(def sids, def params, def ctx) {
ArrayList al = new ArrayList();
- def sidList = sids.splitOnToken(" ");
+ def sidsArray = sids.splitOnToken(" ");
+ ArrayList sidList = new ArrayList(Arrays.asList(sidsArray));
ctx.winlog.event_data.put("SidList", sidList);
for (def i = 0; i < sidList.length; i++ ) {
al.add(translateSID(sidList[i].replace("%", "").replace("{", "").replace("}", "").replace(" ",""), params));
diff --git a/packages/windows/manifest.yml b/packages/windows/manifest.yml
index 063c49ee1b6..e689d82c095 100644
--- a/packages/windows/manifest.yml
+++ b/packages/windows/manifest.yml
@@ -1,6 +1,6 @@
name: windows
title: Windows
-version: 3.2.2
+version: 3.2.3
description: Collect logs and metrics from Windows OS and services with Elastic Agent.
type: integration
categories: