diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index d91fe5300a4..0bc8a980149 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -152,6 +152,9 @@ /packages/elastic_agent @elastic/elastic-agent /packages/elastic_package_registry @elastic/ecosystem /packages/elasticsearch @elastic/stack-monitoring +/packages/endace @elastic/sec-deployment-and-devices @elastic/sec-linux-platform +/packages/endace/data_stream/flow @elastic/sec-linux-platform +/packages/endace/data_stream/log @elastic/sec-deployment-and-devices /packages/enterprisesearch @elastic/stack-monitoring /packages/entityanalytics_ad @elastic/security-service-integrations /packages/entityanalytics_entra_id @elastic/security-service-integrations diff --git a/packages/endace/LICENSE.txt b/packages/endace/LICENSE.txt new file mode 100644 index 00000000000..809108b857f --- /dev/null +++ b/packages/endace/LICENSE.txt 
@@ -0,0 +1,93 @@ +Elastic License 2.0 + +URL: https://www.elastic.co/licensing/elastic-license + +## Acceptance + +By using the software, you agree to all of the terms and conditions below. + +## Copyright License + +The licensor grants you a non-exclusive, royalty-free, worldwide, +non-sublicensable, non-transferable license to use, copy, distribute, make +available, and prepare derivative works of the software, in each case subject to +the limitations and conditions below. + +## Limitations + +You may not provide the software to third parties as a hosted or managed +service, where the service provides users with access to any substantial set of +the features or functionality of the software. + +You may not move, change, disable, or circumvent the license key functionality +in the software, and you may not remove or obscure any functionality in the +software that is protected by the license key. + +You may not alter, remove, or obscure any licensing, copyright, or other notices +of the licensor in the software. Any use of the licensor’s trademarks is subject +to applicable law. + +## Patents + +The licensor grants you a license, under any patent claims the licensor can +license, or becomes able to license, to make, have made, use, sell, offer for +sale, import and have imported the software, in each case subject to the +limitations and conditions in this license. This license does not cover any +patent claims that you cause to be infringed by modifications or additions to +the software. If you or your company make any written claim that the software +infringes or contributes to infringement of any patent, your patent license for +the software granted under these terms ends immediately. If your company makes +such a claim, your patent license ends immediately for work on behalf of your +company. + +## Notices + +You must ensure that anyone who gets a copy of any part of the software from you +also gets a copy of these terms. 
+ +If you modify the software, you must include in any modified copies of the +software prominent notices stating that you have modified the software. + +## No Other Rights + +These terms do not imply any licenses other than those expressly granted in +these terms. + +## Termination + +If you use the software in violation of these terms, such use is not licensed, +and your licenses will automatically terminate. If the licensor provides you +with a notice of your violation, and you cease all violation of this license no +later than 30 days after you receive that notice, your licenses will be +reinstated retroactively. However, if you violate these terms after such +reinstatement, any additional violation of these terms will cause your licenses +to terminate automatically and permanently. + +## No Liability + +*As far as the law allows, the software comes as is, without any warranty or +condition, and the licensor will not be liable to you for any damages arising +out of these terms or the use or nature of the software, under any kind of +legal claim.* + +## Definitions + +The **licensor** is the entity offering these terms, and the **software** is the +software the licensor makes available under these terms, including any portion +of it. + +**you** refers to the individual or entity agreeing to these terms. + +**your company** is any legal entity, sole proprietorship, or other kind of +organization that you work for, plus all organizations that have control over, +are under the control of, or are under common control with that +organization. **control** means ownership of substantially all the assets of an +entity, or the power to direct its management and policies by vote, contract, or +otherwise. Control can be direct or indirect. + +**your licenses** are all the licenses granted to you for the software under +these terms. + +**use** means anything you do with the software requiring one of your licenses. 
+ +**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/endace/_dev/build/build.yml b/packages/endace/_dev/build/build.yml new file mode 100755 index 00000000000..71f48ba2a9c --- /dev/null +++ b/packages/endace/_dev/build/build.yml @@ -0,0 +1,4 @@ +dependencies: + ecs: + reference: "git@v8.11.0" + import_mappings: true diff --git a/packages/endace/_dev/build/docs/README.md b/packages/endace/_dev/build/docs/README.md new file mode 100644 index 00000000000..d1a792f65de --- /dev/null +++ b/packages/endace/_dev/build/docs/README.md 
@@ -0,0 +1,187 @@ +# Endace + +Endace is a company known for its network recording, traffic capture, and analysis technology. Endace's solutions are often used for network security, performance monitoring, and troubleshooting. +This integration allows users to ingest Network flow data from either Endace Flow via syslog input or use Elastic Agent to generate and ship Network Flow data to an Elastic deployment. Both of these methods add the `event.reference` field to each event when ingested into Elasticsearch which is a URL used to pivot to Endace. + + +## Additional Setup + +### Dataview +Once the integration is deployed, in order for the pivot link to be clickable to format for the `event.reference` field needs to be set, this can be done via Kibana Dev Tools and making the following request: +``` +POST kbn:/api/data_views/data_view/logs-*/fields +{ + "fields": { + "event.reference": { + "format":{ + "id": "url" + } + } + } +} +``` + +### IP Reputation +When in Elastic Security users are able to quickly lookup information about IPs from external services, to add Endace as an IP Reputation lookup service run the following in Kibana Dev Tools. Ensure to replace `` with your Endace appliance URL. + +``` +POST kbn:/api/kibana/settings +{"changes":{"securitySolution:ipReputationLinks": """[ + { "name": "Endace", "url_template": "https:///vision2/v1/pivotintovision/?datasources=tag:all&title=Untitled&reltime=12h&sip={{`{{ip}}`}}&tools=conversations_by_ipaddress" }, + { "name": "virustotal.com", "url_template": "https://www.virustotal.com/gui/search/{{`{{ip}}`}}" }, + { "name": "talosIntelligence.com", "url_template": "https://talosintelligence.com/reputation_center/lookup?search={{`{{ip}}`}}" } +]"""}} +``` + + +## Integration Variables +#### `endace_url` +The base URL for Endace UI. Example: https://myvprobe.com + +#### `endace_datasources` +The datasource within Endace to pivot to. 
Example: tag:rotation-file + +#### `endace_tools` +The tools to use within the Endace Pivot. Example: trafficOverTime_by_app,conversations_by_ipaddress + + +#### `endace_lookback` +The lookback time in Minutes of how long to look back over ontop of the event start and finish time. + +## Endace Flow +#### `map_to_ecs` + +Remap any non-ECS Packetbeat fields in root to their correct ECS fields. +This will rename fields that are moved so the fields will not be present +at the root of the document and so any rules that depend on the fields +will need to be updated. + +The legacy behaviour of this option is to not remap to ECS. This behaviour +is still the default, but is deprecated and users are encouraged to set +this option to true. + +ECS remapping may have an impact on workflows that depend on the identity +of non-ECS fields, and users should assess their use of these fields before +making the change. Users who need to retain data collected with the legacy +mappings may need to re-index their older documents. Instructions for doing +this are available [here](https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-reindex.html). +The pipeline used to perform ECS remapping for each data stream can be found +in `Stack Management`›`Ingest Pipelines` and and searching for +"logs-network_traffic compatibility". + +The deprecation and retirement timeline for legacy behavior is available +[here](https://github.com/elastic/integrations/issues/8185). + +#### `enabled` + +The enabled setting is a boolean setting to enable or disable protocols +without having to comment out configuration sections. If set to false, +the protocol is disabled. + +The default value is true. + +#### `ports` + +Exception: For ICMP the option `enabled` has to be used instead. + +The ports where Network Packet Capture will look to capture traffic for specific +protocols. 
Network Packet Capture installs a +[BPF](https://en.wikipedia.org/wiki/Berkeley_Packet_Filter) filter based +on the ports specified in this section. If a packet doesn’t match the +filter, very little CPU is required to discard the packet. Network Packet Capture +also uses the ports specified here to determine which parser to use for +each packet. + +#### `monitor_processes` + +If this option is enabled then network traffic events will be enriched +with information about the process associated with the events. + +The default value is false. + +#### `send_request` + +If this option is enabled, the raw message of the request (`request` +field) is sent to Elasticsearch. The default is false. This option is +useful when you want to index the whole request. Note that for HTTP, the +body is not included by default, only the HTTP headers. + +#### `send_response` + +If this option is enabled, the raw message of the response (`response` +field) is sent to Elasticsearch. The default is false. This option is +useful when you want to index the whole response. Note that for HTTP, +the body is not included by default, only the HTTP headers. + +#### `transaction_timeout` + +The per protocol transaction timeout. Expired transactions will no +longer be correlated to incoming responses, but sent to Elasticsearch +immediately. + +#### `tags` + +A list of tags that will be sent with the transaction event. This +setting is optional. + +#### `processors` + +A list of processors to apply to the data generated by the protocol. + +#### `keep_null` + +If this option is set to true, fields with `null` values will be +published in the output document. By default, `keep_null` is set to +`false`. + + +## Network Flows + +Overall flow information about the network connections on a +host. + +You can configure Network Packet Capture to collect and report statistics +on network flows. 
A *flow* is a group of packets sent over the same time +period that share common properties, such as the same source and destination +address and protocol. You can use this feature to analyze network +traffic over specific protocols on your network. + +For each flow, Network Packet Capture reports the number of packets and the +total number of bytes sent from the source to the destination. Each flow event +also contains information about the source and destination hosts, such +as their IP address. For bi-directional flows, Network Packet Capture reports +statistics for the reverse flow. + +Network Packet Capture collects and reports statistics up to and including the +transport layer. + +**Configuration options** + +You can specify the following options for capturing flows. + +#### `enabled` + +Enables flows support if set to true. Set to false to disable network +flows support without having to delete or comment out the flows section. +The default value is true. + +#### `timeout` + +Timeout configures the lifetime of a flow. If no packets have been +received for a flow within the timeout time window, the flow is killed +and reported. The default value is 30s. + +#### `period` + +Configure the reporting interval. All flows are reported at the very +same point in time. Periodical reporting can be disabled by setting the +value to -1. If disabled, flows are still reported once being timed out. +The default value is 10s. + +{{fields "flow"}} + +{{event "flow"}} + +## Licensing for Windows Systems + +The Network Packet Capture Integration incorporates a bundled Npcap installation on Windows hosts. The installation is provided under an [OEM license](https://npcap.com/oem/redist.html) from Insecure.Com LLC ("The Nmap Project"). \ No newline at end of file diff --git a/packages/endace/_dev/deploy/docker/docker-compose.yml b/packages/endace/_dev/deploy/docker/docker-compose.yml new file mode 100644 index 00000000000..2bd8a11a137 --- /dev/null 
+++ b/packages/endace/_dev/deploy/docker/docker-compose.yml @@ -0,0 +1,13 @@ +version: "2.3" +services: + endace: + image: alpine + volumes: + - ./pcaps:/sample_pcaps:ro + - ${SERVICE_LOGS_DIR}:/pcaps + command: /bin/sh -c "cp /sample_pcaps/* /pcaps/" + netflow-log-netflow: + image: docker.elastic.co/observability/stream:v0.16.0 + volumes: + - ./sample_logs:/sample_logs:ro + command: pcap --start-signal=SIGHUP --delay=5s --addr elastic-agent:2055 -p=udp /sample_logs/ipfix_cisco.pcap diff --git a/packages/endace/_dev/deploy/docker/pcaps/amqp_channel_error.pcap b/packages/endace/_dev/deploy/docker/pcaps/amqp_channel_error.pcap new file mode 100644 index 00000000000..313bb20e092 Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/amqp_channel_error.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/amqp_emit_receive.pcap b/packages/endace/_dev/deploy/docker/pcaps/amqp_emit_receive.pcap new file mode 100644 index 00000000000..b9ce70e23d2 Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/amqp_emit_receive.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/amqp_publish.pcap b/packages/endace/_dev/deploy/docker/pcaps/amqp_publish.pcap new file mode 100644 index 00000000000..ed1fb00b6b4 Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/amqp_publish.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/cassandra_create_index.pcap b/packages/endace/_dev/deploy/docker/pcaps/cassandra_create_index.pcap new file mode 100644 index 00000000000..5ea3accfc93 Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/cassandra_create_index.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/cassandra_create_keyspace.pcap b/packages/endace/_dev/deploy/docker/pcaps/cassandra_create_keyspace.pcap new file mode 100644 index 00000000000..116cb24510e Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/cassandra_create_keyspace.pcap differ 
diff --git a/packages/endace/_dev/deploy/docker/pcaps/cassandra_create_table.pcap b/packages/endace/_dev/deploy/docker/pcaps/cassandra_create_table.pcap new file mode 100644 index 00000000000..adc90767d8e Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/cassandra_create_table.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/cassandra_insert.pcap b/packages/endace/_dev/deploy/docker/pcaps/cassandra_insert.pcap new file mode 100644 index 00000000000..74c6ba51da3 Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/cassandra_insert.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/cassandra_mixed_frame.pcap b/packages/endace/_dev/deploy/docker/pcaps/cassandra_mixed_frame.pcap new file mode 100644 index 00000000000..a0417059a94 Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/cassandra_mixed_frame.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/cassandra_select.pcap b/packages/endace/_dev/deploy/docker/pcaps/cassandra_select.pcap new file mode 100644 index 00000000000..3181a4b938f Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/cassandra_select.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/cassandra_select_via_index.pcap b/packages/endace/_dev/deploy/docker/pcaps/cassandra_select_via_index.pcap new file mode 100644 index 00000000000..48600359852 Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/cassandra_select_via_index.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/cassandra_trace_err.pcap b/packages/endace/_dev/deploy/docker/pcaps/cassandra_trace_err.pcap new file mode 100644 index 00000000000..8d006781352 Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/cassandra_trace_err.pcap differ 
diff --git a/packages/endace/_dev/deploy/docker/pcaps/dhcp.pcap b/packages/endace/_dev/deploy/docker/pcaps/dhcp.pcap new file mode 100644 index 00000000000..a42d6102e8a Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/dhcp.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/dns_additional.pcap b/packages/endace/_dev/deploy/docker/pcaps/dns_additional.pcap new file mode 100644 index 00000000000..0e8962e9a3e Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/dns_additional.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/dns_google_com.pcap b/packages/endace/_dev/deploy/docker/pcaps/dns_google_com.pcap new file mode 100644 index 00000000000..15aea7e9776 Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/dns_google_com.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/dns_mx.pcap b/packages/endace/_dev/deploy/docker/pcaps/dns_mx.pcap new file mode 100644 index 00000000000..958f38e1349 Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/dns_mx.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/dns_not_found.pcap b/packages/endace/_dev/deploy/docker/pcaps/dns_not_found.pcap new file mode 100644 index 00000000000..07dc1169e4d Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/dns_not_found.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/dns_ns.pcap b/packages/endace/_dev/deploy/docker/pcaps/dns_ns.pcap new file mode 100644 index 00000000000..c4b1761c474 Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/dns_ns.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/dns_tcp_axfr.pcap b/packages/endace/_dev/deploy/docker/pcaps/dns_tcp_axfr.pcap new file mode 100644 index 00000000000..0291cbf166d Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/dns_tcp_axfr.pcap differ 
diff --git a/packages/endace/_dev/deploy/docker/pcaps/dns_txt.pcap b/packages/endace/_dev/deploy/docker/pcaps/dns_txt.pcap new file mode 100644 index 00000000000..e9916bdb02b Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/dns_txt.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/dns_udp_edns_ds.pcap b/packages/endace/_dev/deploy/docker/pcaps/dns_udp_edns_ds.pcap new file mode 100644 index 00000000000..7e16154ea33 Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/dns_udp_edns_ds.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/http_10_connection_close.pcap b/packages/endace/_dev/deploy/docker/pcaps/http_10_connection_close.pcap new file mode 100644 index 00000000000..52291053c2b Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/http_10_connection_close.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/http_basicauth.pcap b/packages/endace/_dev/deploy/docker/pcaps/http_basicauth.pcap new file mode 100644 index 00000000000..e84969977dd Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/http_basicauth.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/http_get_2k_file.pcap b/packages/endace/_dev/deploy/docker/pcaps/http_get_2k_file.pcap new file mode 100644 index 00000000000..7f0d8069778 Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/http_get_2k_file.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/http_minitwit.pcap b/packages/endace/_dev/deploy/docker/pcaps/http_minitwit.pcap new file mode 100644 index 00000000000..c096cfab468 Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/http_minitwit.pcap differ 
diff --git a/packages/endace/_dev/deploy/docker/pcaps/http_over_vlan.pcap b/packages/endace/_dev/deploy/docker/pcaps/http_over_vlan.pcap new file mode 100644 index 00000000000..4c6444707c4 Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/http_over_vlan.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/http_post.pcap b/packages/endace/_dev/deploy/docker/pcaps/http_post.pcap new file mode 100644 index 00000000000..828c55c3d6b Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/http_post.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/http_post_json.pcap b/packages/endace/_dev/deploy/docker/pcaps/http_post_json.pcap new file mode 100644 index 00000000000..0f66d0d58bd Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/http_post_json.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/http_realip.pcap b/packages/endace/_dev/deploy/docker/pcaps/http_realip.pcap new file mode 100644 index 00000000000..ea63f90676e Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/http_realip.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/http_url_params.pcap b/packages/endace/_dev/deploy/docker/pcaps/http_url_params.pcap new file mode 100644 index 00000000000..96682ef7de0 Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/http_url_params.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/http_x_forwarded_for.pcap b/packages/endace/_dev/deploy/docker/pcaps/http_x_forwarded_for.pcap new file mode 100644 index 00000000000..19f081c54a2 Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/http_x_forwarded_for.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/icmp4_ping.pcap b/packages/endace/_dev/deploy/docker/pcaps/icmp4_ping.pcap new file mode 100644 index 00000000000..9d7d170cade Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/icmp4_ping.pcap differ 
diff --git a/packages/endace/_dev/deploy/docker/pcaps/icmp4_ping_over_vlan.pcap b/packages/endace/_dev/deploy/docker/pcaps/icmp4_ping_over_vlan.pcap new file mode 100644 index 00000000000..c193d65a5d1 Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/icmp4_ping_over_vlan.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/icmp6_ping.pcap b/packages/endace/_dev/deploy/docker/pcaps/icmp6_ping.pcap new file mode 100644 index 00000000000..db86b0bbebd Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/icmp6_ping.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/icmp6_ping_over_vlan.pcap b/packages/endace/_dev/deploy/docker/pcaps/icmp6_ping_over_vlan.pcap new file mode 100644 index 00000000000..93a5aab3297 Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/icmp6_ping_over_vlan.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/icmp_2_pings.pcap b/packages/endace/_dev/deploy/docker/pcaps/icmp_2_pings.pcap new file mode 100644 index 00000000000..fe30ecd7c1c Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/icmp_2_pings.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/memcache_bin_tcp_counter_ops.pcap b/packages/endace/_dev/deploy/docker/pcaps/memcache_bin_tcp_counter_ops.pcap new file mode 100644 index 00000000000..0a837497b95 Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/memcache_bin_tcp_counter_ops.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/memcache_bin_tcp_delete.pcap b/packages/endace/_dev/deploy/docker/pcaps/memcache_bin_tcp_delete.pcap new file mode 100644 index 00000000000..b3d926b0e11 Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/memcache_bin_tcp_delete.pcap differ 
diff --git a/packages/endace/_dev/deploy/docker/pcaps/memcache_bin_tcp_multi_store_load.pcap b/packages/endace/_dev/deploy/docker/pcaps/memcache_bin_tcp_multi_store_load.pcap new file mode 100644 index 00000000000..429ac9fd61a Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/memcache_bin_tcp_multi_store_load.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/memcache_bin_tcp_single_load_store.pcap b/packages/endace/_dev/deploy/docker/pcaps/memcache_bin_tcp_single_load_store.pcap new file mode 100644 index 00000000000..14e1cbd9528 Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/memcache_bin_tcp_single_load_store.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/memcache_bin_tcp_stats.pcap b/packages/endace/_dev/deploy/docker/pcaps/memcache_bin_tcp_stats.pcap new file mode 100644 index 00000000000..35be732dcb9 Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/memcache_bin_tcp_stats.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/memcache_bin_udp_counter_ops.pcap b/packages/endace/_dev/deploy/docker/pcaps/memcache_bin_udp_counter_ops.pcap new file mode 100644 index 00000000000..b73c376f90a Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/memcache_bin_udp_counter_ops.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/memcache_bin_udp_delete.pcap b/packages/endace/_dev/deploy/docker/pcaps/memcache_bin_udp_delete.pcap new file mode 100644 index 00000000000..a375a7d67c9 Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/memcache_bin_udp_delete.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/memcache_bin_udp_multi_store.pcap b/packages/endace/_dev/deploy/docker/pcaps/memcache_bin_udp_multi_store.pcap new file mode 100644 index 00000000000..6db50f7dd15 Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/memcache_bin_udp_multi_store.pcap differ 
diff --git a/packages/endace/_dev/deploy/docker/pcaps/memcache_bin_udp_single_store.pcap b/packages/endace/_dev/deploy/docker/pcaps/memcache_bin_udp_single_store.pcap new file mode 100644 index 00000000000..25ab8e29a93 Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/memcache_bin_udp_single_store.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/memcache_text_tcp_counter_ops.pcap b/packages/endace/_dev/deploy/docker/pcaps/memcache_text_tcp_counter_ops.pcap new file mode 100644 index 00000000000..cf9c7ebaf41 Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/memcache_text_tcp_counter_ops.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/memcache_text_tcp_delete.pcap b/packages/endace/_dev/deploy/docker/pcaps/memcache_text_tcp_delete.pcap new file mode 100644 index 00000000000..c9ab73881ea Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/memcache_text_tcp_delete.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/memcache_text_tcp_multi_store_load.pcap b/packages/endace/_dev/deploy/docker/pcaps/memcache_text_tcp_multi_store_load.pcap new file mode 100644 index 00000000000..787fd01398b Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/memcache_text_tcp_multi_store_load.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/memcache_text_tcp_single_load_store.pcap b/packages/endace/_dev/deploy/docker/pcaps/memcache_text_tcp_single_load_store.pcap new file mode 100644 index 00000000000..b1841cb021f Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/memcache_text_tcp_single_load_store.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/memcache_text_tcp_stats.pcap b/packages/endace/_dev/deploy/docker/pcaps/memcache_text_tcp_stats.pcap new file mode 100644 index 00000000000..cec7be1e83c Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/memcache_text_tcp_stats.pcap differ 
diff --git a/packages/endace/_dev/deploy/docker/pcaps/memcache_text_udp_counter_ops.pcap b/packages/endace/_dev/deploy/docker/pcaps/memcache_text_udp_counter_ops.pcap new file mode 100644 index 00000000000..bd7edd98bb5 Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/memcache_text_udp_counter_ops.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/memcache_text_udp_delete.pcap b/packages/endace/_dev/deploy/docker/pcaps/memcache_text_udp_delete.pcap new file mode 100644 index 00000000000..dc297e2fc9a Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/memcache_text_udp_delete.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/memcache_text_udp_multi_store.pcap b/packages/endace/_dev/deploy/docker/pcaps/memcache_text_udp_multi_store.pcap new file mode 100644 index 00000000000..c01a8b6c5b4 Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/memcache_text_udp_multi_store.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/memcache_text_udp_single_store.pcap b/packages/endace/_dev/deploy/docker/pcaps/memcache_text_udp_single_store.pcap new file mode 100644 index 00000000000..64ea99763f0 Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/memcache_text_udp_single_store.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/mongo_3.0_session.pcap b/packages/endace/_dev/deploy/docker/pcaps/mongo_3.0_session.pcap new file mode 100644 index 00000000000..8402939917a Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/mongo_3.0_session.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/mongo_one_row.pcap b/packages/endace/_dev/deploy/docker/pcaps/mongo_one_row.pcap new file mode 100644 index 00000000000..95fc218e516 Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/mongo_one_row.pcap differ 
diff --git a/packages/endace/_dev/deploy/docker/pcaps/mongodb_create_collection.pcap b/packages/endace/_dev/deploy/docker/pcaps/mongodb_create_collection.pcap new file mode 100644 index 00000000000..c76614b7f48 Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/mongodb_create_collection.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/mongodb_find.pcap b/packages/endace/_dev/deploy/docker/pcaps/mongodb_find.pcap new file mode 100644 index 00000000000..c2aa5823ff7 Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/mongodb_find.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/mongodb_insert_duplicate_key.pcap b/packages/endace/_dev/deploy/docker/pcaps/mongodb_insert_duplicate_key.pcap new file mode 100644 index 00000000000..949d0725120 Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/mongodb_insert_duplicate_key.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/mongodb_inserts.pcap b/packages/endace/_dev/deploy/docker/pcaps/mongodb_inserts.pcap new file mode 100644 index 00000000000..5212ff70ae8 Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/mongodb_inserts.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/mongodb_more_rows.pcap b/packages/endace/_dev/deploy/docker/pcaps/mongodb_more_rows.pcap new file mode 100644 index 00000000000..f47a5eee1b7 Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/mongodb_more_rows.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/mongodb_reply_request_reply.pcap b/packages/endace/_dev/deploy/docker/pcaps/mongodb_reply_request_reply.pcap new file mode 100644 index 00000000000..9f5ffb5555f Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/mongodb_reply_request_reply.pcap differ 
diff --git a/packages/endace/_dev/deploy/docker/pcaps/mongodb_use_db.pcap b/packages/endace/_dev/deploy/docker/pcaps/mongodb_use_db.pcap new file mode 100644 index 00000000000..ec141770edd Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/mongodb_use_db.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/mysql_affected_rows.pcap b/packages/endace/_dev/deploy/docker/pcaps/mysql_affected_rows.pcap new file mode 100644 index 00000000000..f4a3da9fcb6 Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/mysql_affected_rows.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/mysql_connection.pcap b/packages/endace/_dev/deploy/docker/pcaps/mysql_connection.pcap new file mode 100644 index 00000000000..ee837032828 Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/mysql_connection.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/mysql_err_database_not_selected.pcap b/packages/endace/_dev/deploy/docker/pcaps/mysql_err_database_not_selected.pcap new file mode 100644 index 00000000000..524b8021916 Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/mysql_err_database_not_selected.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/mysql_long.pcap b/packages/endace/_dev/deploy/docker/pcaps/mysql_long.pcap new file mode 100644 index 00000000000..8bb52ff8e28 Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/mysql_long.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/mysql_long_result.pcap b/packages/endace/_dev/deploy/docker/pcaps/mysql_long_result.pcap new file mode 100644 index 00000000000..949fba198a4 Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/mysql_long_result.pcap differ 
diff --git a/packages/endace/_dev/deploy/docker/pcaps/mysql_windows_lineending.pcap b/packages/endace/_dev/deploy/docker/pcaps/mysql_windows_lineending.pcap new file mode 100644 index 00000000000..c6219bc12a4 Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/mysql_windows_lineending.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/mysql_with_whitespaces.pcap b/packages/endace/_dev/deploy/docker/pcaps/mysql_with_whitespaces.pcap new file mode 100644 index 00000000000..f22a93b503a Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/mysql_with_whitespaces.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/nfs4_close.pcap b/packages/endace/_dev/deploy/docker/pcaps/nfs4_close.pcap new file mode 100644 index 00000000000..ffac7b3f0e5 Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/nfs4_close.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/nfs_v3.pcap b/packages/endace/_dev/deploy/docker/pcaps/nfs_v3.pcap new file mode 100644 index 00000000000..fa489c8b5d3 Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/nfs_v3.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/nfs_v4.pcap b/packages/endace/_dev/deploy/docker/pcaps/nfs_v4.pcap new file mode 100644 index 00000000000..5fabb74fd22 Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/nfs_v4.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/nfsv42_clone.pcap b/packages/endace/_dev/deploy/docker/pcaps/nfsv42_clone.pcap new file mode 100644 index 00000000000..2ebea37a37a Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/nfsv42_clone.pcap differ 
diff --git a/packages/endace/_dev/deploy/docker/pcaps/nfsv42_layoutstats.pcap b/packages/endace/_dev/deploy/docker/pcaps/nfsv42_layoutstats.pcap new file mode 100644 index 00000000000..04eaa4e97a0 Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/nfsv42_layoutstats.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/pgsql_extended_query.pcap b/packages/endace/_dev/deploy/docker/pcaps/pgsql_extended_query.pcap new file mode 100644 index 00000000000..559dadbf49a Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/pgsql_extended_query.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/pgsql_insert.pcap b/packages/endace/_dev/deploy/docker/pcaps/pgsql_insert.pcap new file mode 100644 index 00000000000..90276307f8f Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/pgsql_insert.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/pgsql_insert_error.pcap b/packages/endace/_dev/deploy/docker/pcaps/pgsql_insert_error.pcap new file mode 100644 index 00000000000..976737f921e Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/pgsql_insert_error.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/pgsql_long_result.pcap b/packages/endace/_dev/deploy/docker/pcaps/pgsql_long_result.pcap new file mode 100644 index 00000000000..cf73fa4ee04 Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/pgsql_long_result.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/pgsql_request_response.pcap b/packages/endace/_dev/deploy/docker/pcaps/pgsql_request_response.pcap new file mode 100644 index 00000000000..1754020f2fc Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/pgsql_request_response.pcap differ 
diff --git a/packages/endace/_dev/deploy/docker/pcaps/pgsql_rt.pcap b/packages/endace/_dev/deploy/docker/pcaps/pgsql_rt.pcap new file mode 100644 index 00000000000..764f399252c Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/pgsql_rt.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/redis_one_transaction.pcap b/packages/endace/_dev/deploy/docker/pcaps/redis_one_transaction.pcap new file mode 100644 index 00000000000..8f8d21733eb Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/redis_one_transaction.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/redis_session.pcap b/packages/endace/_dev/deploy/docker/pcaps/redis_session.pcap new file mode 100644 index 00000000000..b848d025c73 Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/redis_session.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/sip.pcap b/packages/endace/_dev/deploy/docker/pcaps/sip.pcap new file mode 100644 index 00000000000..7ec19fb525b Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/sip.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/sip_authenticated_register.pcap b/packages/endace/_dev/deploy/docker/pcaps/sip_authenticated_register.pcap new file mode 100644 index 00000000000..25f10e5cf88 Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/sip_authenticated_register.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/thrift_integration.pcap b/packages/endace/_dev/deploy/docker/pcaps/thrift_integration.pcap new file mode 100644 index 00000000000..c90352b31cb Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/thrift_integration.pcap differ 
diff --git a/packages/endace/_dev/deploy/docker/pcaps/thrift_tutorial.pcap b/packages/endace/_dev/deploy/docker/pcaps/thrift_tutorial.pcap new file mode 100644 index 00000000000..503469569ab Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/thrift_tutorial.pcap differ diff --git a/packages/endace/_dev/deploy/docker/pcaps/tls-version-13.pcap b/packages/endace/_dev/deploy/docker/pcaps/tls-version-13.pcap new file mode 100644 index 00000000000..ddbe3482844 Binary files /dev/null and b/packages/endace/_dev/deploy/docker/pcaps/tls-version-13.pcap differ diff --git a/packages/endace/_dev/deploy/docker/sample_logs/ipfix_cisco.pcap b/packages/endace/_dev/deploy/docker/sample_logs/ipfix_cisco.pcap new file mode 100644 index 00000000000..365e936d2ea Binary files /dev/null and b/packages/endace/_dev/deploy/docker/sample_logs/ipfix_cisco.pcap differ diff --git a/packages/endace/changelog.yml b/packages/endace/changelog.yml new file mode 100644 index 00000000000..fc8030cfebb --- /dev/null +++ b/packages/endace/changelog.yml @@ -0,0 +1,6 @@ +# newer versions go on top +- version: "0.1.0" + changes: + - description: Initial draft of the package + type: enhancement + link: https://github.com/elastic/integrations/pull/10308 diff --git a/packages/endace/data_stream/flow/_dev/test/pipeline/test-flow-events.json b/packages/endace/data_stream/flow/_dev/test/pipeline/test-flow-events.json new file mode 100644 index 00000000000..a50f34cefb3 --- /dev/null +++ b/packages/endace/data_stream/flow/_dev/test/pipeline/test-flow-events.json 
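Review bot: the binary captures added under `packages/endace/_dev/deploy/docker/pcaps/` (mongodb, mysql, nfs, pgsql, redis, sip, thrift, tls) and `sample_logs/ipfix_cisco.pcap` have no accompanying note saying which system test or data stream replays each one, so a reviewer cannot tell which of the roughly sixty files are actually exercised. Suggest a short README (or a comment in the docker deploy config) listing the consumer of each capture and where the files originate, so unused captures can be pruned later. The `changelog.yml` hunk is fine as an initial `0.1.0` entry linking to this PR.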
@@ -0,0 +1,2522 @@ +{ + "events": [ + { + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "type": "packetbeat", + "version": "8.9.1" + }, + "destination": { + "port": 48866, + "bytes": 1317, + "ip": "127.0.0.1", + "packets": 12 + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "source": { + "port": 6789, + "bytes": 1108, + "ip": "127.0.0.1", + "packets": 14 + }, + "type": "flow", + "network": { + "community_id": "1:RCi572y4gqQ+7LFlqkPsn1Xfa+0=", + "bytes": 2425, + "transport": "tcp", + "type": "ipv4", + "packets": 26 + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "test-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": "2024-07-01T10:49:50.000Z", + "ecs": { + "version": "8.11.0" + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "endace.flow" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "family": "debian", + "type": "linux", + "version": "11 (bullseye)", + "platform": "debian" + }, + "containerized": false, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "event": { + "duration": 64831956254, + "agent_id_status": "verified", + "ingested": "2024-07-01T10:49:51Z", + "kind": "event", + "start": "2024-07-01T10:48:39.852Z", + "action": "network_flow", + "end": "2024-07-01T10:49:44.684Z", + "category": [ + "network" + ], + "type": [ + "connection" + ], 
+ "dataset": "endace.flow" + }, + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAF/AAABfwAAAYUa4r4" + }, + "_conf": { + "event": { + "start": 1719827319, + "end": 1719827384 + }, + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "type": "packetbeat", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "version": "8.9.1" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "destination": { + "geo": { + "region_iso_code": "GB-ENG", + "continent_name": "Europe", + "city_name": "London", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lon": -0.093, + "lat": 51.5088 + }, + "region_name": "England" + }, + "as": { + "number": 396982, + "organization": { + "name": "GOOGLE-CLOUD-PLATFORM" + } + }, + "port": 443, + "bytes": 680, + "ip": "81.2.69.144", + "packets": 10 + }, + "source": { + "port": 56370, + "bytes": 5211, + "ip": "10.100.0.29", + "packets": 10 + }, + "type": "flow", + "network": { + "community_id": "1:TwdqE0w1aE72YUTaajguLj4qUns=", + "bytes": 5891, + "transport": "tcp", + "type": "ipv4", + "packets": 20 + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "test-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "machine": { + "type": "t2d-standard-1" + }, + "service": { + "name": "GCE" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": "2024-07-01T10:49:50.000Z", + "ecs": { + "version": "8.11.0" + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "endace.flow" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": 
"5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "family": "debian", + "type": "linux", + "version": "11 (bullseye)", + "platform": "debian" + }, + "containerized": false, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "observer": { + "hostname": "webserver", + "mac": [ + "42-01-0A-64-00-1D" + ], + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ] + }, + "event": { + "duration": 60223908451, + "agent_id_status": "verified", + "ingested": "2024-07-01T10:49:51Z", + "kind": "event", + "start": "2024-07-01T10:48:39.852Z", + "action": "network_flow", + "end": "2024-07-01T10:49:40.076Z", + "category": [ + "network" + ], + "type": [ + "connection" + ], + "dataset": "endace.flow" + }, + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAEKZAAdIlkMDDLcuwE" + }, + "_conf": { + "map_to_ecs": true, + "geoip_enrich": true, + "event": { + "start": 1719827319, + "end": 1719827380 + }, + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "type": "packetbeat", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "version": "8.9.1" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "destination": { + "geo": { + "region_iso_code": "GB-ENG", + "continent_name": "Europe", + "city_name": "London", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lon": -0.093, + "lat": 51.5088 + }, + "region_name": "England" + }, + "as": { + "number": 396982, + "organization": { + "name": "GOOGLE-CLOUD-PLATFORM" + } + }, + "port": 443, + "bytes": 9672, + "ip": 
"81.2.69.144", + "packets": 45 + }, + "source": { + "port": 60098, + "bytes": 547639, + "ip": "10.100.0.29", + "packets": 66 + }, + "type": "flow", + "network": { + "community_id": "1:vX6oXjJfSEwPiJ0pwvMzUK719S8=", + "bytes": 557311, + "transport": "tcp", + "type": "ipv4", + "packets": 111 + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "test-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": "2024-07-01T10:49:50.000Z", + "ecs": { + "version": "8.11.0" + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "endace.flow" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "11 (bullseye)", + "platform": "debian" + }, + "containerized": false, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "event": { + "duration": 60736169344, + "agent_id_status": "verified", + "ingested": "2024-07-01T10:49:51Z", + "kind": "event", + "start": "2024-07-01T10:48:40.363Z", + "action": "network_flow", + "end": "2024-07-01T10:49:41.100Z", + "category": [ + "network" + ], + "type": [ + "connection" + ], + "dataset": "endace.flow" + }, + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAEKZAAdIlkMDMLquwE" + }, + "_conf": { + "geoip_enrich": true, + "event": { + "start": 1719827320, + "end": 1719827381 + }, + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 
+ } + }, + { + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "type": "packetbeat", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "version": "8.9.1" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "destination": { + "geo": { + "region_iso_code": "GB-ENG", + "continent_name": "Europe", + "city_name": "London", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lon": -0.093, + "lat": 51.5088 + }, + "region_name": "England" + }, + "as": { + "number": 396982, + "organization": { + "name": "GOOGLE-CLOUD-PLATFORM" + } + }, + "port": 443, + "bytes": 1954, + "ip": "81.2.69.144", + "packets": 6 + }, + "source": { + "port": 55960, + "bytes": 7775, + "ip": "10.100.0.29", + "packets": 7 + }, + "type": "flow", + "network": { + "community_id": "1:rkJGR0qjRmD5vrCpbbdAiOnhiQM=", + "bytes": 9729, + "transport": "tcp", + "type": "ipv4", + "packets": 13 + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "test-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "machine": { + "type": "t2d-standard-1" + }, + "service": { + "name": "GCE" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": "2024-07-01T10:49:50.000Z", + "ecs": { + "version": "8.11.0" + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "endace.flow" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "family": "debian", + "type": "linux", + "version": "11 (bullseye)", + "platform": "debian" + }, + "containerized": false, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + 
"architecture": "x86_64" + }, + "event": { + "duration": 60735918914, + "agent_id_status": "verified", + "ingested": "2024-07-01T10:49:51Z", + "kind": "event", + "start": "2024-07-01T10:48:40.364Z", + "action": "network_flow", + "end": "2024-07-01T10:49:41.100Z", + "category": [ + "network" + ], + "type": [ + "connection" + ], + "dataset": "endace.flow" + }, + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAEKZAAdIlkMDJjauwE" + }, + "_conf": { + "geoip_enrich": true, + "event": { + "start": 1719827320, + "end": 1719827381 + }, + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "type": "packetbeat", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "version": "8.9.1" + }, + "destination": { + "port": 6789, + "bytes": 1176, + "ip": "127.0.0.1", + "packets": 15 + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "source": { + "port": 48904, + "bytes": 1479, + "ip": "127.0.0.1", + "packets": 12 + }, + "type": "flow", + "network": { + "community_id": "1:8z8pjOEt4+6YMtJjX7lUfpXgVgw=", + "bytes": 2655, + "transport": "tcp", + "type": "ipv4", + "packets": 27 + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "test-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": "2024-07-01T10:49:50.000Z", + "ecs": { + "version": "8.11.0" + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "endace.flow" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": 
"5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "family": "debian", + "type": "linux", + "version": "11 (bullseye)", + "platform": "debian" + }, + "containerized": false, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "event": { + "duration": 65343896149, + "agent_id_status": "verified", + "ingested": "2024-07-01T10:49:51Z", + "kind": "event", + "start": "2024-07-01T10:48:40.364Z", + "action": "network_flow", + "end": "2024-07-01T10:49:45.708Z", + "category": [ + "network" + ], + "type": [ + "connection" + ], + "dataset": "endace.flow" + }, + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAF/AAABfwAAAQi/hRo" + }, + "_conf": { + "geoip_enrich": true, + "event": { + "start": 1719827320, + "end": 1719827385 + }, + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "type": "packetbeat", + "version": "8.9.1" + }, + "destination": { + "geo": { + "region_iso_code": "GB-ENG", + "continent_name": "Europe", + "city_name": "London", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lon": -0.093, + "lat": 51.5088 + }, + "region_name": "England" + }, + "as": { + "number": 396982, + "organization": { + "name": "GOOGLE-CLOUD-PLATFORM" + } + }, + "port": 443, + "bytes": 7821, + "ip": "81.2.69.144", + "packets": 30 + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "source": { + "port": 45176, + "bytes": 332993, + "ip": "10.100.0.29", + "packets": 49 + }, + "type": "flow", + "network": { + 
"community_id": "1:rDoUGTpaonfSKgfFy8xvyps5opI=", + "bytes": 340814, + "transport": "tcp", + "type": "ipv4", + "packets": 79 + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "test-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": "2024-07-01T10:49:50.000Z", + "ecs": { + "version": "8.11.0" + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "endace.flow" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "family": "debian", + "type": "linux", + "version": "11 (bullseye)", + "platform": "debian" + }, + "containerized": false, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "event": { + "duration": 59712159075, + "agent_id_status": "verified", + "ingested": "2024-07-01T10:49:51Z", + "kind": "event", + "start": "2024-07-01T10:48:41.388Z", + "action": "network_flow", + "end": "2024-07-01T10:49:41.100Z", + "category": [ + "network" + ], + "type": [ + "connection" + ], + "dataset": "endace.flow" + }, + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAEKZAAdIlkMDHiwuwE" + }, + "_conf": { + "geoip_enrich": true, + "event": { + "start": 1719827321, + "end": 1719827381 + }, + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "type": "packetbeat", + "ephemeral_id": 
"20132874-04f9-4a32-8b53-050f938d1f31", + "version": "8.9.1" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "destination": { + "geo": { + "region_iso_code": "GB-ENG", + "continent_name": "Europe", + "city_name": "London", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lon": -0.093, + "lat": 51.5088 + }, + "region_name": "England" + }, + "as": { + "number": 396982, + "organization": { + "name": "GOOGLE-CLOUD-PLATFORM" + } + }, + "port": 443, + "bytes": 5471, + "ip": "81.2.69.144", + "packets": 20 + }, + "source": { + "port": 56928, + "bytes": 23897, + "ip": "10.100.0.29", + "packets": 21 + }, + "type": "flow", + "network": { + "community_id": "1:JimQNreW+sYThnNGTVx+lyRdLbo=", + "bytes": 29368, + "transport": "tcp", + "type": "ipv4", + "packets": 41 + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "test-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": "2024-07-01T10:49:50.000Z", + "ecs": { + "version": "8.11.0" + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "endace.flow" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "family": "debian", + "type": "linux", + "version": "11 (bullseye)", + "platform": "debian" + }, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "containerized": false, + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "event": { + "duration": 66879956683, + "agent_id_status": "verified", + "ingested": "2024-07-01T10:49:51Z", + 
"kind": "event", + "start": "2024-07-01T10:48:41.388Z", + "action": "network_flow", + "end": "2024-07-01T10:49:48.268Z", + "category": [ + "network" + ], + "type": [ + "connection" + ], + "dataset": "endace.flow" + }, + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAEKZAAdIlkMDGDeuwE" + }, + "_conf": { + "geoip_enrich": true, + "event": { + "start": 1719827321, + "end": 1719827388 + }, + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "type": "packetbeat", + "version": "8.9.1" + }, + "destination": { + "geo": { + "region_iso_code": "GB-ENG", + "continent_name": "Europe", + "city_name": "London", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lon": -0.093, + "lat": 51.5088 + }, + "region_name": "England" + }, + "as": { + "number": 396982, + "organization": { + "name": "GOOGLE-CLOUD-PLATFORM" + } + }, + "port": 443, + "bytes": 12588, + "ip": "81.2.69.144", + "packets": 45 + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "source": { + "port": 49588, + "bytes": 182639, + "ip": "10.100.0.29", + "packets": 82 + }, + "type": "flow", + "network": { + "community_id": "1:nQ4W/+0XInOvc8X+dZywhVnJMxg=", + "bytes": 195227, + "transport": "tcp", + "type": "ipv4", + "packets": 127 + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "test-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": 
"2024-07-01T10:49:50.000Z", + "ecs": { + "version": "8.11.0" + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "endace.flow" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "11 (bullseye)", + "platform": "debian" + }, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "containerized": false, + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "event": { + "duration": 67392032290, + "agent_id_status": "verified", + "ingested": "2024-07-01T10:49:51Z", + "kind": "event", + "start": "2024-07-01T10:48:41.900Z", + "action": "network_flow", + "end": "2024-07-01T10:49:49.292Z", + "category": [ + "network" + ], + "type": [ + "connection" + ], + "dataset": "endace.flow" + }, + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAEKZAAdIlkMDLTBuwE" + }, + "_conf": { + "geoip_enrich": true, + "event": { + "start": 1719827321, + "end": 1719827389 + }, + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "type": "packetbeat", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "version": "8.9.1" + }, + "destination": { + "port": 6791, + "bytes": 6833, + "ip": "127.0.0.1", + "packets": 7 + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "source": { + "port": 39856, + "bytes": 2310, + "ip": "127.0.0.1", + "packets": 14 + }, + "type": "flow", + "network": { + "community_id": "1:VFRc3lML+k0fLfF36gdrSCu5udg=", + "bytes": 9143, + "transport": "tcp", + "type": "ipv4", + "packets": 21 + }, + 
"cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "test-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": "2024-07-01T10:49:50.000Z", + "ecs": { + "version": "8.11.0" + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "endace.flow" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "11 (bullseye)", + "platform": "debian" + }, + "containerized": false, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "event": { + "duration": 59712056664, + "agent_id_status": "verified", + "ingested": "2024-07-01T10:49:51Z", + "kind": "event", + "start": "2024-07-01T10:48:42.412Z", + "action": "network_flow", + "end": "2024-07-01T10:49:42.124Z", + "type": [ + "connection" + ], + "category": [ + "network" + ], + "dataset": "endace.flow" + }, + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAF/AAABfwAAAYcasJs" + }, + "_conf": { + "geoip_enrich": true, + "event": { + "start": 1719827322, + "end": 1719827382 + }, + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "type": "packetbeat", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "version": "8.9.1" + }, + "destination": { + "port": 80, + "bytes": 25278, + "ip": "169.254.169.254", + "packets": 5 
+ }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "source": { + "port": 47598, + "bytes": 452, + "ip": "10.100.0.29", + "packets": 4 + }, + "type": "flow", + "network": { + "community_id": "1:ZA5ezPNh0MumdIPxY03oJDcyLd8=", + "bytes": 25730, + "transport": "tcp", + "type": "ipv4", + "packets": 9 + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "test-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": "2024-07-01T10:49:50.000Z", + "ecs": { + "version": "8.11.0" + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "endace.flow" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "family": "debian", + "type": "linux", + "version": "11 (bullseye)", + "platform": "debian" + }, + "containerized": false, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "event": { + "duration": 61759622403, + "agent_id_status": "verified", + "ingested": "2024-07-01T10:49:51Z", + "kind": "event", + "start": "2024-07-01T10:48:42.924Z", + "action": "network_flow", + "end": "2024-07-01T10:49:44.684Z", + "category": [ + "network" + ], + "type": [ + "connection" + ], + "dataset": "endace.flow" + }, + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAEKZAAdqf6p/u65UAA" + }, + "_conf": { + "geoip_enrich": true, + "event": { + "start": 1719827322, + "end": 1719827384 + }, + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": 
"trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "type": "packetbeat", + "version": "8.9.1" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "source": { + "port": 6789, + "bytes": 1108, + "ip": "127.0.0.1", + "packets": 14 + }, + "type": "flow", + "network": { + "community_id": "1:RCi572y4gqQ+7LFlqkPsn1Xfa+0=", + "bytes": 2425, + "transport": "tcp", + "type": "ipv4", + "packets": 26 + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "test-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": "2024-07-01T10:49:50.000Z", + "ecs": { + "version": "8.11.0" + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "endace.flow" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "family": "debian", + "type": "linux", + "version": "11 (bullseye)", + "platform": "debian" + }, + "containerized": false, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "event": { + "duration": 64831956254, + "agent_id_status": "verified", + "ingested": "2024-07-01T10:49:51Z", + "kind": "event", + "start": "2024-07-01T10:48:39.852Z", + "action": "network_flow", + "end": "2024-07-01T10:49:44.684Z", + "category": [ + "network" + ], + "type": [ + "connection" + ], + "dataset": "endace.flow" + }, + "flow": { 
+ "final": false, + "id": "EAT/////AP//////CP8AAAF/AAABfwAAAYUa4r4" + }, + "_conf": { + "event": { + "start": 1719827319, + "end": 1719827384 + }, + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "type": "packetbeat", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "version": "8.9.1" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "destination": { + "geo": { + "region_iso_code": "GB-ENG", + "continent_name": "Europe", + "city_name": "London", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lon": -0.093, + "lat": 51.5088 + }, + "region_name": "England" + }, + "as": { + "number": 396982, + "organization": { + "name": "GOOGLE-CLOUD-PLATFORM" + } + }, + "port": 443, + "bytes": 680, + "ip": "81.2.69.144", + "packets": 10 + }, + "type": "flow", + "network": { + "community_id": "1:TwdqE0w1aE72YUTaajguLj4qUns=", + "bytes": 5891, + "transport": "tcp", + "type": "ipv4", + "packets": 20 + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "test-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "machine": { + "type": "t2d-standard-1" + }, + "service": { + "name": "GCE" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": "2024-07-01T10:49:50.000Z", + "ecs": { + "version": "8.11.0" + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "endace.flow" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "family": "debian", + "type": "linux", + "version": "11 
(bullseye)", + "platform": "debian" + }, + "containerized": false, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "observer": { + "hostname": "webserver", + "mac": [ + "42-01-0A-64-00-1D" + ], + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ] + }, + "event": { + "duration": 60223908451, + "agent_id_status": "verified", + "ingested": "2024-07-01T10:49:51Z", + "kind": "event", + "start": "2024-07-01T10:48:39.852Z", + "action": "network_flow", + "end": "2024-07-01T10:49:40.076Z", + "category": [ + "network" + ], + "type": [ + "connection" + ], + "dataset": "endace.flow" + }, + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAEKZAAdIlkMDDLcuwE" + }, + "_conf": { + "map_to_ecs": true, + "geoip_enrich": true, + "event": { + "start": 1719827319, + "end": 1719827380 + }, + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "type": "packetbeat", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "version": "8.9.1" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "destination": { + "geo": { + "region_iso_code": "GB-ENG", + "continent_name": "Europe", + "city_name": "London", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lon": -0.093, + "lat": 51.5088 + }, + "region_name": "England" + }, + "as": { + "number": 396982, + "organization": { + "name": "GOOGLE-CLOUD-PLATFORM" + } + }, + "port": 443, + "bytes": 9672, + "ip": "81.2.69.144", + "packets": 45 + }, + "type": "flow", + "network": { + "community_id": "1:vX6oXjJfSEwPiJ0pwvMzUK719S8=", + "bytes": 557311, + 
"transport": "tcp", + "type": "ipv4", + "packets": 111 + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "test-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": "2024-07-01T10:49:50.000Z", + "ecs": { + "version": "8.11.0" + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "endace.flow" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "11 (bullseye)", + "platform": "debian" + }, + "containerized": false, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "event": { + "duration": 60736169344, + "agent_id_status": "verified", + "ingested": "2024-07-01T10:49:51Z", + "kind": "event", + "start": "2024-07-01T10:48:40.363Z", + "action": "network_flow", + "end": "2024-07-01T10:49:41.100Z", + "category": [ + "network" + ], + "type": [ + "connection" + ], + "dataset": "endace.flow" + }, + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAEKZAAdIlkMDMLquwE" + }, + "_conf": { + "geoip_enrich": true, + "event": { + "start": 1719827320, + "end": 1719827381 + }, + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "type": "packetbeat", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "version": "8.9.1" + }, + "elastic_agent": { + "id": 
"322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "destination": { + "geo": { + "region_iso_code": "GB-ENG", + "continent_name": "Europe", + "city_name": "London", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lon": -0.093, + "lat": 51.5088 + }, + "region_name": "England" + }, + "as": { + "number": 396982, + "organization": { + "name": "GOOGLE-CLOUD-PLATFORM" + } + }, + "port": 443, + "bytes": 1954, + "ip": "81.2.69.144", + "packets": 6 + }, + "type": "flow", + "network": { + "community_id": "1:rkJGR0qjRmD5vrCpbbdAiOnhiQM=", + "bytes": 9729, + "transport": "tcp", + "type": "ipv4", + "packets": 13 + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "test-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "machine": { + "type": "t2d-standard-1" + }, + "service": { + "name": "GCE" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": "2024-07-01T10:49:50.000Z", + "ecs": { + "version": "8.11.0" + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "endace.flow" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "family": "debian", + "type": "linux", + "version": "11 (bullseye)", + "platform": "debian" + }, + "containerized": false, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "event": { + "duration": 60735918914, + "agent_id_status": "verified", + "ingested": "2024-07-01T10:49:51Z", + "kind": "event", + "start": "2024-07-01T10:48:40.364Z", + "action": "network_flow", + "end": "2024-07-01T10:49:41.100Z", + "category": [ + "network" + ], + "type": [ + "connection" + ], + 
"dataset": "endace.flow" + }, + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAEKZAAdIlkMDJjauwE" + }, + "_conf": { + "geoip_enrich": true, + "event": { + "start": 1719827320, + "end": 1719827381 + }, + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "type": "packetbeat", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "version": "8.9.1" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "source": { + "port": 48904, + "bytes": 1479, + "ip": "127.0.0.1", + "packets": 12 + }, + "type": "flow", + "network": { + "community_id": "1:8z8pjOEt4+6YMtJjX7lUfpXgVgw=", + "bytes": 2655, + "transport": "tcp", + "type": "ipv4", + "packets": 27 + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "test-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": "2024-07-01T10:49:50.000Z", + "ecs": { + "version": "8.11.0" + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "endace.flow" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "family": "debian", + "type": "linux", + "version": "11 (bullseye)", + "platform": "debian" + }, + "containerized": false, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "event": { + 
"duration": 65343896149, + "agent_id_status": "verified", + "ingested": "2024-07-01T10:49:51Z", + "kind": "event", + "start": "2024-07-01T10:48:40.364Z", + "action": "network_flow", + "end": "2024-07-01T10:49:45.708Z", + "category": [ + "network" + ], + "type": [ + "connection" + ], + "dataset": "endace.flow" + }, + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAF/AAABfwAAAQi/hRo" + }, + "_conf": { + "geoip_enrich": true, + "event": { + "start": 1719827320, + "end": 1719827385 + }, + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "type": "packetbeat", + "version": "8.9.1" + }, + "destination": { + "geo": { + "region_iso_code": "GB-ENG", + "continent_name": "Europe", + "city_name": "London", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lon": -0.093, + "lat": 51.5088 + }, + "region_name": "England" + }, + "as": { + "number": 396982, + "organization": { + "name": "GOOGLE-CLOUD-PLATFORM" + } + }, + "port": 443, + "bytes": 7821, + "ip": "81.2.69.144", + "packets": 30 + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "type": "flow", + "network": { + "community_id": "1:rDoUGTpaonfSKgfFy8xvyps5opI=", + "bytes": 340814, + "transport": "tcp", + "type": "ipv4", + "packets": 79 + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "test-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": 
"2024-07-01T10:49:50.000Z", + "ecs": { + "version": "8.11.0" + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "endace.flow" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "family": "debian", + "type": "linux", + "version": "11 (bullseye)", + "platform": "debian" + }, + "containerized": false, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "event": { + "duration": 59712159075, + "agent_id_status": "verified", + "ingested": "2024-07-01T10:49:51Z", + "kind": "event", + "start": "2024-07-01T10:48:41.388Z", + "action": "network_flow", + "end": "2024-07-01T10:49:41.100Z", + "category": [ + "network" + ], + "type": [ + "connection" + ], + "dataset": "endace.flow" + }, + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAEKZAAdIlkMDHiwuwE" + }, + "_conf": { + "geoip_enrich": true, + "event": { + "start": 1719827321, + "end": 1719827381 + }, + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "type": "packetbeat", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "version": "8.9.1" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "destination": { + "geo": { + "region_iso_code": "GB-ENG", + "continent_name": "Europe", + "city_name": "London", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lon": -0.093, + "lat": 51.5088 + }, + "region_name": "England" + }, + "as": { + "number": 396982, + "organization": { + "name": "GOOGLE-CLOUD-PLATFORM" + } 
+ }, + "port": 443, + "bytes": 5471, + "ip": "81.2.69.144", + "packets": 20 + }, + "type": "flow", + "network": { + "community_id": "1:JimQNreW+sYThnNGTVx+lyRdLbo=", + "bytes": 29368, + "transport": "tcp", + "type": "ipv4", + "packets": 41 + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "test-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": "2024-07-01T10:49:50.000Z", + "ecs": { + "version": "8.11.0" + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "endace.flow" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "family": "debian", + "type": "linux", + "version": "11 (bullseye)", + "platform": "debian" + }, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "containerized": false, + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "event": { + "duration": 66879956683, + "agent_id_status": "verified", + "ingested": "2024-07-01T10:49:51Z", + "kind": "event", + "start": "2024-07-01T10:48:41.388Z", + "action": "network_flow", + "end": "2024-07-01T10:49:48.268Z", + "category": [ + "network" + ], + "type": [ + "connection" + ], + "dataset": "endace.flow" + }, + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAEKZAAdIlkMDGDeuwE" + }, + "_conf": { + "geoip_enrich": true, + "event": { + "start": 1719827321, + "end": 1719827388 + }, + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "agent": { + "name": "webserver", + 
"id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "type": "packetbeat", + "version": "8.9.1" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "source": { + "port": 49588, + "bytes": 182639, + "ip": "10.100.0.29", + "packets": 82 + }, + "type": "flow", + "network": { + "community_id": "1:nQ4W/+0XInOvc8X+dZywhVnJMxg=", + "bytes": 195227, + "transport": "tcp", + "type": "ipv4", + "packets": 127 + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "test-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": "2024-07-01T10:49:50.000Z", + "ecs": { + "version": "8.11.0" + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "endace.flow" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "11 (bullseye)", + "platform": "debian" + }, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "containerized": false, + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "event": { + "duration": 67392032290, + "agent_id_status": "verified", + "ingested": "2024-07-01T10:49:51Z", + "kind": "event", + "start": "2024-07-01T10:48:41.900Z", + "action": "network_flow", + "end": "2024-07-01T10:49:49.292Z", + "category": [ + "network" + ], + "type": [ + "connection" + ], + "dataset": "endace.flow" + }, + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAEKZAAdIlkMDLTBuwE" + }, + "_conf": { + "geoip_enrich": true, + "event": 
{ + "start": 1719827321, + "end": 1719827389 + }, + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "type": "packetbeat", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "version": "8.9.1" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "source": { + "port": 39856, + "bytes": 2310, + "ip": "127.0.0.1", + "packets": 14 + }, + "type": "flow", + "network": { + "community_id": "1:VFRc3lML+k0fLfF36gdrSCu5udg=", + "bytes": 9143, + "transport": "tcp", + "type": "ipv4", + "packets": 21 + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "test-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": "2024-07-01T10:49:50.000Z", + "ecs": { + "version": "8.11.0" + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "endace.flow" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "11 (bullseye)", + "platform": "debian" + }, + "containerized": false, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "event": { + "duration": 59712056664, + "agent_id_status": "verified", + "ingested": "2024-07-01T10:49:51Z", + "kind": "event", + "start": "2024-07-01T10:48:42.412Z", + "action": 
"network_flow", + "end": "2024-07-01T10:49:42.124Z", + "type": [ + "connection" + ], + "category": [ + "network" + ], + "dataset": "endace.flow" + }, + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAF/AAABfwAAAYcasJs" + }, + "_conf": { + "geoip_enrich": true, + "event": { + "start": 1719827322, + "end": 1719827382 + }, + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "type": "packetbeat", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "version": "8.9.1" + }, + "destination": { + "port": 80, + "bytes": 25278, + "ip": "169.254.169.254", + "packets": 5 + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "type": "flow", + "network": { + "community_id": "1:ZA5ezPNh0MumdIPxY03oJDcyLd8=", + "bytes": 25730, + "transport": "tcp", + "type": "ipv4", + "packets": 9 + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "test-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": "2024-07-01T10:49:50.000Z", + "ecs": { + "version": "8.11.0" + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "endace.flow" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "family": "debian", + "type": "linux", + "version": "11 (bullseye)", + "platform": "debian" + }, + "containerized": false, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "name": "webserver", + "id": 
"28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "event": { + "duration": 61759622403, + "agent_id_status": "verified", + "ingested": "2024-07-01T10:49:51Z", + "kind": "event", + "start": "2024-07-01T10:48:42.924Z", + "action": "network_flow", + "end": "2024-07-01T10:49:44.684Z", + "category": [ + "network" + ], + "type": [ + "connection" + ], + "dataset": "endace.flow" + }, + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAEKZAAdqf6p/u65UAA" + }, + "_conf": { + "geoip_enrich": true, + "event": { + "start": 1719827322, + "end": 1719827384 + }, + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + } + ] +} \ No newline at end of file diff --git a/packages/endace/data_stream/flow/_dev/test/pipeline/test-flow-events.json-expected.json b/packages/endace/data_stream/flow/_dev/test/pipeline/test-flow-events.json-expected.json new file mode 100644 index 00000000000..d237ef69fa7 --- /dev/null +++ b/packages/endace/data_stream/flow/_dev/test/pipeline/test-flow-events.json-expected.json 
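Review bot: The first and last events in this input fixture carry the same `flow.id` (`EAT/////AP//////CP8AAAEKZAAdqf6p/u65UAA`), the same `community_id` (`1:ZA5ezPNh0MumdIPxY03oJDcyLd8=`) and the same `event.duration` (61759622403), one with only a `source` block and the other with only a `destination` block; if this is meant to exercise a flow split across two documents it should be documented, otherwise one of them looks like an accidental duplicate. The `_conf` blocks also vary per event (the first sets `geoip_enrich: true`, the second has no `geoip_enrich` key at all, the third sets both `map_to_ecs: true` and `geoip_enrich: true`), which is useful branch coverage but nothing states which branch each event is there to test; a short note in the data stream's test documentation would make the expected file much easier to review. Two smaller points: `_conf.event.start` and `_conf.event.end` are consistently 3600 s earlier than the event's own `event.start`/`event.end` (for example 1719827319 against 2024-07-01T10:48:39.852Z, which is 1719830919), which hints at a local-time conversion when the fixture was generated, and the file is missing its trailing newline ("\ No newline at end of file").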
@@ -0,0 +1,2340 @@ +{ + "expected": [ + { + "@timestamp": "2024-07-01T10:49:50.000Z", + "agent": { + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "name": "webserver", + "type": "packetbeat", + "version": "8.9.1" + }, + "cloud": { + "account": { + "id": "elastic-sa" + }, + "availability_zone": "europe-west2-c", + "instance": { + "id": "5975790316485631173", + "name": "test-security-demo-websever" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "provider": "gcp", + "region": "europe-west2", + "service": { + "name": "GCE" + } + }, + "data_stream": { + "dataset": "endace.flow", + "namespace": "webserver", + "type": "logs" + }, + "destination": { + "bytes": 1317, + "ip": "127.0.0.1", + "packets": 12, + "port": 48866 + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "snapshot": false, + "version": "8.9.1" + }, + "event": { + "action": "network_flow", + "agent_id_status": "verified", + "category": [ + "network" + ], + "dataset": "endace.flow", + "duration": 64831956254, + "end": "2024-07-01T10:49:44.684Z", + "ingested": "2024-07-01T10:49:51Z", + "kind": "event", + "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1719830619852&end=1719831284684&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip_conv=127.0.0.1%26127.0.0.1", + "start": "2024-07-01T10:48:39.852Z", + "type": [ + "connection" + ] + }, + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAF/AAABfwAAAYUa4r4" + }, + "host": { + "architecture": "x86_64", + "containerized": false, + "hostname": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "mac": [ + "42-01-0A-64-00-1D" + ], + "name": "webserver", + "os": { + "codename": "bullseye", + "family": "debian", + "kernel": "5.10.0-27-cloud-amd64", + 
"name": "Debian GNU/Linux", + "platform": "debian", + "type": "linux", + "version": "11 (bullseye)" + } + }, + "network": { + "bytes": 2425, + "community_id": "1:RCi572y4gqQ+7LFlqkPsn1Xfa+0=", + "packets": 26, + "transport": "tcp", + "type": "ipv4" + }, + "source": { + "bytes": 1108, + "ip": "127.0.0.1", + "packets": 14, + "port": 6789 + }, + "type": "flow" + }, + { + "@timestamp": "2024-07-01T10:49:50.000Z", + "agent": { + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "name": "webserver", + "type": "packetbeat", + "version": "8.9.1" + }, + "cloud": { + "account": { + "id": "elastic-sa" + }, + "availability_zone": "europe-west2-c", + "instance": { + "id": "5975790316485631173", + "name": "test-security-demo-websever" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "provider": "gcp", + "region": "europe-west2", + "service": { + "name": "GCE" + } + }, + "data_stream": { + "dataset": "endace.flow", + "namespace": "webserver", + "type": "logs" + }, + "destination": { + "as": { + "number": 396982, + "organization": { + "name": "GOOGLE-CLOUD-PLATFORM" + } + }, + "bytes": 680, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144", + "packets": 10, + "port": 443 + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "snapshot": false, + "version": "8.9.1" + }, + "event": { + "action": "network_flow", + "agent_id_status": "verified", + "category": [ + "network" + ], + "duration": 60223908451, + "end": "2024-07-01T10:49:40.076Z", + "ingested": "2024-07-01T10:49:51Z", + "kind": "event", + "reference": 
"https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1719830619852&end=1719831280076&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip_conv=10.100.0.29%2681.2.69.144", + "start": "2024-07-01T10:48:39.852Z", + "type": [ + "connection" + ] + }, + "host": { + "architecture": "x86_64", + "containerized": false, + "hostname": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "mac": [ + "42-01-0A-64-00-1D" + ], + "name": "webserver", + "os": { + "codename": "bullseye", + "family": "debian", + "kernel": "5.10.0-27-cloud-amd64", + "name": "Debian GNU/Linux", + "platform": "debian", + "type": "linux", + "version": "11 (bullseye)" + } + }, + "network": { + "bytes": 5891, + "community_id": "1:TwdqE0w1aE72YUTaajguLj4qUns=", + "packets": 20, + "transport": "tcp", + "type": "ipv4" + }, + "network_traffic": { + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAEKZAAdIlkMDDLcuwE" + } + }, + "observer": { + "hostname": "webserver", + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "mac": [ + "42-01-0A-64-00-1D" + ] + }, + "related": { + "hosts": [ + "webserver" + ], + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ] + }, + "source": { + "bytes": 5211, + "ip": "10.100.0.29", + "packets": 10, + "port": 56370 + } + }, + { + "@timestamp": "2024-07-01T10:49:50.000Z", + "agent": { + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "name": "webserver", + "type": "packetbeat", + "version": "8.9.1" + }, + "cloud": { + "account": { + "id": "elastic-sa" + }, + "availability_zone": "europe-west2-c", + "instance": { + "id": "5975790316485631173", + "name": "test-security-demo-websever" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "provider": "gcp", + "region": "europe-west2", + "service": { + "name": "GCE" + } + }, + "data_stream": { + 
"dataset": "endace.flow", + "namespace": "webserver", + "type": "logs" + }, + "destination": { + "as": { + "number": 396982, + "organization": { + "name": "GOOGLE-CLOUD-PLATFORM" + } + }, + "bytes": 9672, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144", + "packets": 45, + "port": 443 + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "snapshot": false, + "version": "8.9.1" + }, + "event": { + "action": "network_flow", + "agent_id_status": "verified", + "category": [ + "network" + ], + "dataset": "endace.flow", + "duration": 60736169344, + "end": "2024-07-01T10:49:41.100Z", + "ingested": "2024-07-01T10:49:51Z", + "kind": "event", + "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1719830620363&end=1719831281100&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip_conv=10.100.0.29%2681.2.69.144", + "start": "2024-07-01T10:48:40.363Z", + "type": [ + "connection" + ] + }, + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAEKZAAdIlkMDMLquwE" + }, + "host": { + "architecture": "x86_64", + "containerized": false, + "hostname": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "mac": [ + "42-01-0A-64-00-1D" + ], + "name": "webserver", + "os": { + "codename": "bullseye", + "family": "debian", + "kernel": "5.10.0-27-cloud-amd64", + "name": "Debian GNU/Linux", + "platform": "debian", + "type": "linux", + "version": "11 (bullseye)" + } + }, + "network": { + "bytes": 557311, + "community_id": "1:vX6oXjJfSEwPiJ0pwvMzUK719S8=", + "packets": 111, + "transport": "tcp", + "type": "ipv4" + }, + "source": { + "bytes": 547639, + "ip": "10.100.0.29", + 
"packets": 66, + "port": 60098 + }, + "type": "flow" + }, + { + "@timestamp": "2024-07-01T10:49:50.000Z", + "agent": { + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "name": "webserver", + "type": "packetbeat", + "version": "8.9.1" + }, + "cloud": { + "account": { + "id": "elastic-sa" + }, + "availability_zone": "europe-west2-c", + "instance": { + "id": "5975790316485631173", + "name": "test-security-demo-websever" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "provider": "gcp", + "region": "europe-west2", + "service": { + "name": "GCE" + } + }, + "data_stream": { + "dataset": "endace.flow", + "namespace": "webserver", + "type": "logs" + }, + "destination": { + "as": { + "number": 396982, + "organization": { + "name": "GOOGLE-CLOUD-PLATFORM" + } + }, + "bytes": 1954, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144", + "packets": 6, + "port": 443 + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "snapshot": false, + "version": "8.9.1" + }, + "event": { + "action": "network_flow", + "agent_id_status": "verified", + "category": [ + "network" + ], + "dataset": "endace.flow", + "duration": 60735918914, + "end": "2024-07-01T10:49:41.100Z", + "ingested": "2024-07-01T10:49:51Z", + "kind": "event", + "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1719830620364&end=1719831281100&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip_conv=10.100.0.29%2681.2.69.144", + "start": "2024-07-01T10:48:40.364Z", + "type": [ + "connection" + ] + }, + "flow": { + "final": false, + "id": 
"EAT/////AP//////CP8AAAEKZAAdIlkMDJjauwE" + }, + "host": { + "architecture": "x86_64", + "containerized": false, + "hostname": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "mac": [ + "42-01-0A-64-00-1D" + ], + "name": "webserver", + "os": { + "codename": "bullseye", + "family": "debian", + "kernel": "5.10.0-27-cloud-amd64", + "name": "Debian GNU/Linux", + "platform": "debian", + "type": "linux", + "version": "11 (bullseye)" + } + }, + "network": { + "bytes": 9729, + "community_id": "1:rkJGR0qjRmD5vrCpbbdAiOnhiQM=", + "packets": 13, + "transport": "tcp", + "type": "ipv4" + }, + "source": { + "bytes": 7775, + "ip": "10.100.0.29", + "packets": 7, + "port": 55960 + }, + "type": "flow" + }, + { + "@timestamp": "2024-07-01T10:49:50.000Z", + "agent": { + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "name": "webserver", + "type": "packetbeat", + "version": "8.9.1" + }, + "cloud": { + "account": { + "id": "elastic-sa" + }, + "availability_zone": "europe-west2-c", + "instance": { + "id": "5975790316485631173", + "name": "test-security-demo-websever" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "provider": "gcp", + "region": "europe-west2", + "service": { + "name": "GCE" + } + }, + "data_stream": { + "dataset": "endace.flow", + "namespace": "webserver", + "type": "logs" + }, + "destination": { + "bytes": 1176, + "ip": "127.0.0.1", + "packets": 15, + "port": 6789 + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "snapshot": false, + "version": "8.9.1" + }, + "event": { + "action": "network_flow", + "agent_id_status": "verified", + "category": [ + "network" + ], + "dataset": "endace.flow", + "duration": 65343896149, + "end": "2024-07-01T10:49:45.708Z", + "ingested": "2024-07-01T10:49:51Z", + "kind": "event", + "reference": 
"https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1719830620364&end=1719831285708&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip_conv=127.0.0.1%26127.0.0.1", + "start": "2024-07-01T10:48:40.364Z", + "type": [ + "connection" + ] + }, + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAF/AAABfwAAAQi/hRo" + }, + "host": { + "architecture": "x86_64", + "containerized": false, + "hostname": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "mac": [ + "42-01-0A-64-00-1D" + ], + "name": "webserver", + "os": { + "codename": "bullseye", + "family": "debian", + "kernel": "5.10.0-27-cloud-amd64", + "name": "Debian GNU/Linux", + "platform": "debian", + "type": "linux", + "version": "11 (bullseye)" + } + }, + "network": { + "bytes": 2655, + "community_id": "1:8z8pjOEt4+6YMtJjX7lUfpXgVgw=", + "packets": 27, + "transport": "tcp", + "type": "ipv4" + }, + "source": { + "bytes": 1479, + "ip": "127.0.0.1", + "packets": 12, + "port": 48904 + }, + "type": "flow" + }, + { + "@timestamp": "2024-07-01T10:49:50.000Z", + "agent": { + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "name": "webserver", + "type": "packetbeat", + "version": "8.9.1" + }, + "cloud": { + "account": { + "id": "elastic-sa" + }, + "availability_zone": "europe-west2-c", + "instance": { + "id": "5975790316485631173", + "name": "test-security-demo-websever" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "provider": "gcp", + "region": "europe-west2", + "service": { + "name": "GCE" + } + }, + "data_stream": { + "dataset": "endace.flow", + "namespace": "webserver", + "type": "logs" + }, + "destination": { + "as": { + "number": 396982, + "organization": { + "name": "GOOGLE-CLOUD-PLATFORM" + } + }, + "bytes": 7821, + "geo": { + "city_name": "London", + "continent_name": 
"Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144", + "packets": 30, + "port": 443 + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "snapshot": false, + "version": "8.9.1" + }, + "event": { + "action": "network_flow", + "agent_id_status": "verified", + "category": [ + "network" + ], + "dataset": "endace.flow", + "duration": 59712159075, + "end": "2024-07-01T10:49:41.100Z", + "ingested": "2024-07-01T10:49:51Z", + "kind": "event", + "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1719830621388&end=1719831281100&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip_conv=10.100.0.29%2681.2.69.144", + "start": "2024-07-01T10:48:41.388Z", + "type": [ + "connection" + ] + }, + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAEKZAAdIlkMDHiwuwE" + }, + "host": { + "architecture": "x86_64", + "containerized": false, + "hostname": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "mac": [ + "42-01-0A-64-00-1D" + ], + "name": "webserver", + "os": { + "codename": "bullseye", + "family": "debian", + "kernel": "5.10.0-27-cloud-amd64", + "name": "Debian GNU/Linux", + "platform": "debian", + "type": "linux", + "version": "11 (bullseye)" + } + }, + "network": { + "bytes": 340814, + "community_id": "1:rDoUGTpaonfSKgfFy8xvyps5opI=", + "packets": 79, + "transport": "tcp", + "type": "ipv4" + }, + "source": { + "bytes": 332993, + "ip": "10.100.0.29", + "packets": 49, + "port": 45176 + }, + "type": "flow" + }, + { + "@timestamp": "2024-07-01T10:49:50.000Z", + "agent": { + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "name": "webserver", + "type": 
"packetbeat", + "version": "8.9.1" + }, + "cloud": { + "account": { + "id": "elastic-sa" + }, + "availability_zone": "europe-west2-c", + "instance": { + "id": "5975790316485631173", + "name": "test-security-demo-websever" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "provider": "gcp", + "region": "europe-west2", + "service": { + "name": "GCE" + } + }, + "data_stream": { + "dataset": "endace.flow", + "namespace": "webserver", + "type": "logs" + }, + "destination": { + "as": { + "number": 396982, + "organization": { + "name": "GOOGLE-CLOUD-PLATFORM" + } + }, + "bytes": 5471, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144", + "packets": 20, + "port": 443 + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "snapshot": false, + "version": "8.9.1" + }, + "event": { + "action": "network_flow", + "agent_id_status": "verified", + "category": [ + "network" + ], + "dataset": "endace.flow", + "duration": 66879956683, + "end": "2024-07-01T10:49:48.268Z", + "ingested": "2024-07-01T10:49:51Z", + "kind": "event", + "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1719830621388&end=1719831288268&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip_conv=10.100.0.29%2681.2.69.144", + "start": "2024-07-01T10:48:41.388Z", + "type": [ + "connection" + ] + }, + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAEKZAAdIlkMDGDeuwE" + }, + "host": { + "architecture": "x86_64", + "containerized": false, + "hostname": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "mac": [ + "42-01-0A-64-00-1D" + ], + "name": 
"webserver", + "os": { + "codename": "bullseye", + "family": "debian", + "kernel": "5.10.0-27-cloud-amd64", + "name": "Debian GNU/Linux", + "platform": "debian", + "type": "linux", + "version": "11 (bullseye)" + } + }, + "network": { + "bytes": 29368, + "community_id": "1:JimQNreW+sYThnNGTVx+lyRdLbo=", + "packets": 41, + "transport": "tcp", + "type": "ipv4" + }, + "source": { + "bytes": 23897, + "ip": "10.100.0.29", + "packets": 21, + "port": 56928 + }, + "type": "flow" + }, + { + "@timestamp": "2024-07-01T10:49:50.000Z", + "agent": { + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "name": "webserver", + "type": "packetbeat", + "version": "8.9.1" + }, + "cloud": { + "account": { + "id": "elastic-sa" + }, + "availability_zone": "europe-west2-c", + "instance": { + "id": "5975790316485631173", + "name": "test-security-demo-websever" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "provider": "gcp", + "region": "europe-west2", + "service": { + "name": "GCE" + } + }, + "data_stream": { + "dataset": "endace.flow", + "namespace": "webserver", + "type": "logs" + }, + "destination": { + "as": { + "number": 396982, + "organization": { + "name": "GOOGLE-CLOUD-PLATFORM" + } + }, + "bytes": 12588, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144", + "packets": 45, + "port": 443 + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "snapshot": false, + "version": "8.9.1" + }, + "event": { + "action": "network_flow", + "agent_id_status": "verified", + "category": [ + "network" + ], + "dataset": "endace.flow", + "duration": 67392032290, + "end": "2024-07-01T10:49:49.292Z", + "ingested": 
"2024-07-01T10:49:51Z", + "kind": "event", + "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1719830621900&end=1719831289292&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip_conv=10.100.0.29%2681.2.69.144", + "start": "2024-07-01T10:48:41.900Z", + "type": [ + "connection" + ] + }, + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAEKZAAdIlkMDLTBuwE" + }, + "host": { + "architecture": "x86_64", + "containerized": false, + "hostname": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "mac": [ + "42-01-0A-64-00-1D" + ], + "name": "webserver", + "os": { + "codename": "bullseye", + "family": "debian", + "kernel": "5.10.0-27-cloud-amd64", + "name": "Debian GNU/Linux", + "platform": "debian", + "type": "linux", + "version": "11 (bullseye)" + } + }, + "network": { + "bytes": 195227, + "community_id": "1:nQ4W/+0XInOvc8X+dZywhVnJMxg=", + "packets": 127, + "transport": "tcp", + "type": "ipv4" + }, + "source": { + "bytes": 182639, + "ip": "10.100.0.29", + "packets": 82, + "port": 49588 + }, + "type": "flow" + }, + { + "@timestamp": "2024-07-01T10:49:50.000Z", + "agent": { + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "name": "webserver", + "type": "packetbeat", + "version": "8.9.1" + }, + "cloud": { + "account": { + "id": "elastic-sa" + }, + "availability_zone": "europe-west2-c", + "instance": { + "id": "5975790316485631173", + "name": "test-security-demo-websever" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "provider": "gcp", + "region": "europe-west2", + "service": { + "name": "GCE" + } + }, + "data_stream": { + "dataset": "endace.flow", + "namespace": "webserver", + "type": "logs" + }, + "destination": { + "bytes": 6833, + "ip": "127.0.0.1", + "packets": 7, + "port": 6791 + }, + "ecs": { + "version": 
"8.11.0" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "snapshot": false, + "version": "8.9.1" + }, + "event": { + "action": "network_flow", + "agent_id_status": "verified", + "category": [ + "network" + ], + "dataset": "endace.flow", + "duration": 59712056664, + "end": "2024-07-01T10:49:42.124Z", + "ingested": "2024-07-01T10:49:51Z", + "kind": "event", + "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1719830622412&end=1719831282124&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip_conv=127.0.0.1%26127.0.0.1", + "start": "2024-07-01T10:48:42.412Z", + "type": [ + "connection" + ] + }, + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAF/AAABfwAAAYcasJs" + }, + "host": { + "architecture": "x86_64", + "containerized": false, + "hostname": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "mac": [ + "42-01-0A-64-00-1D" + ], + "name": "webserver", + "os": { + "codename": "bullseye", + "family": "debian", + "kernel": "5.10.0-27-cloud-amd64", + "name": "Debian GNU/Linux", + "platform": "debian", + "type": "linux", + "version": "11 (bullseye)" + } + }, + "network": { + "bytes": 9143, + "community_id": "1:VFRc3lML+k0fLfF36gdrSCu5udg=", + "packets": 21, + "transport": "tcp", + "type": "ipv4" + }, + "source": { + "bytes": 2310, + "ip": "127.0.0.1", + "packets": 14, + "port": 39856 + }, + "type": "flow" + }, + { + "@timestamp": "2024-07-01T10:49:50.000Z", + "agent": { + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "name": "webserver", + "type": "packetbeat", + "version": "8.9.1" + }, + "cloud": { + "account": { + "id": "elastic-sa" + }, + "availability_zone": "europe-west2-c", + "instance": { + "id": "5975790316485631173", + "name": "test-security-demo-websever" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + 
"id": "elastic-sa" + }, + "provider": "gcp", + "region": "europe-west2", + "service": { + "name": "GCE" + } + }, + "data_stream": { + "dataset": "endace.flow", + "namespace": "webserver", + "type": "logs" + }, + "destination": { + "bytes": 25278, + "ip": "169.254.169.254", + "packets": 5, + "port": 80 + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "snapshot": false, + "version": "8.9.1" + }, + "event": { + "action": "network_flow", + "agent_id_status": "verified", + "category": [ + "network" + ], + "dataset": "endace.flow", + "duration": 61759622403, + "end": "2024-07-01T10:49:44.684Z", + "ingested": "2024-07-01T10:49:51Z", + "kind": "event", + "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1719830622924&end=1719831284684&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip_conv=10.100.0.29%26169.254.169.254", + "start": "2024-07-01T10:48:42.924Z", + "type": [ + "connection" + ] + }, + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAEKZAAdqf6p/u65UAA" + }, + "host": { + "architecture": "x86_64", + "containerized": false, + "hostname": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "mac": [ + "42-01-0A-64-00-1D" + ], + "name": "webserver", + "os": { + "codename": "bullseye", + "family": "debian", + "kernel": "5.10.0-27-cloud-amd64", + "name": "Debian GNU/Linux", + "platform": "debian", + "type": "linux", + "version": "11 (bullseye)" + } + }, + "network": { + "bytes": 25730, + "community_id": "1:ZA5ezPNh0MumdIPxY03oJDcyLd8=", + "packets": 9, + "transport": "tcp", + "type": "ipv4" + }, + "source": { + "bytes": 452, + "ip": "10.100.0.29", + "packets": 4, + "port": 47598 + }, + "type": "flow" + }, + { + "@timestamp": "2024-07-01T10:49:50.000Z", + "agent": { + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "id": 
"322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "name": "webserver", + "type": "packetbeat", + "version": "8.9.1" + }, + "cloud": { + "account": { + "id": "elastic-sa" + }, + "availability_zone": "europe-west2-c", + "instance": { + "id": "5975790316485631173", + "name": "test-security-demo-websever" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "provider": "gcp", + "region": "europe-west2", + "service": { + "name": "GCE" + } + }, + "data_stream": { + "dataset": "endace.flow", + "namespace": "webserver", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "snapshot": false, + "version": "8.9.1" + }, + "event": { + "action": "network_flow", + "agent_id_status": "verified", + "category": [ + "network" + ], + "dataset": "endace.flow", + "duration": 64831956254, + "end": "2024-07-01T10:49:44.684Z", + "ingested": "2024-07-01T10:49:51Z", + "kind": "event", + "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1719830619852&end=1719831284684&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip=127.0.0.1", + "start": "2024-07-01T10:48:39.852Z", + "type": [ + "connection" + ] + }, + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAF/AAABfwAAAYUa4r4" + }, + "host": { + "architecture": "x86_64", + "containerized": false, + "hostname": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "mac": [ + "42-01-0A-64-00-1D" + ], + "name": "webserver", + "os": { + "codename": "bullseye", + "family": "debian", + "kernel": "5.10.0-27-cloud-amd64", + "name": "Debian GNU/Linux", + "platform": "debian", + "type": "linux", + "version": "11 (bullseye)" + } + }, + "network": { + "bytes": 2425, + "community_id": "1:RCi572y4gqQ+7LFlqkPsn1Xfa+0=", + "packets": 26, + "transport": "tcp", + "type": "ipv4" + }, + "source": { + "bytes": 
1108, + "ip": "127.0.0.1", + "packets": 14, + "port": 6789 + }, + "type": "flow" + }, + { + "@timestamp": "2024-07-01T10:49:50.000Z", + "agent": { + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "name": "webserver", + "type": "packetbeat", + "version": "8.9.1" + }, + "cloud": { + "account": { + "id": "elastic-sa" + }, + "availability_zone": "europe-west2-c", + "instance": { + "id": "5975790316485631173", + "name": "test-security-demo-websever" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "provider": "gcp", + "region": "europe-west2", + "service": { + "name": "GCE" + } + }, + "data_stream": { + "dataset": "endace.flow", + "namespace": "webserver", + "type": "logs" + }, + "destination": { + "as": { + "number": 396982, + "organization": { + "name": "GOOGLE-CLOUD-PLATFORM" + } + }, + "bytes": 680, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144", + "packets": 10, + "port": 443 + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "snapshot": false, + "version": "8.9.1" + }, + "event": { + "action": "network_flow", + "agent_id_status": "verified", + "category": [ + "network" + ], + "duration": 60223908451, + "end": "2024-07-01T10:49:40.076Z", + "ingested": "2024-07-01T10:49:51Z", + "kind": "event", + "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1719830619852&end=1719831280076&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip=81.2.69.144", + "start": "2024-07-01T10:48:39.852Z", + "type": [ + "connection" + ] + }, + "host": { + "architecture": "x86_64", + "containerized": false, + "hostname": "webserver", + 
"id": "28bd70940d6b4dd105977a2b386fc78d", + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "mac": [ + "42-01-0A-64-00-1D" + ], + "name": "webserver", + "os": { + "codename": "bullseye", + "family": "debian", + "kernel": "5.10.0-27-cloud-amd64", + "name": "Debian GNU/Linux", + "platform": "debian", + "type": "linux", + "version": "11 (bullseye)" + } + }, + "network": { + "bytes": 5891, + "community_id": "1:TwdqE0w1aE72YUTaajguLj4qUns=", + "packets": 20, + "transport": "tcp", + "type": "ipv4" + }, + "network_traffic": { + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAEKZAAdIlkMDDLcuwE" + } + }, + "observer": { + "hostname": "webserver", + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "mac": [ + "42-01-0A-64-00-1D" + ] + }, + "related": { + "hosts": [ + "webserver" + ], + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ] + } + }, + { + "@timestamp": "2024-07-01T10:49:50.000Z", + "agent": { + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "name": "webserver", + "type": "packetbeat", + "version": "8.9.1" + }, + "cloud": { + "account": { + "id": "elastic-sa" + }, + "availability_zone": "europe-west2-c", + "instance": { + "id": "5975790316485631173", + "name": "test-security-demo-websever" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "provider": "gcp", + "region": "europe-west2", + "service": { + "name": "GCE" + } + }, + "data_stream": { + "dataset": "endace.flow", + "namespace": "webserver", + "type": "logs" + }, + "destination": { + "as": { + "number": 396982, + "organization": { + "name": "GOOGLE-CLOUD-PLATFORM" + } + }, + "bytes": 9672, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144", + "packets": 
45, + "port": 443 + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "snapshot": false, + "version": "8.9.1" + }, + "event": { + "action": "network_flow", + "agent_id_status": "verified", + "category": [ + "network" + ], + "dataset": "endace.flow", + "duration": 60736169344, + "end": "2024-07-01T10:49:41.100Z", + "ingested": "2024-07-01T10:49:51Z", + "kind": "event", + "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1719830620363&end=1719831281100&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip=81.2.69.144", + "start": "2024-07-01T10:48:40.363Z", + "type": [ + "connection" + ] + }, + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAEKZAAdIlkMDMLquwE" + }, + "host": { + "architecture": "x86_64", + "containerized": false, + "hostname": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "mac": [ + "42-01-0A-64-00-1D" + ], + "name": "webserver", + "os": { + "codename": "bullseye", + "family": "debian", + "kernel": "5.10.0-27-cloud-amd64", + "name": "Debian GNU/Linux", + "platform": "debian", + "type": "linux", + "version": "11 (bullseye)" + } + }, + "network": { + "bytes": 557311, + "community_id": "1:vX6oXjJfSEwPiJ0pwvMzUK719S8=", + "packets": 111, + "transport": "tcp", + "type": "ipv4" + }, + "type": "flow" + }, + { + "@timestamp": "2024-07-01T10:49:50.000Z", + "agent": { + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "name": "webserver", + "type": "packetbeat", + "version": "8.9.1" + }, + "cloud": { + "account": { + "id": "elastic-sa" + }, + "availability_zone": "europe-west2-c", + "instance": { + "id": "5975790316485631173", + "name": "test-security-demo-websever" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "provider": "gcp", + "region": 
"europe-west2", + "service": { + "name": "GCE" + } + }, + "data_stream": { + "dataset": "endace.flow", + "namespace": "webserver", + "type": "logs" + }, + "destination": { + "as": { + "number": 396982, + "organization": { + "name": "GOOGLE-CLOUD-PLATFORM" + } + }, + "bytes": 1954, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144", + "packets": 6, + "port": 443 + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "snapshot": false, + "version": "8.9.1" + }, + "event": { + "action": "network_flow", + "agent_id_status": "verified", + "category": [ + "network" + ], + "dataset": "endace.flow", + "duration": 60735918914, + "end": "2024-07-01T10:49:41.100Z", + "ingested": "2024-07-01T10:49:51Z", + "kind": "event", + "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1719830620364&end=1719831281100&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip=81.2.69.144", + "start": "2024-07-01T10:48:40.364Z", + "type": [ + "connection" + ] + }, + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAEKZAAdIlkMDJjauwE" + }, + "host": { + "architecture": "x86_64", + "containerized": false, + "hostname": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "mac": [ + "42-01-0A-64-00-1D" + ], + "name": "webserver", + "os": { + "codename": "bullseye", + "family": "debian", + "kernel": "5.10.0-27-cloud-amd64", + "name": "Debian GNU/Linux", + "platform": "debian", + "type": "linux", + "version": "11 (bullseye)" + } + }, + "network": { + "bytes": 9729, + "community_id": "1:rkJGR0qjRmD5vrCpbbdAiOnhiQM=", + "packets": 13, + "transport": "tcp", + "type": "ipv4" + }, + 
"type": "flow" + }, + { + "@timestamp": "2024-07-01T10:49:50.000Z", + "agent": { + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "name": "webserver", + "type": "packetbeat", + "version": "8.9.1" + }, + "cloud": { + "account": { + "id": "elastic-sa" + }, + "availability_zone": "europe-west2-c", + "instance": { + "id": "5975790316485631173", + "name": "test-security-demo-websever" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "provider": "gcp", + "region": "europe-west2", + "service": { + "name": "GCE" + } + }, + "data_stream": { + "dataset": "endace.flow", + "namespace": "webserver", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "snapshot": false, + "version": "8.9.1" + }, + "event": { + "action": "network_flow", + "agent_id_status": "verified", + "category": [ + "network" + ], + "dataset": "endace.flow", + "duration": 65343896149, + "end": "2024-07-01T10:49:45.708Z", + "ingested": "2024-07-01T10:49:51Z", + "kind": "event", + "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1719830620364&end=1719831285708&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip=127.0.0.1", + "start": "2024-07-01T10:48:40.364Z", + "type": [ + "connection" + ] + }, + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAF/AAABfwAAAQi/hRo" + }, + "host": { + "architecture": "x86_64", + "containerized": false, + "hostname": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "mac": [ + "42-01-0A-64-00-1D" + ], + "name": "webserver", + "os": { + "codename": "bullseye", + "family": "debian", + "kernel": "5.10.0-27-cloud-amd64", + "name": "Debian GNU/Linux", + "platform": "debian", + "type": "linux", + "version": "11 (bullseye)" + } + }, + "network": { + 
"bytes": 2655, + "community_id": "1:8z8pjOEt4+6YMtJjX7lUfpXgVgw=", + "packets": 27, + "transport": "tcp", + "type": "ipv4" + }, + "source": { + "bytes": 1479, + "ip": "127.0.0.1", + "packets": 12, + "port": 48904 + }, + "type": "flow" + }, + { + "@timestamp": "2024-07-01T10:49:50.000Z", + "agent": { + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "name": "webserver", + "type": "packetbeat", + "version": "8.9.1" + }, + "cloud": { + "account": { + "id": "elastic-sa" + }, + "availability_zone": "europe-west2-c", + "instance": { + "id": "5975790316485631173", + "name": "test-security-demo-websever" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "provider": "gcp", + "region": "europe-west2", + "service": { + "name": "GCE" + } + }, + "data_stream": { + "dataset": "endace.flow", + "namespace": "webserver", + "type": "logs" + }, + "destination": { + "as": { + "number": 396982, + "organization": { + "name": "GOOGLE-CLOUD-PLATFORM" + } + }, + "bytes": 7821, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144", + "packets": 30, + "port": 443 + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "snapshot": false, + "version": "8.9.1" + }, + "event": { + "action": "network_flow", + "agent_id_status": "verified", + "category": [ + "network" + ], + "dataset": "endace.flow", + "duration": 59712159075, + "end": "2024-07-01T10:49:41.100Z", + "ingested": "2024-07-01T10:49:51Z", + "kind": "event", + "reference": 
"https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1719830621388&end=1719831281100&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip=81.2.69.144", + "start": "2024-07-01T10:48:41.388Z", + "type": [ + "connection" + ] + }, + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAEKZAAdIlkMDHiwuwE" + }, + "host": { + "architecture": "x86_64", + "containerized": false, + "hostname": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "mac": [ + "42-01-0A-64-00-1D" + ], + "name": "webserver", + "os": { + "codename": "bullseye", + "family": "debian", + "kernel": "5.10.0-27-cloud-amd64", + "name": "Debian GNU/Linux", + "platform": "debian", + "type": "linux", + "version": "11 (bullseye)" + } + }, + "network": { + "bytes": 340814, + "community_id": "1:rDoUGTpaonfSKgfFy8xvyps5opI=", + "packets": 79, + "transport": "tcp", + "type": "ipv4" + }, + "type": "flow" + }, + { + "@timestamp": "2024-07-01T10:49:50.000Z", + "agent": { + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "name": "webserver", + "type": "packetbeat", + "version": "8.9.1" + }, + "cloud": { + "account": { + "id": "elastic-sa" + }, + "availability_zone": "europe-west2-c", + "instance": { + "id": "5975790316485631173", + "name": "test-security-demo-websever" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "provider": "gcp", + "region": "europe-west2", + "service": { + "name": "GCE" + } + }, + "data_stream": { + "dataset": "endace.flow", + "namespace": "webserver", + "type": "logs" + }, + "destination": { + "as": { + "number": 396982, + "organization": { + "name": "GOOGLE-CLOUD-PLATFORM" + } + }, + "bytes": 5471, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + 
"lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144", + "packets": 20, + "port": 443 + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "snapshot": false, + "version": "8.9.1" + }, + "event": { + "action": "network_flow", + "agent_id_status": "verified", + "category": [ + "network" + ], + "dataset": "endace.flow", + "duration": 66879956683, + "end": "2024-07-01T10:49:48.268Z", + "ingested": "2024-07-01T10:49:51Z", + "kind": "event", + "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1719830621388&end=1719831288268&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip=81.2.69.144", + "start": "2024-07-01T10:48:41.388Z", + "type": [ + "connection" + ] + }, + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAEKZAAdIlkMDGDeuwE" + }, + "host": { + "architecture": "x86_64", + "containerized": false, + "hostname": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "mac": [ + "42-01-0A-64-00-1D" + ], + "name": "webserver", + "os": { + "codename": "bullseye", + "family": "debian", + "kernel": "5.10.0-27-cloud-amd64", + "name": "Debian GNU/Linux", + "platform": "debian", + "type": "linux", + "version": "11 (bullseye)" + } + }, + "network": { + "bytes": 29368, + "community_id": "1:JimQNreW+sYThnNGTVx+lyRdLbo=", + "packets": 41, + "transport": "tcp", + "type": "ipv4" + }, + "type": "flow" + }, + { + "@timestamp": "2024-07-01T10:49:50.000Z", + "agent": { + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "name": "webserver", + "type": "packetbeat", + "version": "8.9.1" + }, + "cloud": { + "account": { + "id": "elastic-sa" + }, + "availability_zone": "europe-west2-c", + "instance": { + "id": "5975790316485631173", + "name": "test-security-demo-websever" + }, + 
"machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "provider": "gcp", + "region": "europe-west2", + "service": { + "name": "GCE" + } + }, + "data_stream": { + "dataset": "endace.flow", + "namespace": "webserver", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "snapshot": false, + "version": "8.9.1" + }, + "event": { + "action": "network_flow", + "agent_id_status": "verified", + "category": [ + "network" + ], + "dataset": "endace.flow", + "duration": 67392032290, + "end": "2024-07-01T10:49:49.292Z", + "ingested": "2024-07-01T10:49:51Z", + "kind": "event", + "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1719830621900&end=1719831289292&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip=10.100.0.29", + "start": "2024-07-01T10:48:41.900Z", + "type": [ + "connection" + ] + }, + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAEKZAAdIlkMDLTBuwE" + }, + "host": { + "architecture": "x86_64", + "containerized": false, + "hostname": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "mac": [ + "42-01-0A-64-00-1D" + ], + "name": "webserver", + "os": { + "codename": "bullseye", + "family": "debian", + "kernel": "5.10.0-27-cloud-amd64", + "name": "Debian GNU/Linux", + "platform": "debian", + "type": "linux", + "version": "11 (bullseye)" + } + }, + "network": { + "bytes": 195227, + "community_id": "1:nQ4W/+0XInOvc8X+dZywhVnJMxg=", + "packets": 127, + "transport": "tcp", + "type": "ipv4" + }, + "source": { + "bytes": 182639, + "ip": "10.100.0.29", + "packets": 82, + "port": 49588 + }, + "type": "flow" + }, + { + "@timestamp": "2024-07-01T10:49:50.000Z", + "agent": { + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "name": "webserver", + "type": 
"packetbeat", + "version": "8.9.1" + }, + "cloud": { + "account": { + "id": "elastic-sa" + }, + "availability_zone": "europe-west2-c", + "instance": { + "id": "5975790316485631173", + "name": "test-security-demo-websever" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "provider": "gcp", + "region": "europe-west2", + "service": { + "name": "GCE" + } + }, + "data_stream": { + "dataset": "endace.flow", + "namespace": "webserver", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "snapshot": false, + "version": "8.9.1" + }, + "event": { + "action": "network_flow", + "agent_id_status": "verified", + "category": [ + "network" + ], + "dataset": "endace.flow", + "duration": 59712056664, + "end": "2024-07-01T10:49:42.124Z", + "ingested": "2024-07-01T10:49:51Z", + "kind": "event", + "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1719830622412&end=1719831282124&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip=127.0.0.1", + "start": "2024-07-01T10:48:42.412Z", + "type": [ + "connection" + ] + }, + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAF/AAABfwAAAYcasJs" + }, + "host": { + "architecture": "x86_64", + "containerized": false, + "hostname": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "mac": [ + "42-01-0A-64-00-1D" + ], + "name": "webserver", + "os": { + "codename": "bullseye", + "family": "debian", + "kernel": "5.10.0-27-cloud-amd64", + "name": "Debian GNU/Linux", + "platform": "debian", + "type": "linux", + "version": "11 (bullseye)" + } + }, + "network": { + "bytes": 9143, + "community_id": "1:VFRc3lML+k0fLfF36gdrSCu5udg=", + "packets": 21, + "transport": "tcp", + "type": "ipv4" + }, + "source": { + "bytes": 2310, + "ip": "127.0.0.1", + "packets": 14, + "port": 39856 + }, + 
"type": "flow" + }, + { + "@timestamp": "2024-07-01T10:49:50.000Z", + "agent": { + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "name": "webserver", + "type": "packetbeat", + "version": "8.9.1" + }, + "cloud": { + "account": { + "id": "elastic-sa" + }, + "availability_zone": "europe-west2-c", + "instance": { + "id": "5975790316485631173", + "name": "test-security-demo-websever" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "provider": "gcp", + "region": "europe-west2", + "service": { + "name": "GCE" + } + }, + "data_stream": { + "dataset": "endace.flow", + "namespace": "webserver", + "type": "logs" + }, + "destination": { + "bytes": 25278, + "ip": "169.254.169.254", + "packets": 5, + "port": 80 + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "snapshot": false, + "version": "8.9.1" + }, + "event": { + "action": "network_flow", + "agent_id_status": "verified", + "category": [ + "network" + ], + "dataset": "endace.flow", + "duration": 61759622403, + "end": "2024-07-01T10:49:44.684Z", + "ingested": "2024-07-01T10:49:51Z", + "kind": "event", + "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1719830622924&end=1719831284684&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip=169.254.169.254", + "start": "2024-07-01T10:48:42.924Z", + "type": [ + "connection" + ] + }, + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAEKZAAdqf6p/u65UAA" + }, + "host": { + "architecture": "x86_64", + "containerized": false, + "hostname": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "mac": [ + "42-01-0A-64-00-1D" + ], + "name": "webserver", + "os": { + "codename": "bullseye", + "family": "debian", + "kernel": "5.10.0-27-cloud-amd64", + "name": "Debian GNU/Linux", 
+ "platform": "debian", + "type": "linux", + "version": "11 (bullseye)" + } + }, + "network": { + "bytes": 25730, + "community_id": "1:ZA5ezPNh0MumdIPxY03oJDcyLd8=", + "packets": 9, + "transport": "tcp", + "type": "ipv4" + }, + "type": "flow" + } + ] +} \ No newline at end of file diff --git a/packages/endace/data_stream/flow/_dev/test/system/test-http-get-2k-file-config.yml b/packages/endace/data_stream/flow/_dev/test/system/test-http-get-2k-file-config.yml new file mode 100644 index 00000000000..8ef53febd04 --- /dev/null +++ b/packages/endace/data_stream/flow/_dev/test/system/test-http-get-2k-file-config.yml @@ -0,0 +1,7 @@ +vars: + interface: "{{SERVICE_LOGS_DIR}}/http_get_2k_file.pcap" +input: packet +data_stream: + vars: + period: '-1s' + endace_url: 'http://test.elastic.co' diff --git a/packages/endace/data_stream/flow/_dev/test/system/test-icmp-2-pings-config.yml b/packages/endace/data_stream/flow/_dev/test/system/test-icmp-2-pings-config.yml new file mode 100644 index 00000000000..8011263401d --- /dev/null +++ b/packages/endace/data_stream/flow/_dev/test/system/test-icmp-2-pings-config.yml @@ -0,0 +1,8 @@ +vars: + interface: "{{SERVICE_LOGS_DIR}}/icmp_2_pings.pcap" +input: packet +data_stream: + vars: + timeout: '5s' + period: '-1s' + endace_url: 'http://test.elastic.co' diff --git a/packages/endace/data_stream/flow/_dev/test/system/test-icmp4-ping-config.yml b/packages/endace/data_stream/flow/_dev/test/system/test-icmp4-ping-config.yml new file mode 100644 index 00000000000..ac9dd427000 --- /dev/null +++ b/packages/endace/data_stream/flow/_dev/test/system/test-icmp4-ping-config.yml @@ -0,0 +1,7 @@ +vars: + interface: "{{SERVICE_LOGS_DIR}}/icmp4_ping.pcap" +input: packet +data_stream: + vars: + period: '1s' + endace_url: 'http://test.elastic.co' 
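Review bot: `endace_url: 'http://test.elastic.co'` in test-http-get-2k-file-config.yml (and the sibling icmp configs) points the generated `event.reference` pivot link at a real, resolvable elastic.co hostname over plain http, while the expected sample events above build the link from `https://test.test.local`. Use the same non-resolvable test host in the config and the expectation so the fixture and the expected output agree, and so a link clicked from a test dashboard never leaves the test environment.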
diff --git a/packages/endace/data_stream/flow/_dev/test/system/test-icmp6-ping-config.yml b/packages/endace/data_stream/flow/_dev/test/system/test-icmp6-ping-config.yml new file mode 100644 index 00000000000..be4ef69d695 --- /dev/null +++ b/packages/endace/data_stream/flow/_dev/test/system/test-icmp6-ping-config.yml @@ -0,0 +1,7 @@ +vars: + interface: "{{SERVICE_LOGS_DIR}}/icmp6_ping.pcap" +input: packet +data_stream: + vars: + period: '1s' + endace_url: 'http://test.elastic.co' diff --git a/packages/endace/data_stream/flow/agent/stream/flow.yml.hbs b/packages/endace/data_stream/flow/agent/stream/flow.yml.hbs new file mode 100644 index 00000000000..b45b6edf849 --- /dev/null +++ b/packages/endace/data_stream/flow/agent/stream/flow.yml.hbs @@ -0,0 +1,45 @@ +type: flow +{{#if timeout}} +timeout: '{{timeout}}' +{{/if}} +{{#if period}} +period: '{{period}}' +{{/if}} +fields_under_root: true +fields: + _conf: + geoip_enrich: {{geoip_enrich}} + map_to_ecs: {{map_to_ecs}} + endace_url: {{ endace_url }} + endace_datasources: {{ endace_datasources }} + endace_tools: {{ endace_tools }} + endace_lookback: {{ endace_lookback }} +{{#if tags}} +tags: +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{/if}} +processors: +{{#contains "forwarded" tags}} +- add_observer_metadata: ~ +{{else}} +- add_host_metadata: ~ +{{/contains}} +{{processors}} +{{#if monitor_processes}} +procs: + enabled: true +{{/if}} +{{#if interface}} +interface: +{{#if (contains ".pcap" interface)}} + file: {{interface}} +{{else}} + device: {{interface}} +{{/if}} +{{/if}} +{{#if never_install}} +npcap: + never_install: true +{{/if}} diff --git a/packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/compatibility.yml b/packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/compatibility.yml new file mode 100644 index 00000000000..c85edad3b01 --- /dev/null +++ b/packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/compatibility.yml 
@@ -0,0 +1,32 @@ +--- +description: ECS compatibility layer pipeline. +processors: + - rename: + field: flow + target_field: network_traffic.flow + ignore_missing: true + - rename: + # Retained for legacy dashboard behaviour. + field: status + target_field: network_traffic.status + ignore_missing: true + - rename: + field: process.ppid + target_field: process.parent.pid + ignore_missing: true + # Remove packetbeat fields that are handled by agent or fleet. + - remove: + field: type + ignore_missing: true + - remove: + field: event.dataset + ignore_missing: true + +on_failure: + - append: + field: error.message + value: |- + Processor "{{{ _ingest.on_failure_processor_type }}}" with tag "{{{ _ingest.on_failure_processor_tag }}}" in pipeline "{{{ _ingest.on_failure_pipeline }}}" failed with message "{{{ _ingest.on_failure_message }}}" + - set: + field: event.kind + value: pipeline_error diff --git a/packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/default.yml b/packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..be13b30eea8 --- /dev/null +++ b/packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,120 @@ +--- +description: Pipeline for processing traffic flows +processors: +- set: + field: ecs.version + value: '8.11.0' + tag: set_ecs_version + +# ECS compatibility pipeline +- pipeline: + if: ctx._conf?.map_to_ecs != null && ctx._conf.map_to_ecs + name: '{{ IngestPipeline "compatibility" }}' + tag: compatibility_pipeline_processor + +## +# Set {host,source,destination}.mac to dash separated upper case value +# as per ECS recommendation +## +- gsub: + field: host.mac + pattern: '[-:.]' + replacement: '' + ignore_missing: true + tag: gsub_host_mac_remove_seperators + +- gsub: + field: host.mac + pattern: '(..)(?!$)' + replacement: '$1-' + ignore_missing: true + tag: gsub_host_mac + +- uppercase: + field: host.mac + ignore_missing: true + tag: uppercase_host_mac + +- append: + field: related.hosts + value: "{{{observer.hostname}}}" + if: ctx.observer?.hostname != null && ctx.observer.hostname != '' + allow_duplicates: false + tag: append_observer_hostname + +- foreach: + if: ctx.observer?.ip != null && ctx.observer.ip instanceof List + tag: foreach_observer_ip + field: observer.ip + processor: + append: + field: related.ip + value: '{{{_ingest._value}}}' + allow_duplicates: false + +- remove: + if: ctx.host != null && ctx.tags != null && ctx.tags.contains('forwarded') + field: host + tag: remove_host_if_forwarded + +- gsub: + field: source.mac + pattern: '[-:.]' + replacement: '' + ignore_missing: true + tag: gsub_source_mac_remove_seperators + +- gsub: + field: source.mac + pattern: '(..)(?!$)' + replacement: '$1-' + ignore_missing: true + tag: gsub_source_mac + +- uppercase: + field: source.mac + ignore_missing: true + tag: uppercase_source_mac + +- gsub: + field: destination.mac + pattern: '[-:.]' + replacement: '' + ignore_missing: true + tag: gsub_destination_mac_remove_seperators + +- gsub: + field: destination.mac + pattern: '(..)(?!$)' + replacement: '$1-' + ignore_missing: true + tag: gsub_destination_mac + +- uppercase: + field: 
destination.mac + ignore_missing: true + tag: uppercase_destination_mac + +- pipeline: + if: ctx._conf?.geoip_enrich != null && ctx._conf.geoip_enrich + name: '{{ IngestPipeline "geoip" }}' + tag: pipeline_processor_geoip + +- pipeline: + name: '{{ IngestPipeline "endace" }}' + if: (ctx.source?.ip != null || ctx.destination?.ip != null) && (ctx.source?.ip != '0.0.0.0' && ctx.destination?.ip != '0.0.0.0') + tag: pipeline_processor_endace + +- remove: + field: _conf + ignore_missing: true + tag: remove_conf + +on_failure: + - append: + field: error.message + value: |- + Processor "{{{ _ingest.on_failure_processor_type }}}" with tag "{{{ _ingest.on_failure_processor_tag }}}" in pipeline "{{{ _ingest.on_failure_pipeline }}}" failed with message "{{{ _ingest.on_failure_message }}}" + - set: + field: event.kind + value: pipeline_error diff --git a/packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/endace.yml b/packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/endace.yml new file mode 100644 index 00000000000..d6a1399695e --- /dev/null +++ b/packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/endace.yml 
@@ -0,0 +1,88 @@ +--- +description: Endace Pivot Field. +processors: + - set: + description: "Set IP Conversation if both destination.ip and source.ip are present" + field: _conf.ip_conv + value: "ip_conv={{ source.ip }}%26{{ destination.ip }}" + if: (ctx.destination?.ip != null && ctx.destination?.ip != '') && (ctx.source?.ip != null && ctx.source?.ip != '') + tag: endace conversation set + + - set: + description: "Set IP Conversation if only destination.ip is present" + field: _conf.ip_conv + value: "ip={{ destination.ip }}" + if: (ctx.destination?.ip != null && ctx.destination.ip != '') && (ctx.source?.ip == null || ctx.source?.ip == '') + tag: endace destination ip set + + - set: + description: "Set IP Conversation if only source.ip is present" + field: _conf.ip_conv + value: "ip={{ source.ip }}" + if: (ctx.destination?.ip == null || ctx.destination?.ip == '') && (ctx.source?.ip != null && ctx.source.ip != '') + tag: endace source ip set + + - date: + description: "Convert Start time to Epoch" + field: event.start + formats: ["ISO8601"] + target_field: _conf.event.start + output_format: epoch_millis + if: ctx.event?.start != null && ctx.event.start != '' + + - convert: + field: _conf.event.start + type: long + description: "Convert Start time to Long" + if: ctx._conf?.event?.start != null && ctx._conf.event.start != '' + + - date: + description: "Convert End time to Epoch" + field: event.end + formats: ["ISO8601"] + target_field: _conf.event.end + output_format: epoch_millis + if: ctx.event?.end != null && ctx.event.end != '' + + - convert: + field: _conf.event.end + type: long + description: "Convert End time to Long" + if: ctx._conf?.event?.end != null && ctx._conf.event.end != '' + + - script: + source: "ctx._conf.timedelta = ctx._conf.endace_lookback * 60 * 1000" + tag: "Calculate Timedelta" + description: "Calculate Timedelta" + if: ctx._conf?.endace_lookback != null && ctx._conf.endace_lookback != '' + + - script: + source: "ctx._conf.event.end = 
ctx._conf.event.end + ctx._conf.timedelta/2" + tag: "Calculate Endtime as Timestamp + half of Timedelta" + description: "Calculate Endtime" + if: (ctx._conf?.event?.end != null && ctx._conf.event.end != '') && (ctx._conf?.timedelta != null && ctx._conf.timedelta != '') + + - script: + source: "ctx._conf.event.start = ctx._conf.event.start - ctx._conf.timedelta/2" + tag: "Calculate Starttime as Timestamp - half of Timedelta" + description: "Calculate Endtime" + if: (ctx._conf?.event?.start != null && ctx._conf.event.start != '') && (ctx._conf?.timedelta != null && ctx._conf.timedelta != '') + + - set: + field: event.reference + value: "{{ _conf.endace_url}}/vision2/pivotintovision/?title=endace_pivot&datasources={{_conf.endace_datasources }}&start={{ _conf.event.start }}&end={{ _conf.event.end }}&tools={{ _conf.endace_tools }}&{{ _conf.ip_conv }}" + ignore_empty_value: true + tag: endace reference url + if: (ctx.destination?.ip != null && ctx.destination.ip != '') || (ctx.source?.ip != null && ctx.source.ip != '') + description: "Create P2V URL" + +on_failure: + - append: + field: error.message + description: "Error Message" + value: |- + Processor "{{{ _ingest.on_failure_processor_type }}}" with tag "{{{ _ingest.on_failure_processor_tag }}}" in pipeline "{{{ _ingest.on_failure_pipeline }}}" failed with message "{{{ _ingest.on_failure_message }}}" + - set: + field: event.kind + description: "Event Kind" + value: pipeline_error diff --git a/packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/geoip.yml b/packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/geoip.yml new file mode 100644 index 00000000000..62d0462917f --- /dev/null +++ b/packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/geoip.yml 
@@ -0,0 +1,103 @@ +--- +description: GeoIP enrichment. +processors: + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + tag: source_geo + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + tag: source_geo_as + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + + - geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + tag: destination_geo + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + tag: destination_geo_as + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + + - geoip: + field: server.ip + target_field: server.geo + ignore_missing: true + tag: server_geo + - geoip: + database_file: GeoLite2-ASN.mmdb + field: server.ip + target_field: server.as + properties: + - asn + - organization_name + ignore_missing: true + tag: server_geo_as + - rename: + field: server.as.asn + target_field: server.as.number + ignore_missing: true + - rename: + field: server.as.organization_name + target_field: server.as.organization.name + ignore_missing: true + + - geoip: + field: client.ip + target_field: client.geo + ignore_missing: true + tag: client_geo + - geoip: + database_file: GeoLite2-ASN.mmdb + field: client.ip + target_field: client.as + properties: + - asn + - organization_name + ignore_missing: true + tag: client_geo_as + - rename: + field: client.as.asn + target_field: client.as.number + ignore_missing: true + - rename: + field: client.as.organization_name + 
target_field: client.as.organization.name + ignore_missing: true + +on_failure: + - append: + field: error.message + value: |- + Processor "{{ _ingest.on_failure_processor_type }}" with tag "{{ _ingest.on_failure_processor_tag }}" in pipeline "{{ _ingest.on_failure_pipeline }}" failed with message "{{ _ingest.on_failure_message }}" + - set: + field: event.kind + value: pipeline_error diff --git a/packages/endace/data_stream/flow/fields/agent.yml b/packages/endace/data_stream/flow/fields/agent.yml new file mode 100644 index 00000000000..a55e9f71b3e --- /dev/null +++ b/packages/endace/data_stream/flow/fields/agent.yml 
@@ -0,0 +1,196 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
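Review bot: `cloud.project.id` in agent.yml is described as "Name of the project in Google Cloud" although the field, and the sample events' `"project": {"id": "elastic-sa"}`, carry an id; reword to "Project id in Google Cloud". `cloud.project.id` and `cloud.image.id` are also the only keyword fields in this file without `ignore_above: 1024`; add it for consistency with the other `cloud.*` entries.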
diff --git a/packages/endace/data_stream/flow/fields/base.yml b/packages/endace/data_stream/flow/fields/base.yml new file mode 100644 index 00000000000..0d1791ffed6 --- /dev/null +++ b/packages/endace/data_stream/flow/fields/base.yml @@ -0,0 +1,12 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: "@timestamp" + type: date + description: Event timestamp. diff --git a/packages/endace/data_stream/flow/fields/beats.yml b/packages/endace/data_stream/flow/fields/beats.yml new file mode 100644 index 00000000000..a7cc3bab23d --- /dev/null +++ b/packages/endace/data_stream/flow/fields/beats.yml 
@@ -0,0 +1,95 @@ +- name: request + type: text + description: > + For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. + +- name: response + type: text + description: > + For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. + +- name: query + type: keyword + description: > + The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. + +- name: params + type: text + description: > + The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. + +- name: status + type: keyword + description: > + The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. + +- name: method + type: keyword + description: > + The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). + +- name: resource + type: keyword + description: > + The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. + +- name: path + type: keyword + description: > + The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. + +- name: type + type: keyword + description: > + The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. 
+ +- name: server.process.name + type: keyword + description: > + The name of the process that served the transaction. + +- name: server.process.args + type: keyword + description: > + The command-line of the process that served the transaction. + +- name: server.process.executable + type: keyword + description: > + Absolute path to the server process executable. + +- name: server.process.working_directory + type: keyword + description: > + The working directory of the server process. + +- name: server.process.start + type: date + description: > + The time the server process started. + +- name: client.process.name + type: keyword + description: > + The name of the process that initiated the transaction. + +- name: client.process.args + type: keyword + description: > + The command-line of the process that initiated the transaction. + +- name: client.process.executable + type: keyword + description: > + Absolute path to the client process executable. + +- name: client.process.working_directory + type: keyword + description: > + The working directory of the client process. + +- name: client.process.start + type: date + description: > + The time the client process started. + diff --git a/packages/endace/data_stream/flow/fields/ecs.yml b/packages/endace/data_stream/flow/fields/ecs.yml new file mode 100644 index 00000000000..dbc20b5c446 --- /dev/null +++ b/packages/endace/data_stream/flow/fields/ecs.yml 
@@ -0,0 +1,146 @@ +- external: ecs + name: client.bytes +- external: ecs + name: client.ip +- external: ecs + name: client.port +- external: ecs + name: destination.bytes +- external: ecs + name: destination.ip +- external: ecs + name: destination.mac +- external: ecs + name: destination.packets +- external: ecs + name: destination.port +- external: ecs + name: ecs.version +- external: ecs + name: event.category +- external: ecs + name: event.dataset +- external: ecs + name: event.duration +- external: ecs + name: event.end +- external: ecs + name: event.kind +- external: ecs + name: event.reference +- external: ecs + name: event.start +- external: ecs + name: event.type +- external: ecs + name: network.bytes +- external: ecs + name: network.community_id +- external: ecs + name: network.direction +- external: ecs + name: network.forwarded_ip +- external: ecs + name: network.protocol +- external: ecs + name: network.packets +- external: ecs + name: network.transport +- external: ecs + name: network.type +- external: ecs + name: observer.hostname +- external: ecs + name: observer.ip +- external: ecs + name: observer.mac +- external: ecs + name: observer.name +- external: ecs + name: process.name +- external: ecs + name: process.args +- external: ecs + name: process.executable +- external: ecs + name: process.working_directory +- external: ecs + name: process.start +- external: ecs + name: related.hosts +- external: ecs + name: related.ip +- external: ecs + name: server.bytes +- external: ecs + name: server.ip +- external: ecs + name: server.port +- external: ecs + name: source.bytes +- external: ecs + name: source.ip +- external: ecs + name: source.mac +- external: ecs + name: source.port +- external: ecs + name: source.packets +- external: ecs + name: client.geo.city_name +- external: ecs + name: client.geo.continent_name +- external: ecs + name: client.geo.country_iso_code +- external: ecs + name: client.geo.country_name +- external: ecs + name: client.geo.location 
+- external: ecs + name: client.geo.region_iso_code +- external: ecs + name: client.geo.region_name +- external: ecs + name: destination.geo.city_name +- external: ecs + name: destination.geo.continent_name +- external: ecs + name: destination.geo.country_iso_code +- external: ecs + name: destination.geo.country_name +- external: ecs + name: destination.geo.location +- external: ecs + name: destination.geo.region_iso_code +- external: ecs + name: destination.geo.region_name +- external: ecs + name: server.geo.city_name +- external: ecs + name: server.geo.continent_name +- external: ecs + name: server.geo.country_iso_code +- external: ecs + name: server.geo.country_name +- external: ecs + name: server.geo.location +- external: ecs + name: server.geo.region_iso_code +- external: ecs + name: server.geo.region_name +- external: ecs + name: source.geo.city_name +- external: ecs + name: source.geo.continent_name +- external: ecs + name: source.geo.country_iso_code +- external: ecs + name: source.geo.country_name +- external: ecs + name: source.geo.location +- external: ecs + name: source.geo.region_iso_code +- external: ecs + name: source.geo.region_name +- external: ecs + name: tags diff --git a/packages/endace/data_stream/flow/fields/protocol.yml b/packages/endace/data_stream/flow/fields/protocol.yml new file mode 100644 index 00000000000..ba73291c152 --- /dev/null +++ b/packages/endace/data_stream/flow/fields/protocol.yml @@ -0,0 +1,15 @@ +- name: flow.final + type: boolean + description: > + Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. + +- name: flow.id + type: keyword + description: > + Internal flow ID based on connection meta data and address. + +- name: flow.vlan + type: long + description: > + VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. + 
diff --git a/packages/endace/data_stream/flow/fields/protocol_ecs.yml b/packages/endace/data_stream/flow/fields/protocol_ecs.yml new file mode 100644 index 00000000000..99e3f417fcd --- /dev/null +++ b/packages/endace/data_stream/flow/fields/protocol_ecs.yml @@ -0,0 +1,23 @@ +- name: network_traffic.flow + type: group + fields: + - name: final + type: boolean + description: > + Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. + + - name: id + type: keyword + description: > + Internal flow ID based on connection meta data and address. + + - name: vlan + type: long + description: > + VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. + +- name: network_traffic.status + type: keyword + description: > + The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. + diff --git a/packages/endace/data_stream/flow/manifest.yml b/packages/endace/data_stream/flow/manifest.yml new file mode 100644 index 00000000000..ed73beef964 --- /dev/null +++ b/packages/endace/data_stream/flow/manifest.yml 
@@ -0,0 +1,67 @@ +title: Flows +type: logs +streams: + - input: packet + title: Flows + description: Track Network Flows + template_path: flow.yml.hbs + vars: + - name: geoip_enrich + required: true + show_user: true + title: GeoIP enrich IP addresses + description: Perform GeoIP enrichment on IP addresses in events. + type: bool + multi: false + default: true + - name: monitor_processes + type: bool + title: Monitor Processes + description: |- + If this option is enabled then network traffic events will be enriched + with information about the process associated with the events. + show_user: true + multi: false + required: false + - name: period + type: text + title: Period + required: false + show_user: false + description: Configure the reporting interval. All flows are reported at the very same point in time. Periodical reporting can be disabled by setting the value to -1s. If disabled, flows are still reported once being timed out. + default: '10s' + - name: timeout + type: text + title: Flow timeout + description: Timeout configures the lifetime of a flow. If no packets have been received for a flow within the timeout time window, the flow is killed and reported. Valid time units are ns, us, ms, s, m, h. + required: false + show_user: false + default: '30s' + - name: processors + type: yaml + title: Processors + description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + show_user: false + multi: false + required: false + - name: tags + type: text + title: Tags + description: Tags to include in the published event. 
+ show_user: false + multi: true + required: false + - name: map_to_ecs + type: bool + title: Map root Packetbeat fields to ECS + description: |- + Remap any non-ECS Packetbeat fields in root to their correct ECS fields. + This will rename fields that are moved so the fields will not be present + at the root of the document and so any rules that depend on the fields + will need to be updated. + + The legacy behaviour of this option is deprecated and users are encouraged + to set this option to true. See details in the [package overview describing `map_to_ecs`](../../../integrations/detail/network_traffic/overview). + show_user: true + multi: false + required: false diff --git a/packages/endace/data_stream/flow/sample_event.json b/packages/endace/data_stream/flow/sample_event.json new file mode 100644 index 00000000000..c5e261b80aa --- /dev/null +++ b/packages/endace/data_stream/flow/sample_event.json 
@@ -0,0 +1,86 @@ +{ + "@timestamp": "2023-10-16T22:40:20.005Z", + "agent": { + "ephemeral_id": "005dde79-7459-4b47-ae00-972086b4f5db", + "id": "f923dfe0-3acb-4f62-9ab4-1fabb8e8e112", + "name": "docker-fleet-agent", + "type": "packetbeat", + "version": "8.6.2" + }, + "data_stream": { + "dataset": "endace.flow", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "bytes": 64, + "ip": "::1", + "packets": 1, + "port": 8000 + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "f923dfe0-3acb-4f62-9ab4-1fabb8e8e112", + "snapshot": false, + "version": "8.6.2" + }, + "event": { + "action": "network_flow", + "agent_id_status": "verified", + "category": [ + "network" + ], + "dataset": "endace.flow", + "duration": 73561, + "end": "2023-10-16T22:39:45.677Z", + "ingested": "2023-10-16T22:40:21Z", + "kind": "event", + "start": "2023-10-16T22:39:45.677Z", + "type": [ + "connection", + "end" + ] + }, + "flow": { + "final": true, + "id": "QAT///////8A////IP8AAAEAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAUAfeMg" + }, + "host": { + "architecture": "x86_64", + "containerized": false, + "hostname": "docker-fleet-agent", + "id": "f91b175388d443fca5c155815dfc2279", + "ip": [ + "172.19.0.7" + ], + "mac": [ + "02-42-AC-13-00-07" + ], + "name": "docker-fleet-agent", + "os": { + "codename": "focal", + "family": "debian", + "kernel": "5.15.49-linuxkit", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "20.04.5 LTS (Focal Fossa)" + } + }, + "network": { + "bytes": 152, + "community_id": "1:5y9AkdbV9U8xqD9dhlj6obkubHg=", + "packets": 2, + "transport": "tcp", + "type": "ipv6" + }, + "source": { + "bytes": 88, + "ip": "::1", + "packets": 1, + "port": 51320 + }, + "type": "flow" +} diff --git a/packages/endace/data_stream/log/_dev/test/pipeline/test-netflow-log-events.json b/packages/endace/data_stream/log/_dev/test/pipeline/test-netflow-log-events.json new file mode 100644 index 00000000000..d8a498368a1 --- /dev/null 
+++ b/packages/endace/data_stream/log/_dev/test/pipeline/test-netflow-log-events.json 
@@ -0,0 +1,3579 @@ +{ + "events": [ + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "network": { + "iana_number": 6, + "bytes": 719, + "packets": 5, + "direction": "unknown", + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "transport": "tcp" + }, + "observer": { + "ip": "127.0.0.1" + }, + "agent": { + "version": "8.0.0", + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat" + }, + "client": { + "bytes": 719, + "packets": 5 + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "netflow": { + "art_network_time_sum": 0, + "flow_end_sys_up_time": 564184158, + "responder_octets": 0, + "art_count_responses": 0, + "initiator_octets": 719, + "art_server_response_time_maximum": 0, + "ingress_vrfid": 0, + "art_count_late_responses": 0, + "art_server_response_time_sum": 0, + "responder_packets": 0, + "waasoptimization_segment": 16, + "initiator_packets": 5, + "art_response_time_sum": 0, + "application_id": [ + 3, + 0, + 0, + 80 + ], + "connection_sum_duration_seconds": 0, + "protocol_identifier": 6, + "art_total_transaction_time_sum": 0, + "art_total_response_time_sum": 0, + "type": "netflow_flow", + "vlan_id": 0, + "biflow_direction": 1, + "ingress_interface": 10, + "art_client_network_time_sum": 0, + "art_count_transactions": 0, + "new_connection_delta_count": 1, + "flow_start_sys_up_time": 564184140, + "egress_interface": 13, + "art_server_network_time_sum": 0, + "art_count_retransmissions": 0, + "ip_ttl": 49, + "exporter": { + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "address": "127.0.0.1:62809", + "source_id": 512, + "version": 10 + }, + "ip_diff_serv_code_point": 0 + }, + "server": { + "packets": 0, + "bytes": 0 + }, + "input": { + "type": "netflow" + }, + "host": { + "name": "mbp.local" + }, + "ecs": { + "version": "1.8.0" + }, + "event": { + "created": "2021-05-19T09:08:51.938Z", + "kind": "event", + "category": 
"network_session", + "action": "netflow_flow", + "type": [ + "connection" + ] + }, + "source": { + "packets": 5, + "bytes": 719 + }, + "destination": { + "bytes": 0, + "packets": 0, + "ip": "10.36.236.100" + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "event": { + "action": "netflow_flow", + "type": [ + "connection" + ], + "created": "2021-05-19T09:08:51.938Z", + "kind": "event", + "category": "network_session" + }, + "observer": { + "ip": "127.0.0.1" + }, + "destination": { + "packets": 0, + "bytes": 0 + }, + "input": { + "type": "netflow" + }, + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "1.8.0" + }, + "server": { + "bytes": 0, + "packets": 0 + }, + "netflow": { + "new_connection_delta_count": 1, + "art_count_transactions": 0, + "application_id": [ + 3, + 0, + 0, + 80 + ], + "art_server_network_time_sum": 0, + "art_response_time_sum": 0, + "initiator_packets": 6, + "type": "netflow_flow", + "ingress_interface": 10, + "art_count_retransmissions": 0, + "art_client_network_time_sum": 0, + "vlan_id": 0, + "connection_sum_duration_seconds": 0, + "protocol_identifier": 6, + "initiator_octets": 1477, + "art_count_responses": 0, + "responder_octets": 0, + "exporter": { + "uptime_millis": 0, + "address": "127.0.0.1:62809", + "source_id": 512, + "version": 10, + "timestamp": "2018-07-03T10:47:00.000Z" + }, + "flow_end_sys_up_time": 564184154, + "ip_ttl": 49, + "biflow_direction": 1, + "ip_diff_serv_code_point": 0, + "art_total_transaction_time_sum": 0, + "art_count_late_responses": 0, + "egress_interface": 13, + "art_server_response_time_maximum": 0, + "responder_packets": 0, + 
"art_total_response_time_sum": 0, + "art_network_time_sum": 0, + "waasoptimization_segment": 16, + "art_server_response_time_sum": 0, + "ingress_vrfid": 0, + "flow_start_sys_up_time": 564184140 + }, + "host": { + "name": "mbp.local" + }, + "client": { + "bytes": 1477, + "packets": 6 + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "source": { + "bytes": 1477, + "packets": 6, + "ip": "10.127.32.11" + }, + "network": { + "transport": "tcp", + "iana_number": 6, + "bytes": 1477, + "packets": 6, + "direction": "unknown", + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=" + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "network": { + "transport": "tcp", + "iana_number": 6, + "bytes": 1, + "packets": 2, + "direction": "unknown", + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=" + }, + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "destination": { + "packets": 1, + "bytes": 0 + }, + "observer": { + "ip": "127.0.0.1" + }, + "server": { + "bytes": 0, + "packets": 1 + }, + "source": { + "packets": 1, + "bytes": 1 + }, + "host": { + "name": "mbp.local" + }, + "netflow": { + "biflow_direction": 1, + "waasoptimization_segment": 16, + "art_count_responses": 0, + "responder_octets": 0, + "ingress_vrfid": 0, + "initiator_packets": 1, + "art_count_late_responses": 0, + "ip_ttl": 125, + "art_server_response_time_sum": 0, + "art_count_transactions": 0, + "protocol_identifier": 6, + "flow_end_sys_up_time": 564184144, + "type": "netflow_flow", + "art_server_response_time_maximum": 0, + "responder_packets": 1, + "ip_diff_serv_code_point": 0, + 
"art_network_time_sum": 0, + "connection_sum_duration_seconds": 89, + "art_total_response_time_sum": 0, + "egress_interface": 10, + "flow_start_sys_up_time": 564184142, + "art_response_time_sum": 0, + "exporter": { + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "address": "127.0.0.1:62809", + "source_id": 512, + "version": 10 + }, + "new_connection_delta_count": 0, + "ingress_interface": 13, + "vlan_id": 290, + "art_client_network_time_sum": 0, + "art_total_transaction_time_sum": 0, + "art_count_retransmissions": 1, + "initiator_octets": 1, + "art_server_network_time_sum": 0, + "application_id": [ + 13, + 0, + 2, + 8 + ] + }, + "event": { + "created": "2021-05-19T09:08:51.938Z", + "kind": "event", + "category": "network_session", + "action": "netflow_flow", + "type": [ + "connection" + ] + }, + "client": { + "bytes": 1, + "packets": 1 + }, + "input": { + "type": "netflow" + }, + "ecs": { + "version": "1.8.0" + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "server": { + "bytes": 0, + "packets": 0 + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "destination": { + "packets": 0, + "bytes": 0 + }, + "netflow": { + "art_count_late_responses": 0, + "connection_sum_duration_seconds": 0, + "art_total_transaction_time_sum": 0, + "art_count_transactions": 0, + "biflow_direction": 1, + "waasoptimization_segment": 16, + "responder_packets": 0, + "art_response_time_sum": 0, + "flow_end_sys_up_time": 564184216, + "art_server_network_time_sum": 0, + "art_server_response_time_maximum": 0, + "ingress_interface": 10, + "protocol_identifier": 6, + 
"art_total_response_time_sum": 0, + "egress_interface": 13, + "initiator_octets": 108580, + "new_connection_delta_count": 1, + "exporter": { + "version": 10, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "address": "127.0.0.1:62809", + "source_id": 512 + }, + "vlan_id": 0, + "flow_start_sys_up_time": 564184131, + "initiator_packets": 79, + "art_network_time_sum": 0, + "art_client_network_time_sum": 0, + "ingress_vrfid": 0, + "ip_ttl": 49, + "type": "netflow_flow", + "application_id": [ + 3, + 0, + 0, + 80 + ], + "art_count_retransmissions": 2, + "art_count_responses": 0, + "ip_diff_serv_code_point": 0, + "responder_octets": 0, + "art_server_response_time_sum": 0 + }, + "event": { + "created": "2021-05-19T09:08:51.938Z", + "kind": "event", + "category": "network_session", + "action": "netflow_flow", + "type": [ + "connection" + ] + }, + "client": { + "packets": 79, + "bytes": 108580 + }, + "source": { + "bytes": 108580, + "packets": 79 + }, + "observer": { + "ip": "127.0.0.1" + }, + "input": { + "type": "netflow" + }, + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "mbp.local" + }, + "network": { + "transport": "tcp", + "iana_number": 6, + "bytes": 108580, + "packets": 79, + "direction": "unknown", + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=" + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "server": { + "bytes": 0, + "packets": 0 + }, + "observer": { + "ip": "127.0.0.1" + }, + "host": { + "name": "mbp.local" + }, + "input": { + "type": "netflow" + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "event": { + "created": "2021-05-19T09:08:51.938Z", + "kind": "event", + "category": "network_session", + "action": "netflow_flow", + "type": [ + "connection" + ] + }, + "client": { + "bytes": 342, + 
"packets": 5 + }, + "source": { + "packets": 5, + "bytes": 342 + }, + "destination": { + "bytes": 0, + "packets": 0 + }, + "network": { + "direction": "unknown", + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "transport": "tcp", + "iana_number": 6, + "bytes": 342, + "packets": 5 + }, + "netflow": { + "protocol_identifier": 6, + "art_total_response_time_sum": 0, + "type": "netflow_flow", + "ingress_interface": 10, + "waasoptimization_segment": 16, + "art_count_retransmissions": 0, + "biflow_direction": 1, + "art_server_response_time_sum": 0, + "application_id": [ + 3, + 0, + 0, + 80 + ], + "art_count_transactions": 0, + "responder_octets": 0, + "art_server_network_time_sum": 0, + "initiator_packets": 5, + "art_count_late_responses": 0, + "ingress_vrfid": 0, + "flow_end_sys_up_time": 564184208, + "art_client_network_time_sum": 0, + "art_total_transaction_time_sum": 0, + "new_connection_delta_count": 1, + "initiator_octets": 342, + "ip_ttl": 49, + "art_count_responses": 0, + "art_response_time_sum": 0, + "egress_interface": 13, + "responder_packets": 0, + "connection_sum_duration_seconds": 0, + "art_server_response_time_maximum": 0, + "art_network_time_sum": 0, + "vlan_id": 0, + "flow_start_sys_up_time": 564184176, + "ip_diff_serv_code_point": 0, + "exporter": { + "uptime_millis": 0, + "address": "127.0.0.1:62809", + "source_id": 512, + "version": 10, + "timestamp": "2018-07-03T10:47:00.000Z" + } + }, + "ecs": { + "version": "1.8.0" + }, + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "client": { + "bytes": 1851, + "packets": 17 + }, + "source": { + "bytes": 1851, + 
"packets": 17 + }, + "netflow": { + "initiator_packets": 17, + "initiator_octets": 1851, + "type": "netflow_flow", + "responder_packets": 18, + "biflow_direction": 1, + "waasoptimization_segment": 16, + "art_count_retransmissions": 0, + "protocol_identifier": 6, + "art_server_response_time_sum": 13, + "exporter": { + "version": 10, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "address": "127.0.0.1:62809", + "source_id": 512 + }, + "art_client_network_time_sum": 2, + "ingress_vrfid": 0, + "art_total_transaction_time_sum": 100, + "art_response_time_sum": 153, + "new_connection_delta_count": 2, + "art_count_responses": 3, + "ip_diff_serv_code_point": 0, + "vlan_id": 290, + "application_id": [ + 13, + 0, + 1, + 197 + ], + "art_server_network_time_sum": 95, + "art_count_late_responses": 0, + "art_total_response_time_sum": 156, + "ip_ttl": 125, + "art_server_response_time_maximum": 8, + "connection_sum_duration_seconds": 24, + "art_network_time_sum": 97, + "flow_end_sys_up_time": 564197394, + "art_count_transactions": 2, + "flow_start_sys_up_time": 564184067, + "ingress_interface": 13, + "egress_interface": 10, + "responder_octets": 9437 + }, + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "mbp.local" + }, + "agent": { + "version": "8.0.0", + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat" + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "observer": { + "ip": "127.0.0.1" + }, + "server": { + "bytes": 9437, + "packets": 18 + }, + "event": { + "type": [ + "connection" + ], + "created": "2021-05-19T09:08:51.938Z", + "kind": "event", + "category": "network_session", + "action": "netflow_flow" + }, + "input": { + "type": "netflow" + }, + "destination": { + "bytes": 9437, + "packets": 18 + }, + "network": { + "bytes": 11288, + "packets": 35, + "direction": "unknown", + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + 
"transport": "tcp", + "iana_number": 6 + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "source": { + "bytes": 51480, + "packets": 39 + }, + "destination": { + "bytes": 0, + "packets": 0 + }, + "netflow": { + "flow_start_sys_up_time": 564184182, + "ip_diff_serv_code_point": 0, + "application_id": [ + 3, + 0, + 0, + 80 + ], + "waasoptimization_segment": 16, + "art_network_time_sum": 0, + "art_count_late_responses": 0, + "art_count_responses": 0, + "type": "netflow_flow", + "art_server_response_time_maximum": 0, + "ingress_vrfid": 0, + "responder_packets": 0, + "exporter": { + "uptime_millis": 0, + "address": "127.0.0.1:62809", + "source_id": 512, + "version": 10, + "timestamp": "2018-07-03T10:47:00.000Z" + }, + "art_count_retransmissions": 0, + "responder_octets": 0, + "ip_ttl": 49, + "art_total_response_time_sum": 0, + "initiator_packets": 39, + "ingress_interface": 10, + "art_server_response_time_sum": 0, + "initiator_octets": 51480, + "egress_interface": 13, + "art_server_network_time_sum": 0, + "art_client_network_time_sum": 0, + "new_connection_delta_count": 1, + "art_response_time_sum": 0, + "vlan_id": 0, + "protocol_identifier": 6, + "connection_sum_duration_seconds": 0, + "art_total_transaction_time_sum": 0, + "biflow_direction": 1, + "art_count_transactions": 0, + "flow_end_sys_up_time": 564184216 + }, + "input": { + "type": "netflow" + }, + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "event": { + "category": "network_session", + "action": "netflow_flow", + "type": [ + "connection" + ], + "created": "2021-05-19T09:08:51.938Z", + "kind": "event" + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": 
"internal" + }, + "observer": { + "ip": "127.0.0.1" + }, + "server": { + "packets": 0, + "bytes": 0 + }, + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "mbp.local" + }, + "client": { + "bytes": 51480, + "packets": 39 + }, + "network": { + "transport": "tcp", + "iana_number": 6, + "bytes": 51480, + "packets": 39, + "direction": "unknown", + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=" + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "destination": { + "bytes": 36894, + "packets": 47 + }, + "network": { + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "transport": "tcp", + "iana_number": 6, + "bytes": 42029, + "packets": 102, + "direction": "unknown" + }, + "server": { + "bytes": 36894, + "packets": 47 + }, + "host": { + "name": "mbp.local" + }, + "netflow": { + "responder_packets": 47, + "egress_interface": 10, + "art_client_network_time_sum": 10, + "art_response_time_sum": 516, + "ip_diff_serv_code_point": 0, + "art_count_late_responses": 0, + "art_count_transactions": 14, + "ip_ttl": 126, + "art_count_responses": 15, + "responder_octets": 36894, + "connection_sum_duration_seconds": 35, + "protocol_identifier": 6, + "new_connection_delta_count": 6, + "art_server_response_time_maximum": 27, + "art_server_response_time_sum": 117, + "art_server_network_time_sum": 364, + "art_total_response_time_sum": 541, + "art_total_transaction_time_sum": 512, + "biflow_direction": 1, + "art_count_retransmissions": 0, + "ingress_interface": 13, + "initiator_packets": 55, + "ingress_vrfid": 0, + "vlan_id": 290, + "type": "netflow_flow", + "initiator_octets": 5135, + "art_network_time_sum": 374, + "application_id": [ + 13, + 0, + 1, + 197 + ], + "exporter": { + "source_id": 512, + "version": 10, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 
0, + "address": "127.0.0.1:62809" + }, + "flow_end_sys_up_time": 564203810, + "flow_start_sys_up_time": 564184040, + "waasoptimization_segment": 16 + }, + "client": { + "bytes": 5135, + "packets": 55 + }, + "flow": { + "locality": "internal", + "id": "Vhs9T5k296w" + }, + "input": { + "type": "netflow" + }, + "agent": { + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0", + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c" + }, + "ecs": { + "version": "1.8.0" + }, + "event": { + "created": "2021-05-19T09:08:51.938Z", + "kind": "event", + "category": "network_session", + "action": "netflow_flow", + "type": [ + "connection" + ] + }, + "source": { + "packets": 55, + "bytes": 5135 + }, + "observer": { + "ip": "127.0.0.1" + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "client": { + "bytes": 6533, + "packets": 14 + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "input": { + "type": "netflow" + }, + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "mbp.local" + }, + "server": { + "bytes": 6400, + "packets": 20 + }, + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "source": { + "packets": 14, + "bytes": 6533 + }, + "destination": { + "bytes": 6400, + "packets": 20 + }, + "network": { + "iana_number": 6, + "bytes": 12933, + "packets": 34, + "direction": "unknown", + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "transport": "tcp" + }, + "netflow": { + "responder_packets": 14, + "art_count_responses": 6, + "vlan_id": 0, + "new_connection_delta_count": 2, + "ingress_interface": 10, + "art_total_response_time_sum": 138, + 
"art_server_response_time_maximum": 31, + "ip_diff_serv_code_point": 0, + "art_server_response_time_sum": 78, + "art_count_retransmissions": 1, + "art_total_transaction_time_sum": 123, + "initiator_packets": 20, + "ip_ttl": 61, + "type": "netflow_flow", + "ingress_vrfid": 0, + "protocol_identifier": 6, + "art_server_network_time_sum": 18, + "art_count_transactions": 6, + "flow_start_sys_up_time": 564184163, + "exporter": { + "version": 10, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "address": "127.0.0.1:62809", + "source_id": 512 + }, + "art_network_time_sum": 23, + "egress_interface": 13, + "responder_octets": 6533, + "application_id": [ + 13, + 0, + 2, + 99 + ], + "biflow_direction": 2, + "waasoptimization_segment": 16, + "initiator_octets": 6400, + "flow_end_sys_up_time": 564200378, + "connection_sum_duration_seconds": 64, + "art_count_late_responses": 0, + "art_response_time_sum": 123, + "art_client_network_time_sum": 5 + }, + "event": { + "category": "network_session", + "action": "netflow_flow", + "type": [ + "connection" + ], + "created": "2021-05-19T09:08:51.938Z", + "kind": "event" + }, + "observer": { + "ip": "127.0.0.1" + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "event": { + "kind": "event", + "category": "network_session", + "action": "netflow_flow", + "type": [ + "connection" + ], + "created": "2021-05-19T09:08:51.938Z" + }, + "destination": { + "bytes": 0, + "packets": 0 + }, + "observer": { + "ip": "127.0.0.1" + }, + "server": { + "bytes": 0, + "packets": 0 + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "source": { + "bytes": 5684, + "packets": 491 + }, + "network": { + "packets": 491, + "direction": "unknown", + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "transport": "tcp", + 
"iana_number": 6, + "bytes": 5684 + }, + "netflow": { + "new_connection_delta_count": 0, + "art_count_retransmissions": 0, + "vlan_id": 290, + "exporter": { + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "address": "127.0.0.1:62809", + "source_id": 512, + "version": 10 + }, + "art_server_response_time_sum": 0, + "biflow_direction": 1, + "art_count_responses": 0, + "art_total_transaction_time_sum": 0, + "art_response_time_sum": 0, + "initiator_octets": 5684, + "ingress_vrfid": 0, + "responder_packets": 0, + "application_id": [ + 13, + 0, + 0, + 49 + ], + "connection_sum_duration_seconds": 109, + "art_total_response_time_sum": 0, + "type": "netflow_flow", + "flow_start_sys_up_time": 564184196, + "egress_interface": 10, + "ingress_interface": 13, + "art_server_network_time_sum": 0, + "ip_diff_serv_code_point": 0, + "initiator_packets": 491, + "ip_ttl": 125, + "responder_octets": 0, + "waasoptimization_segment": 16, + "art_network_time_sum": 0, + "protocol_identifier": 6, + "art_server_response_time_maximum": 0, + "art_count_late_responses": 0, + "art_client_network_time_sum": 0, + "flow_end_sys_up_time": 564185840, + "art_count_transactions": 0 + }, + "input": { + "type": "netflow" + }, + "host": { + "name": "mbp.local" + }, + "client": { + "bytes": 5684, + "packets": 491 + }, + "ecs": { + "version": "1.8.0" + }, + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "client": { + "bytes": 4965, + "packets": 13 + }, + "server": { + "packets": 0, + "bytes": 0 + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "destination": { + "bytes": 0, + 
"packets": 0 + }, + "event": { + "category": "network_session", + "action": "netflow_flow", + "type": [ + "connection" + ], + "created": "2021-05-19T09:08:51.938Z", + "kind": "event" + }, + "input": { + "type": "netflow" + }, + "host": { + "name": "mbp.local" + }, + "source": { + "bytes": 4965, + "packets": 13 + }, + "observer": { + "ip": "127.0.0.1" + }, + "netflow": { + "protocol_identifier": 6, + "art_server_response_time_maximum": 0, + "new_connection_delta_count": 1, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "version": 10, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0 + }, + "type": "netflow_flow", + "art_count_responses": 0, + "art_server_network_time_sum": 0, + "responder_packets": 0, + "ingress_interface": 13, + "biflow_direction": 1, + "ip_diff_serv_code_point": 0, + "initiator_packets": 13, + "ingress_vrfid": 0, + "art_count_transactions": 0, + "art_response_time_sum": 0, + "art_total_transaction_time_sum": 0, + "connection_sum_duration_seconds": 0, + "flow_end_sys_up_time": 564184254, + "vlan_id": 290, + "initiator_octets": 4965, + "waasoptimization_segment": 16, + "responder_octets": 0, + "art_count_late_responses": 0, + "art_total_response_time_sum": 0, + "application_id": [ + 13, + 0, + 1, + 197 + ], + "art_server_response_time_sum": 0, + "flow_start_sys_up_time": 564184154, + "ip_ttl": 125, + "art_count_retransmissions": 0, + "art_network_time_sum": 0, + "egress_interface": 10, + "art_client_network_time_sum": 0 + }, + "ecs": { + "version": "1.8.0" + }, + "agent": { + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0", + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75" + }, + "network": { + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "transport": "tcp", + "iana_number": 6, + "bytes": 4965, + "packets": 13, + "direction": "unknown" + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": 
"tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "server": { + "packets": 2, + "bytes": 0 + }, + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "mbp.local" + }, + "agent": { + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0", + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c" + }, + "destination": { + "bytes": 0, + "packets": 2 + }, + "event": { + "category": "network_session", + "action": "netflow_flow", + "type": [ + "connection" + ], + "created": "2021-05-19T09:08:51.938Z", + "kind": "event" + }, + "client": { + "bytes": 138, + "packets": 4 + }, + "network": { + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "transport": "tcp", + "iana_number": 6, + "bytes": 138, + "packets": 6, + "direction": "unknown" + }, + "netflow": { + "protocol_identifier": 6, + "ingress_interface": 10, + "vlan_id": 0, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "version": 10, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0 + }, + "art_server_network_time_sum": 0, + "art_server_response_time_maximum": 0, + "art_count_responses": 0, + "art_total_response_time_sum": 0, + "connection_sum_duration_seconds": 239, + "responder_octets": 138, + "art_count_retransmissions": 0, + "ingress_vrfid": 0, + "initiator_packets": 2, + "new_connection_delta_count": 0, + "application_id": [ + 13, + 0, + 2, + 99 + ], + "art_client_network_time_sum": 0, + "flow_start_sys_up_time": 564184214, + "biflow_direction": 2, + "art_network_time_sum": 0, + "type": "netflow_flow", + "art_count_late_responses": 0, + "art_count_transactions": 2, + "flow_end_sys_up_time": 564184362, + "egress_interface": 13, + "ip_diff_serv_code_point": 0, + "responder_packets": 4, + "art_response_time_sum": 0, + "art_total_transaction_time_sum": 119878, + "initiator_octets": 0, + 
"art_server_response_time_sum": 0, + "ip_ttl": 61, + "waasoptimization_segment": 16 + }, + "observer": { + "ip": "127.0.0.1" + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "input": { + "type": "netflow" + }, + "source": { + "bytes": 138, + "packets": 4 + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "netflow": { + "waasoptimization_segment": 16, + "art_total_transaction_time_sum": 0, + "art_server_response_time_sum": 0, + "art_total_response_time_sum": 0, + "art_count_responses": 0, + "ingress_interface": 13, + "art_server_network_time_sum": 0, + "art_client_network_time_sum": 0, + "flow_end_sys_up_time": 564184220, + "ingress_vrfid": 0, + "biflow_direction": 1, + "ip_ttl": 125, + "initiator_packets": 1, + "vlan_id": 290, + "ip_diff_serv_code_point": 0, + "art_count_retransmissions": 1, + "egress_interface": 10, + "art_response_time_sum": 0, + "art_count_transactions": 0, + "art_network_time_sum": 0, + "exporter": { + "source_id": 512, + "version": 10, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "address": "127.0.0.1:62809" + }, + "type": "netflow_flow", + "responder_octets": 0, + "responder_packets": 0, + "connection_sum_duration_seconds": 44, + "art_count_late_responses": 0, + "flow_start_sys_up_time": 564184220, + "protocol_identifier": 6, + "application_id": [ + 13, + 0, + 2, + 8 + ], + "initiator_octets": 1, + "new_connection_delta_count": 0, + "art_server_response_time_maximum": 0 + }, + "event": { + "category": "network_session", + "action": "netflow_flow", + "type": [ + "connection" + ], + "created": "2021-05-19T09:08:51.938Z", + "kind": "event" + }, + "observer": { + "ip": "127.0.0.1" + }, + "ecs": { + "version": "1.8.0" + }, + "host": { 
+ "name": "mbp.local" + }, + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "server": { + "bytes": 0, + "packets": 0 + }, + "source": { + "packets": 1, + "bytes": 1 + }, + "network": { + "transport": "tcp", + "iana_number": 6, + "bytes": 1, + "packets": 1, + "direction": "unknown", + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=" + }, + "client": { + "packets": 1, + "bytes": 1 + }, + "destination": { + "bytes": 0, + "packets": 0 + }, + "input": { + "type": "netflow" + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "netflow": { + "art_count_responses": 3, + "egress_interface": 13, + "initiator_octets": 1571, + "ingress_vrfid": 0, + "connection_sum_duration_seconds": 62, + "art_server_network_time_sum": 146, + "art_client_network_time_sum": 3, + "application_id": [ + 13, + 0, + 1, + 197 + ], + "art_count_late_responses": 0, + "art_server_response_time_maximum": 3, + "art_total_response_time_sum": 453, + "type": "netflow_flow", + "ip_diff_serv_code_point": 0, + "exporter": { + "source_id": 512, + "version": 10, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "address": "127.0.0.1:62809" + }, + "protocol_identifier": 6, + "ip_ttl": 220, + "waasoptimization_segment": 16, + "responder_octets": 6079, + "vlan_id": 0, + "art_server_response_time_sum": 6, + "initiator_packets": 13, + "art_count_retransmissions": 0, + "flow_end_sys_up_time": 564215068, + "responder_packets": 10, + "flow_start_sys_up_time": 564184067, + "ingress_interface": 10, + "art_response_time_sum": 444, + "biflow_direction": 2, + "art_network_time_sum": 149, + "art_count_transactions": 2, + "new_connection_delta_count": 1, + 
"art_total_transaction_time_sum": 296 + }, + "input": { + "type": "netflow" + }, + "observer": { + "ip": "127.0.0.1" + }, + "client": { + "packets": 10, + "bytes": 6079 + }, + "network": { + "direction": "unknown", + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "transport": "tcp", + "iana_number": 6, + "bytes": 7650, + "packets": 23 + }, + "server": { + "bytes": 1571, + "packets": 13 + }, + "source": { + "bytes": 6079, + "packets": 10 + }, + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "mbp.local" + }, + "agent": { + "type": "filebeat", + "version": "8.0.0", + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local" + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "destination": { + "bytes": 1571, + "packets": 13 + }, + "event": { + "created": "2021-05-19T09:08:51.938Z", + "kind": "event", + "category": "network_session", + "action": "netflow_flow", + "type": [ + "connection" + ] + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "client": { + "packets": 6, + "bytes": 2807 + }, + "destination": { + "bytes": 0, + "packets": 0 + }, + "ecs": { + "version": "1.8.0" + }, + "event": { + "action": "netflow_flow", + "type": [ + "connection" + ], + "created": "2021-05-19T09:08:51.938Z", + "kind": "event", + "category": "network_session" + }, + "network": { + "packets": 6, + "direction": "unknown", + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "transport": "tcp", + "iana_number": 6, + "bytes": 2807 + }, + "source": { + "packets": 6, + "bytes": 2807 + }, + "netflow": { + "biflow_direction": 1, + "art_response_time_sum": 0, + "responder_packets": 0, + "waasoptimization_segment": 16, + "egress_interface": 13, + "art_count_responses": 0, + "ingress_vrfid": 
0, + "connection_sum_duration_seconds": 0, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "version": 10, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0 + }, + "vlan_id": 0, + "art_count_late_responses": 0, + "type": "netflow_flow", + "ip_diff_serv_code_point": 0, + "flow_start_sys_up_time": 564183878, + "art_server_response_time_sum": 0, + "art_total_transaction_time_sum": 0, + "art_server_network_time_sum": 0, + "art_count_transactions": 0, + "responder_octets": 0, + "art_client_network_time_sum": 0, + "protocol_identifier": 6, + "initiator_packets": 6, + "initiator_octets": 2807, + "art_server_response_time_maximum": 0, + "art_network_time_sum": 0, + "art_total_response_time_sum": 0, + "flow_end_sys_up_time": 564184252, + "ip_ttl": 61, + "new_connection_delta_count": 1, + "ingress_interface": 10, + "application_id": [ + 13, + 0, + 1, + 197 + ], + "art_count_retransmissions": 0 + }, + "observer": { + "ip": "127.0.0.1" + }, + "input": { + "type": "netflow" + }, + "host": { + "name": "mbp.local" + }, + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "server": { + "bytes": 0, + "packets": 0 + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "event": { + "kind": "event", + "category": "network_session", + "action": "netflow_flow", + "type": [ + "connection" + ], + "created": "2021-05-19T09:08:51.938Z" + }, + "host": { + "name": "mbp.local" + }, + "network": { + "packets": 1, + "direction": "unknown", + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + 
"transport": "tcp", + "iana_number": 6, + "bytes": 0 + }, + "source": { + "bytes": 0, + "packets": 1 + }, + "observer": { + "ip": "127.0.0.1" + }, + "netflow": { + "ip_diff_serv_code_point": 0, + "new_connection_delta_count": 0, + "art_server_network_time_sum": 0, + "protocol_identifier": 6, + "exporter": { + "uptime_millis": 0, + "address": "127.0.0.1:62809", + "source_id": 512, + "version": 10, + "timestamp": "2018-07-03T10:47:00.000Z" + }, + "initiator_packets": 1, + "ingress_vrfid": 0, + "art_response_time_sum": 0, + "art_total_transaction_time_sum": 0, + "ingress_interface": 1, + "vlan_id": 0, + "type": "netflow_flow", + "art_count_responses": 0, + "art_client_network_time_sum": 0, + "art_server_response_time_sum": 0, + "waasoptimization_segment": 16, + "initiator_octets": 0, + "art_count_transactions": 0, + "responder_packets": 0, + "art_total_response_time_sum": 0, + "ip_ttl": 124, + "biflow_direction": 1, + "flow_end_sys_up_time": 564184248, + "egress_interface": 4, + "responder_octets": 0, + "art_network_time_sum": 0, + "connection_sum_duration_seconds": 59, + "flow_start_sys_up_time": 564184248, + "art_count_retransmissions": 0, + "art_server_response_time_maximum": 0, + "art_count_late_responses": 0, + "application_id": [ + 13, + 0, + 0, + 1 + ] + }, + "input": { + "type": "netflow" + }, + "ecs": { + "version": "1.8.0" + }, + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "server": { + "bytes": 0, + "packets": 0 + }, + "client": { + "bytes": 0, + "packets": 1 + }, + "destination": { + "bytes": 0, + "packets": 0 + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "network": { + "packets": 18, + "direction": 
"unknown", + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "transport": "tcp", + "iana_number": 6, + "bytes": 5286 + }, + "client": { + "bytes": 1877, + "packets": 11 + }, + "destination": { + "bytes": 3409, + "packets": 7 + }, + "input": { + "type": "netflow" + }, + "host": { + "name": "mbp.local" + }, + "event": { + "created": "2021-05-19T09:08:51.938Z", + "kind": "event", + "category": "network_session", + "action": "netflow_flow", + "type": [ + "connection" + ] + }, + "server": { + "bytes": 3409, + "packets": 7 + }, + "source": { + "bytes": 1877, + "packets": 11 + }, + "agent": { + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0", + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75" + }, + "ecs": { + "version": "1.8.0" + }, + "observer": { + "ip": "127.0.0.1" + }, + "netflow": { + "responder_packets": 7, + "ingress_interface": 13, + "art_server_response_time_sum": 7, + "ip_ttl": 125, + "initiator_packets": 11, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "version": 10, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0 + }, + "ingress_vrfid": 0, + "biflow_direction": 1, + "art_count_transactions": 4, + "art_server_network_time_sum": 4, + "art_count_responses": 4, + "type": "netflow_flow", + "art_total_transaction_time_sum": 23, + "ip_diff_serv_code_point": 0, + "application_id": [ + 13, + 0, + 1, + 197 + ], + "flow_end_sys_up_time": 564200378, + "art_count_late_responses": 0, + "art_count_retransmissions": 0, + "vlan_id": 290, + "initiator_octets": 1877, + "responder_octets": 3409, + "flow_start_sys_up_time": 564184251, + "egress_interface": 10, + "art_server_response_time_maximum": 3, + "waasoptimization_segment": 16, + "connection_sum_duration_seconds": 32, + "art_network_time_sum": 6, + "new_connection_delta_count": 1, + "art_client_network_time_sum": 2, + "art_response_time_sum": 23, + "art_total_response_time_sum": 31, + "protocol_identifier": 6 + 
}, + "flow": { + "locality": "internal", + "id": "Vhs9T5k296w" + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "destination": { + "bytes": 0, + "packets": 0 + }, + "network": { + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "transport": "tcp", + "iana_number": 6, + "bytes": 2255, + "packets": 7, + "direction": "unknown" + }, + "host": { + "name": "mbp.local" + }, + "source": { + "bytes": 2255, + "packets": 7 + }, + "observer": { + "ip": "127.0.0.1" + }, + "client": { + "bytes": 2255, + "packets": 7 + }, + "server": { + "packets": 0, + "bytes": 0 + }, + "event": { + "created": "2021-05-19T09:08:51.938Z", + "kind": "event", + "category": "network_session", + "action": "netflow_flow", + "type": [ + "connection" + ] + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "input": { + "type": "netflow" + }, + "agent": { + "version": "8.0.0", + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat" + }, + "netflow": { + "ip_ttl": 61, + "art_network_time_sum": 0, + "responder_octets": 0, + "responder_packets": 0, + "art_count_retransmissions": 0, + "egress_interface": 13, + "biflow_direction": 1, + "vlan_id": 0, + "art_server_response_time_sum": 0, + "art_total_response_time_sum": 0, + "application_id": [ + 13, + 0, + 1, + 197 + ], + "new_connection_delta_count": 1, + "connection_sum_duration_seconds": 0, + "type": "netflow_flow", + "art_count_late_responses": 0, + "flow_start_sys_up_time": 564184040, + "art_response_time_sum": 0, + "exporter": { + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "address": "127.0.0.1:62809", + "source_id": 512, + "version": 10 + }, + "art_client_network_time_sum": 0, + "protocol_identifier": 6, + 
"art_count_responses": 0, + "art_server_network_time_sum": 0, + "ingress_vrfid": 0, + "ingress_interface": 10, + "waasoptimization_segment": 16, + "initiator_packets": 7, + "art_server_response_time_maximum": 0, + "art_count_transactions": 0, + "ip_diff_serv_code_point": 0, + "art_total_transaction_time_sum": 0, + "initiator_octets": 2255, + "flow_end_sys_up_time": 564184286 + }, + "ecs": { + "version": "1.8.0" + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "source": { + "packets": 5, + "bytes": 538 + }, + "netflow": { + "initiator_packets": 5, + "waasoptimization_segment": 16, + "art_total_transaction_time_sum": 0, + "vlan_id": 0, + "new_connection_delta_count": 1, + "protocol_identifier": 6, + "flow_start_sys_up_time": 564184284, + "ingress_interface": 10, + "connection_sum_duration_seconds": 0, + "biflow_direction": 1, + "art_server_response_time_sum": 0, + "responder_packets": 0, + "art_count_responses": 0, + "art_count_retransmissions": 0, + "art_network_time_sum": 0, + "responder_octets": 0, + "art_client_network_time_sum": 0, + "ingress_vrfid": 0, + "art_count_late_responses": 0, + "ip_ttl": 49, + "art_server_response_time_maximum": 0, + "type": "netflow_flow", + "ip_diff_serv_code_point": 0, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "version": 10, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0 + }, + "art_server_network_time_sum": 0, + "art_response_time_sum": 0, + "art_total_response_time_sum": 0, + "egress_interface": 13, + "application_id": [ + 3, + 0, + 0, + 80 + ], + "initiator_octets": 538, + "art_count_transactions": 0, + "flow_end_sys_up_time": 564184314 + }, + "event": { + "type": [ + "connection" + ], + "created": "2021-05-19T09:08:51.938Z", + "kind": "event", + "category": "network_session", + 
"action": "netflow_flow" + }, + "client": { + "packets": 5, + "bytes": 538 + }, + "server": { + "bytes": 0, + "packets": 0 + }, + "input": { + "type": "netflow" + }, + "observer": { + "ip": "127.0.0.1" + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "mbp.local" + }, + "network": { + "transport": "tcp", + "iana_number": 6, + "bytes": 538, + "packets": 5, + "direction": "unknown", + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=" + }, + "destination": { + "bytes": 0, + "packets": 0 + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "observer": { + "ip": "127.0.0.1" + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "network": { + "packets": 36, + "direction": "unknown", + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "transport": "tcp", + "iana_number": 6, + "bytes": 7792 + }, + "input": { + "type": "netflow" + }, + "ecs": { + "version": "1.8.0" + }, + "event": { + "type": [ + "connection" + ], + "created": "2021-05-19T09:08:51.939Z", + "kind": "event", + "category": "network_session", + "action": "netflow_flow" + }, + "source": { + "bytes": 1487, + "packets": 21 + }, + "netflow": { + "art_server_response_time_maximum": 25, + "art_network_time_sum": 9, + "ip_diff_serv_code_point": 0, + "art_total_transaction_time_sum": 59870, + "art_count_late_responses": 0, + "responder_octets": 6305, + "art_total_response_time_sum": 77, + "flow_start_sys_up_time": 564184296, + "exporter": { + "uptime_millis": 0, + "address": "127.0.0.1:62809", + "source_id": 512, + "version": 10, + 
"timestamp": "2018-07-03T10:47:00.000Z" + }, + "biflow_direction": 1, + "art_server_response_time_sum": 55, + "connection_sum_duration_seconds": 181, + "art_count_retransmissions": 0, + "waasoptimization_segment": 16, + "egress_interface": 10, + "new_connection_delta_count": 2, + "flow_end_sys_up_time": 564214304, + "initiator_packets": 21, + "vlan_id": 290, + "art_count_transactions": 5, + "art_server_network_time_sum": 7, + "ip_ttl": 125, + "application_id": [ + 13, + 0, + 2, + 102 + ], + "art_client_network_time_sum": 2, + "ingress_vrfid": 0, + "initiator_octets": 1487, + "art_count_responses": 5, + "art_response_time_sum": 72, + "responder_packets": 15, + "ingress_interface": 13, + "type": "netflow_flow", + "protocol_identifier": 6 + }, + "destination": { + "bytes": 6305, + "packets": 15 + }, + "server": { + "bytes": 6305, + "packets": 15 + }, + "host": { + "name": "mbp.local" + }, + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "client": { + "bytes": 1487, + "packets": 21 + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "server": { + "bytes": 1973, + "packets": 10 + }, + "observer": { + "ip": "127.0.0.1" + }, + "ecs": { + "version": "1.8.0" + }, + "netflow": { + "art_server_response_time_maximum": 14, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "version": 10, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0 + }, + "vlan_id": 0, + "art_client_network_time_sum": 2, + "responder_packets": 7, + "initiator_octets": 1973, + "application_id": [ + 13, + 0, + 2, + 99 + ], + "flow_end_sys_up_time": 564200376, + "art_total_transaction_time_sum": 39, + "biflow_direction": 2, + 
"art_count_retransmissions": 0, + "waasoptimization_segment": 16, + "ip_diff_serv_code_point": 0, + "ingress_interface": 10, + "art_server_response_time_sum": 15, + "initiator_packets": 10, + "art_count_responses": 3, + "art_server_network_time_sum": 10, + "connection_sum_duration_seconds": 32, + "art_response_time_sum": 39, + "protocol_identifier": 6, + "flow_start_sys_up_time": 564184268, + "egress_interface": 13, + "art_count_transactions": 3, + "art_network_time_sum": 12, + "art_count_late_responses": 0, + "type": "netflow_flow", + "new_connection_delta_count": 1, + "responder_octets": 3110, + "ingress_vrfid": 0, + "ip_ttl": 61, + "art_total_response_time_sum": 45 + }, + "client": { + "bytes": 3110, + "packets": 7 + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "source": { + "bytes": 3110, + "packets": 7 + }, + "event": { + "category": "network_session", + "action": "netflow_flow", + "type": [ + "connection" + ], + "created": "2021-05-19T09:08:51.939Z", + "kind": "event" + }, + "input": { + "type": "netflow" + }, + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "host": { + "name": "mbp.local" + }, + "destination": { + "packets": 10, + "bytes": 1973 + }, + "network": { + "transport": "tcp", + "iana_number": 6, + "bytes": 5083, + "packets": 17, + "direction": "unknown", + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=" + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "ecs": { + "version": "1.8.0" + }, + "server": { + "bytes": 2, + "packets": 4 + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "destination": { + "bytes": 2, + "packets": 4 + }, + "client": { + "packets": 
4, + "bytes": 2 + }, + "event": { + "created": "2021-05-19T09:08:51.939Z", + "kind": "event", + "category": "network_session", + "action": "netflow_flow", + "type": [ + "connection" + ] + }, + "source": { + "bytes": 2, + "packets": 4 + }, + "input": { + "type": "netflow" + }, + "host": { + "name": "mbp.local" + }, + "network": { + "bytes": 4, + "packets": 8, + "direction": "unknown", + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "transport": "tcp", + "iana_number": 6 + }, + "netflow": { + "art_count_responses": 0, + "flow_start_sys_up_time": 564184300, + "flow_end_sys_up_time": 564214242, + "waasoptimization_segment": 16, + "art_response_time_sum": 0, + "art_client_network_time_sum": 0, + "initiator_octets": 2, + "initiator_packets": 4, + "ip_diff_serv_code_point": 0, + "art_total_response_time_sum": 0, + "ip_ttl": 124, + "art_count_retransmissions": 2, + "protocol_identifier": 6, + "responder_packets": 4, + "type": "netflow_flow", + "application_id": [ + 3, + 0, + 5, + 153 + ], + "art_count_transactions": 0, + "art_network_time_sum": 0, + "egress_interface": 13, + "ingress_interface": 10, + "vlan_id": 0, + "art_count_late_responses": 0, + "new_connection_delta_count": 0, + "art_total_transaction_time_sum": 0, + "art_server_network_time_sum": 0, + "biflow_direction": 2, + "art_server_response_time_maximum": 0, + "responder_octets": 2, + "ingress_vrfid": 0, + "exporter": { + "version": 10, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "address": "127.0.0.1:62809", + "source_id": 512 + }, + "art_server_response_time_sum": 0, + "connection_sum_duration_seconds": 119 + }, + "observer": { + "ip": "127.0.0.1" + }, + "agent": { + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0", + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c" + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": 
"trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "network": { + "packets": 4, + "direction": "unknown", + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "transport": "tcp", + "iana_number": 6, + "bytes": 2 + }, + "netflow": { + "flow_start_sys_up_time": 564184306, + "art_network_time_sum": 0, + "art_total_response_time_sum": 0, + "flow_end_sys_up_time": 564184580, + "application_id": [ + 3, + 0, + 0, + 80 + ], + "new_connection_delta_count": 0, + "biflow_direction": 1, + "waasoptimization_segment": 16, + "exporter": { + "source_id": 512, + "version": 10, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "address": "127.0.0.1:62809" + }, + "vlan_id": 290, + "art_total_transaction_time_sum": 0, + "initiator_packets": 2, + "art_server_network_time_sum": 0, + "egress_interface": 10, + "ip_diff_serv_code_point": 0, + "protocol_identifier": 6, + "art_response_time_sum": 0, + "ip_ttl": 125, + "art_count_responses": 0, + "initiator_octets": 2, + "art_server_response_time_maximum": 0, + "type": "netflow_flow", + "responder_packets": 2, + "art_server_response_time_sum": 0, + "art_client_network_time_sum": 0, + "art_count_late_responses": 0, + "connection_sum_duration_seconds": 179, + "art_count_transactions": 0, + "ingress_interface": 13, + "ingress_vrfid": 0, + "art_count_retransmissions": 2, + "responder_octets": 0 + }, + "source": { + "bytes": 2, + "packets": 2 + }, + "input": { + "type": "netflow" + }, + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "mbp.local" + }, + "server": { + "packets": 2, + "bytes": 0 + }, + "destination": { + "bytes": 0, + "packets": 2 + }, + "event": { + "kind": "event", + "category": "network_session", + "action": "netflow_flow", + "type": [ + "connection" + ], + "created": "2021-05-19T09:08:51.939Z" + }, + "observer": { + "ip": "127.0.0.1" + }, + "client": { + "bytes": 2, + "packets": 2 + }, + "flow": { + "id": "Vhs9T5k296w", 
+ "locality": "internal" + }, + "agent": { + "type": "filebeat", + "version": "8.0.0", + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local" + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "agent": { + "version": "8.0.0", + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat" + }, + "server": { + "bytes": 0, + "packets": 2 + }, + "event": { + "type": [ + "connection" + ], + "created": "2021-05-19T09:08:51.939Z", + "kind": "event", + "category": "network_session", + "action": "netflow_flow" + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "observer": { + "ip": "127.0.0.1" + }, + "source": { + "bytes": 0, + "packets": 4 + }, + "network": { + "packets": 6, + "direction": "unknown", + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "transport": "tcp", + "iana_number": 6, + "bytes": 0 + }, + "input": { + "type": "netflow" + }, + "ecs": { + "version": "1.8.0" + }, + "client": { + "bytes": 0, + "packets": 4 + }, + "destination": { + "bytes": 0, + "packets": 2 + }, + "netflow": { + "art_server_response_time_sum": 0, + "art_server_network_time_sum": 0, + "ip_diff_serv_code_point": 0, + "art_response_time_sum": 0, + "flow_start_sys_up_time": 564184326, + "application_id": [ + 13, + 0, + 1, + 197 + ], + "biflow_direction": 1, + "ip_ttl": 125, + "responder_packets": 2, + "responder_octets": 0, + "art_server_response_time_maximum": 0, + "initiator_packets": 4, + "type": "netflow_flow", + "art_total_transaction_time_sum": 18, + "egress_interface": 10, + "flow_end_sys_up_time": 564184326, + "art_total_response_time_sum": 0, + "vlan_id": 290, + "waasoptimization_segment": 16, + 
"ingress_interface": 13, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "version": 10, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0 + }, + "initiator_octets": 0, + "art_client_network_time_sum": 0, + "connection_sum_duration_seconds": 119, + "art_network_time_sum": 0, + "art_count_retransmissions": 0, + "art_count_late_responses": 0, + "art_count_transactions": 2, + "ingress_vrfid": 0, + "protocol_identifier": 6, + "new_connection_delta_count": 0, + "art_count_responses": 0 + }, + "host": { + "name": "mbp.local" + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "network": { + "transport": "tcp", + "iana_number": 6, + "bytes": 1179, + "packets": 7, + "direction": "unknown", + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=" + }, + "observer": { + "ip": "127.0.0.1" + }, + "host": { + "name": "mbp.local" + }, + "server": { + "bytes": 174, + "packets": 3 + }, + "destination": { + "bytes": 174, + "packets": 3 + }, + "netflow": { + "waasoptimization_segment": 16, + "initiator_packets": 4, + "art_count_retransmissions": 1, + "flow_start_sys_up_time": 564184326, + "connection_sum_duration_seconds": 119, + "initiator_octets": 1005, + "application_id": [ + 3, + 0, + 5, + 153 + ], + "ingress_interface": 13, + "art_server_response_time_sum": 5, + "responder_packets": 3, + "ip_ttl": 125, + "art_client_network_time_sum": 0, + "art_count_transactions": 1, + "art_total_transaction_time_sum": 12, + "protocol_identifier": 6, + "art_network_time_sum": 0, + "new_connection_delta_count": 0, + "art_server_response_time_maximum": 5, + "art_response_time_sum": 5, + "type": "netflow_flow", + "responder_octets": 174, + "art_server_network_time_sum": 0, + "art_count_responses": 1, 
+ "egress_interface": 10, + "flow_end_sys_up_time": 564214476, + "biflow_direction": 1, + "ingress_vrfid": 0, + "art_total_response_time_sum": 8, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "version": 10, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0 + }, + "ip_diff_serv_code_point": 0, + "vlan_id": 290, + "art_count_late_responses": 0 + }, + "event": { + "kind": "event", + "category": "network_session", + "action": "netflow_flow", + "type": [ + "connection" + ], + "created": "2021-05-19T09:08:51.939Z" + }, + "client": { + "bytes": 1005, + "packets": 4 + }, + "input": { + "type": "netflow" + }, + "ecs": { + "version": "1.8.0" + }, + "agent": { + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0", + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75" + }, + "source": { + "bytes": 1005, + "packets": 4 + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "mbp.local" + }, + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "netflow": { + "art_server_network_time_sum": 0, + "vlan_id": 0, + "art_count_transactions": 2, + "responder_packets": 4, + "type": "netflow_flow", + "ingress_interface": 10, + "flow_end_sys_up_time": 564184490, + "protocol_identifier": 6, + "ingress_vrfid": 0, + "initiator_octets": 0, + "exporter": { + "version": 10, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "address": "127.0.0.1:62809", + "source_id": 512 + }, + "art_total_transaction_time_sum": 119644, + "art_response_time_sum": 0, + "responder_octets": 138, + 
"art_client_network_time_sum": 0, + "initiator_packets": 2, + "flow_start_sys_up_time": 564184336, + "ip_diff_serv_code_point": 0, + "connection_sum_duration_seconds": 238, + "egress_interface": 13, + "art_total_response_time_sum": 0, + "waasoptimization_segment": 16, + "art_network_time_sum": 0, + "art_server_response_time_sum": 0, + "art_server_response_time_maximum": 0, + "art_count_late_responses": 0, + "art_count_retransmissions": 0, + "biflow_direction": 2, + "art_count_responses": 0, + "application_id": [ + 13, + 0, + 1, + 197 + ], + "new_connection_delta_count": 0, + "ip_ttl": 61 + }, + "network": { + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "transport": "tcp", + "iana_number": 6, + "bytes": 138, + "packets": 6, + "direction": "unknown" + }, + "source": { + "packets": 4, + "bytes": 138 + }, + "input": { + "type": "netflow" + }, + "server": { + "bytes": 0, + "packets": 2 + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "observer": { + "ip": "127.0.0.1" + }, + "destination": { + "bytes": 0, + "packets": 2 + }, + "event": { + "action": "netflow_flow", + "type": [ + "connection" + ], + "created": "2021-05-19T09:08:51.939Z", + "kind": "event", + "category": "network_session" + }, + "client": { + "bytes": 138, + "packets": 4 + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "host": { + "name": "mbp.local" + }, + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "netflow": { + "art_total_response_time_sum": 0, + "initiator_octets": 0, + "flow_end_sys_up_time": 564184350, + "art_network_time_sum": 0, + "ingress_interface": 10, + "responder_octets": 31, + "art_server_response_time_sum": 0, 
+ "art_count_transactions": 1, + "ingress_vrfid": 0, + "vlan_id": 0, + "application_id": [ + 13, + 0, + 1, + 197 + ], + "biflow_direction": 2, + "new_connection_delta_count": 0, + "initiator_packets": 1, + "art_client_network_time_sum": 0, + "exporter": { + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "address": "127.0.0.1:62809", + "source_id": 512, + "version": 10 + }, + "art_response_time_sum": 0, + "type": "netflow_flow", + "art_count_responses": 0, + "waasoptimization_segment": 16, + "art_count_retransmissions": 0, + "ip_diff_serv_code_point": 0, + "ip_ttl": 43, + "art_count_late_responses": 0, + "art_total_transaction_time_sum": 59790, + "protocol_identifier": 6, + "flow_start_sys_up_time": 564184348, + "responder_packets": 2, + "art_server_response_time_maximum": 0, + "art_server_network_time_sum": 0, + "connection_sum_duration_seconds": 119, + "egress_interface": 13 + }, + "network": { + "iana_number": 6, + "bytes": 31, + "packets": 3, + "direction": "unknown", + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "transport": "tcp" + }, + "observer": { + "ip": "127.0.0.1" + }, + "client": { + "bytes": 31, + "packets": 2 + }, + "source": { + "bytes": 31, + "packets": 2 + }, + "ecs": { + "version": "1.8.0" + }, + "server": { + "packets": 1, + "bytes": 0 + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "event": { + "category": "network_session", + "action": "netflow_flow", + "type": [ + "connection" + ], + "created": "2021-05-19T09:08:51.939Z", + "kind": "event" + }, + "destination": { + "bytes": 0, + "packets": 1 + }, + "input": { + "type": "netflow" + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "event": { + "category": "network_session", + "action": "netflow_flow", + "type": [ + "connection" + ], + 
"created": "2021-05-19T09:08:51.939Z", + "kind": "event" + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "input": { + "type": "netflow" + }, + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "1.8.0" + }, + "client": { + "bytes": 13482, + "packets": 17 + }, + "destination": { + "bytes": 8989, + "packets": 19 + }, + "server": { + "bytes": 8989, + "packets": 19 + }, + "source": { + "bytes": 13482, + "packets": 17 + }, + "network": { + "packets": 36, + "direction": "unknown", + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "transport": "tcp", + "iana_number": 6, + "bytes": 22471 + }, + "host": { + "name": "mbp.local" + }, + "netflow": { + "application_id": [ + 13, + 0, + 1, + 197 + ], + "responder_packets": 17, + "new_connection_delta_count": 1, + "art_count_retransmissions": 0, + "art_count_transactions": 6, + "exporter": { + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "address": "127.0.0.1:62809", + "source_id": 512, + "version": 10 + }, + "art_count_responses": 6, + "art_server_response_time_sum": 33, + "flow_end_sys_up_time": 564184586, + "art_total_transaction_time_sum": 43, + "egress_interface": 13, + "flow_start_sys_up_time": 564184356, + "art_network_time_sum": 3, + "initiator_packets": 19, + "type": "netflow_flow", + "art_response_time_sum": 33, + "ingress_interface": 10, + "art_server_network_time_sum": 0, + "waasoptimization_segment": 16, + "ingress_vrfid": 0, + "art_client_network_time_sum": 3, + "protocol_identifier": 6, + "responder_octets": 13482, + "ip_diff_serv_code_point": 0, + "art_total_response_time_sum": 51, + "art_count_late_responses": 0, + "ip_ttl": 124, + "art_server_response_time_maximum": 28, + "vlan_id": 0, + "biflow_direction": 2, + "initiator_octets": 8989, + "connection_sum_duration_seconds": 0 + }, + "observer": { + "ip": 
"127.0.0.1" + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "network": { + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "transport": "tcp", + "iana_number": 6, + "bytes": 261718, + "packets": 369, + "direction": "unknown" + }, + "netflow": { + "ip_diff_serv_code_point": 0, + "connection_sum_duration_seconds": 116, + "art_count_transactions": 25, + "egress_interface": 13, + "new_connection_delta_count": 8, + "vlan_id": 0, + "biflow_direction": 2, + "art_response_time_sum": 301, + "art_total_response_time_sum": 363, + "art_network_time_sum": 58, + "art_server_network_time_sum": 38, + "type": "netflow_flow", + "flow_end_sys_up_time": 564215336, + "art_server_response_time_maximum": 31, + "art_server_response_time_sum": 168, + "ip_ttl": 61, + "art_total_transaction_time_sum": 332, + "responder_octets": 28373, + "protocol_identifier": 6, + "ingress_interface": 10, + "application_id": [ + 13, + 0, + 2, + 99 + ], + "responder_packets": 133, + "art_count_responses": 25, + "art_count_late_responses": 0, + "flow_start_sys_up_time": 564184380, + "ingress_vrfid": 0, + "waasoptimization_segment": 16, + "art_count_retransmissions": 4, + "exporter": { + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "address": "127.0.0.1:62809", + "source_id": 512, + "version": 10 + }, + "initiator_octets": 233345, + "initiator_packets": 236, + "art_client_network_time_sum": 20 + }, + "client": { + "bytes": 28373, + "packets": 133 + }, + "server": { + "bytes": 233345, + "packets": 236 + }, + "source": { + "bytes": 28373, + "packets": 133 + }, + "observer": { + "ip": "127.0.0.1" + }, + "input": { + "type": "netflow" + }, + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + 
"type": "filebeat", + "version": "8.0.0" + }, + "flow": { + "locality": "internal", + "id": "Vhs9T5k296w" + }, + "destination": { + "packets": 236, + "bytes": 233345 + }, + "event": { + "type": [ + "connection" + ], + "created": "2021-05-19T09:08:51.939Z", + "kind": "event", + "category": "network_session", + "action": "netflow_flow" + }, + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "mbp.local" + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "@timestamp": "2020-04-16T23:22:51Z", + "destination": { + "ip": "10.36.236.100", + "locality": "internal", + "port": 54594 + }, + "event": { + "action": "netflow_flow", + "category": [ + "network" + ], + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "6mUV1nPVG80", + "locality": "internal" + }, + "netflow": { + "destination_ipv4_address": "10.36.236.100", + "destination_transport_port": 54594, + "egress_interface": 1, + "exporter": { + "address": "81.2.69.144:10000", + "source_id": 1, + "timestamp": "2020-04-16T23:22:51Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_milliseconds": "2020-04-16T23:22:48.963Z", + "flow_end_reason": 3, + "flow_start_milliseconds": "2020-04-16T23:22:48.96Z", + "ingress_interface": 1, + "octet_delta_count": 1855, + "packet_delta_count": 5, + "protocol_identifier": 6, + "source_ipv4_address": "10.127.32.11", + "source_transport_port": 53, + "tcp_control_bits": 27, + "type": "netflow_flow" + }, + "network": { + "bytes": 1855, + "community_id": "1:+/kh1SKruHHnZ5JGSMfWk9nZx8o=", + "direction": "unknown", + "iana_number": 6, + "packets": 5, + "transport": "tcp" + }, + "observer": { + "ip": "81.2.69.144" + }, + "related": { + "ip": [ + "10.36.236.100", + "10.127.32.11" + ] + }, + "source": { + "bytes": 1855, + "ip": "10.127.32.11", + "locality": "internal", + "packets": 5, + "port": 53 + }, 
+ "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "@timestamp": "2020-04-16T23:22:51Z", + "destination": { + "ip": "10.36.236.100", + "locality": "internal", + "port": 49180 + }, + "event": { + "action": "netflow_flow", + "category": [ + "network" + ], + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "HVg4SttTufc", + "locality": "external" + }, + "netflow": { + "destination_ipv4_address": "10.36.236.100", + "destination_transport_port": 49180, + "egress_interface": 1, + "exporter": { + "address": "81.2.69.144:10000", + "source_id": 1, + "timestamp": "2020-04-16T23:22:51Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_milliseconds": "2020-04-16T23:22:48.404Z", + "flow_end_reason": 3, + "flow_start_milliseconds": "2020-04-16T23:22:47.995Z", + "ingress_interface": 1, + "octet_delta_count": 7158, + "packet_delta_count": 10, + "protocol_identifier": 6, + "source_ipv4_address": "89.160.20.112", + "source_transport_port": 443, + "tcp_control_bits": 27, + "type": "netflow_flow" + }, + "network": { + "bytes": 7158, + "community_id": "1:Zyly7BCJ6D7luuRJJazRxZ/mFZM=", + "direction": "unknown", + "iana_number": 6, + "packets": 10, + "transport": "tcp" + }, + "observer": { + "ip": "81.2.69.144" + }, + "related": { + "ip": [ + "10.36.236.100", + "89.160.20.112" + ] + }, + "source": { + "bytes": 7158, + "ip": "89.160.20.112", + "locality": "external", + "packets": 10, + "port": 443 + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "@timestamp": "2020-04-16T23:22:51Z", + "destination": { + "ip": "89.160.20.112", + "locality": "external", + "port": 443 + }, + "event": { + "action": "netflow_flow", + "category": [ + "network" 
+ ], + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "HVg4SttTufc", + "locality": "external" + }, + "netflow": { + "destination_ipv4_address": "89.160.20.112", + "destination_transport_port": 443, + "egress_interface": 1, + "exporter": { + "address": "81.2.69.144:10000", + "source_id": 1, + "timestamp": "2020-04-16T23:22:51Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_milliseconds": "2020-04-16T23:22:48.404Z", + "flow_end_reason": 3, + "flow_start_milliseconds": "2020-04-16T23:22:47.92Z", + "ingress_interface": 1, + "octet_delta_count": 1538, + "packet_delta_count": 11, + "protocol_identifier": 6, + "source_ipv4_address": "10.36.236.100", + "source_transport_port": 49180, + "tcp_control_bits": 27, + "type": "netflow_flow" + }, + "network": { + "bytes": 1538, + "community_id": "1:Zyly7BCJ6D7luuRJJazRxZ/mFZM=", + "direction": "unknown", + "iana_number": 6, + "packets": 11, + "transport": "tcp" + }, + "observer": { + "ip": "81.2.69.144" + }, + "related": { + "ip": [ + "10.36.236.100", + "89.160.20.112" + ] + }, + "source": { + "bytes": 1538, + "ip": "10.36.236.100", + "locality": "internal", + "packets": 11, + "port": 49180 + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "@timestamp": "2018-04-15T03:30:00Z", + "destination": { + "ip": "0.0.0.0", + "locality": "internal", + "port": 135 + }, + "event": { + "action": "netflow_flow", + "category": [ + "network" + ], + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "GYmhjYyvaAI", + "locality": "internal" + }, + "netflow": { + "bgp_destination_as_number": 0, + "bgp_source_as_number": 0, + "destination_ipv4_address": "0.0.0.0", + "destination_ipv6_address": "2a02:cf40::2", + "destination_transport_port": 135, + "exporter": { + "address": "81.2.69.144:4444", + "source_id": 2875616939, + 
"timestamp": "2018-04-15T03:30:00Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_seconds": "2018-04-15T03:29:02Z", + "flow_start_seconds": "2018-04-15T03:28:44Z", + "procera_base_service": "IP protocol 58 (IPv6-ICMP)", + "procera_content_categories": "", + "procera_flow_behavior": "INITIAL,SERVER_IS_LOCAL,BEGINNING,ESTABLISHED", + "procera_http_content_type": "", + "procera_http_file_length": 0, + "procera_http_location": "", + "procera_http_url": "", + "procera_incoming_octets": 86, + "procera_outgoing_octets": 78, + "procera_service": "IP protocol 58 (IPv6-ICMP)", + "procera_subscriber_identifier": "", + "procera_template_name": "IPFIX", + "protocol_identifier": 58, + "source_ipv4_address": "0.0.0.0", + "source_ipv6_address": "2a02:cf40::1", + "source_transport_port": 136, + "type": "netflow_flow" + }, + "network": { + "community_id": "1:vK+Zeop1Y3GHxfFGVF2/COcNBWw=", + "direction": "unknown", + "iana_number": 58, + "transport": "ipv6-icmp" + }, + "observer": { + "ip": "81.2.69.144" + }, + "related": { + "ip": [ + "0.0.0.0" + ] + }, + "source": { + "ip": "0.0.0.0", + "locality": "internal", + "port": 136 + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "@timestamp": "2018-04-15T03:30:00Z", + "destination": { + "ip": "0.0.0.0", + "locality": "internal", + "port": 135 + }, + "event": { + "action": "netflow_flow", + "category": [ + "network" + ], + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "GYmhjYyvaAI", + "locality": "internal" + }, + "netflow": { + "bgp_destination_as_number": 0, + "bgp_source_as_number": 0, + "destination_ipv6_address": "2a02:cf40::2", + "destination_transport_port": 135, + "exporter": { + "address": "81.2.69.144:4444", + "source_id": 2875616939, + "timestamp": "2018-04-15T03:30:00Z", + "uptime_millis": 0, + "version": 10 + }, + 
"flow_end_seconds": "2018-04-15T03:29:02Z", + "flow_start_seconds": "2018-04-15T03:28:44Z", + "procera_base_service": "IP protocol 58 (IPv6-ICMP)", + "procera_content_categories": "", + "procera_flow_behavior": "INITIAL,SERVER_IS_LOCAL,BEGINNING,ESTABLISHED", + "procera_http_content_type": "", + "procera_http_file_length": 0, + "procera_http_location": "", + "procera_http_url": "", + "procera_incoming_octets": 86, + "procera_outgoing_octets": 78, + "procera_service": "IP protocol 58 (IPv6-ICMP)", + "procera_subscriber_identifier": "", + "procera_template_name": "IPFIX", + "protocol_identifier": 58, + "source_ipv6_address": "2a02:cf40::1", + "source_transport_port": 136, + "type": "netflow_flow" + }, + "network": { + "community_id": "1:vK+Zeop1Y3GHxfFGVF2/COcNBWw=", + "direction": "unknown", + "iana_number": 58, + "transport": "ipv6-icmp" + }, + "observer": { + "ip": "81.2.69.144" + }, + "related": { + "ip": [ + "0.0.0.0" + ] + }, + "source": { + "ip": "0.0.0.0", + "locality": "internal", + "port": 136 + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + } + ] +} \ No newline at end of file diff --git a/packages/endace/data_stream/log/_dev/test/pipeline/test-netflow-log-events.json-expected.json b/packages/endace/data_stream/log/_dev/test/pipeline/test-netflow-log-events.json-expected.json new file mode 100644 index 00000000000..3bfddfa3d57 --- /dev/null +++ b/packages/endace/data_stream/log/_dev/test/pipeline/test-netflow-log-events.json-expected.json 
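Review bot: the two IPv6-ICMP events at the tail of this fixture carry `source.ip` and `destination.ip` of `0.0.0.0` (and `related.ip: ["0.0.0.0"]`) while the real endpoints are only in `netflow.source_ipv6_address: "2a02:cf40::1"` and `netflow.destination_ipv6_address: "2a02:cf40::2"`; a pivot keyed on `source.ip`/`destination.ip` would point Vision at `0.0.0.0`, so the pipeline should either fall back to the `*_ipv6_address` fields for these or the expected file should carry an explicit expectation that no `event.reference` is emitted for them, and that choice deserves a comment in the pipeline. Two smaller points on the same hunk: the identical `_conf` block (`endace_url`, `endace_datasources`, `endace_tools`, `endace_lookback`) is pasted verbatim into every event, which is a lot of repetition for four values that never vary; if the pipeline reads them from the document, supplying them once through the test's `-config.yml` `fields:` would keep the fixture to the events themselves (assuming that mechanism is what the pipeline is wired to). And the file ends with `\ No newline at end of file`; please add the trailing newline so the next change to it does not show a spurious diff on the last line.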
@@ -0,0 +1,3594 @@ +{ + "expected": [ + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "client": { + "bytes": 719, + "packets": 5 + }, + "destination": { + "bytes": 0, + "ip": "10.36.236.100", + "packets": 0 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "netflow_flow", + "category": [ + "network", + "session" + ], + "created": "2021-05-19T09:08:51.938Z", + "kind": "event", + "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=&end=&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip=10.36.236.100", + "type": [ + "connection" + ] + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "host": { + "name": "mbp.local" + }, + "input": { + "type": "netflow" + }, + "netflow": { + "application_id": [ + 3, + 0, + 0, + 80 + ], + "art_client_network_time_sum": 0, + "art_count_late_responses": 0, + "art_count_responses": 0, + "art_count_retransmissions": 0, + "art_count_transactions": 0, + "art_network_time_sum": 0, + "art_response_time_sum": 0, + "art_server_network_time_sum": 0, + "art_server_response_time_maximum": 0, + "art_server_response_time_sum": 0, + "art_total_response_time_sum": 0, + "art_total_transaction_time_sum": 0, + "biflow_direction": 1, + "connection_sum_duration_seconds": 0, + "egress_interface": 13, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_sys_up_time": 564184158, + "flow_start_sys_up_time": 564184140, + "ingress_interface": 10, + "ingress_vrfid": 0, + "initiator_octets": 719, + "initiator_packets": 5, + "ip_diff_serv_code_point": 0, + "ip_ttl": 49, + "new_connection_delta_count": 1, + "protocol_identifier": 6, + "responder_octets": 0, 
+ "responder_packets": 0, + "type": "netflow_flow", + "vlan_id": 0, + "waasoptimization_segment": 16 + }, + "network": { + "bytes": 719, + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "direction": "unknown", + "iana_number": "6", + "packets": 5, + "transport": "tcp" + }, + "observer": { + "ip": [ + "127.0.0.1" + ] + }, + "server": { + "bytes": 0, + "packets": 0 + }, + "source": { + "bytes": 719, + "packets": 5 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "client": { + "bytes": 1477, + "packets": 6 + }, + "destination": { + "bytes": 0, + "packets": 0 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "netflow_flow", + "category": [ + "network", + "session" + ], + "created": "2021-05-19T09:08:51.938Z", + "kind": "event", + "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=&end=&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip=10.127.32.11", + "type": [ + "connection" + ] + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "host": { + "name": "mbp.local" + }, + "input": { + "type": "netflow" + }, + "netflow": { + "application_id": [ + 3, + 0, + 0, + 80 + ], + "art_client_network_time_sum": 0, + "art_count_late_responses": 0, + "art_count_responses": 0, + "art_count_retransmissions": 0, + "art_count_transactions": 0, + "art_network_time_sum": 0, + "art_response_time_sum": 0, + "art_server_network_time_sum": 0, + "art_server_response_time_maximum": 0, + "art_server_response_time_sum": 0, + "art_total_response_time_sum": 0, + "art_total_transaction_time_sum": 0, + "biflow_direction": 1, + "connection_sum_duration_seconds": 0, + "egress_interface": 13, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "timestamp": 
"2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_sys_up_time": 564184154, + "flow_start_sys_up_time": 564184140, + "ingress_interface": 10, + "ingress_vrfid": 0, + "initiator_octets": 1477, + "initiator_packets": 6, + "ip_diff_serv_code_point": 0, + "ip_ttl": 49, + "new_connection_delta_count": 1, + "protocol_identifier": 6, + "responder_octets": 0, + "responder_packets": 0, + "type": "netflow_flow", + "vlan_id": 0, + "waasoptimization_segment": 16 + }, + "network": { + "bytes": 1477, + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "direction": "unknown", + "iana_number": "6", + "packets": 6, + "transport": "tcp" + }, + "observer": { + "ip": [ + "127.0.0.1" + ] + }, + "server": { + "bytes": 0, + "packets": 0 + }, + "source": { + "bytes": 1477, + "ip": "10.127.32.11", + "packets": 6 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "client": { + "bytes": 1, + "packets": 1 + }, + "destination": { + "bytes": 0, + "packets": 1 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "netflow_flow", + "category": [ + "network", + "session" + ], + "created": "2021-05-19T09:08:51.938Z", + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "host": { + "name": "mbp.local" + }, + "input": { + "type": "netflow" + }, + "netflow": { + "application_id": [ + 13, + 0, + 2, + 8 + ], + "art_client_network_time_sum": 0, + "art_count_late_responses": 0, + "art_count_responses": 0, + "art_count_retransmissions": 1, + "art_count_transactions": 0, + "art_network_time_sum": 0, + "art_response_time_sum": 0, + "art_server_network_time_sum": 0, + "art_server_response_time_maximum": 0, + "art_server_response_time_sum": 0, + "art_total_response_time_sum": 0, + 
"art_total_transaction_time_sum": 0, + "biflow_direction": 1, + "connection_sum_duration_seconds": 89, + "egress_interface": 10, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_sys_up_time": 564184144, + "flow_start_sys_up_time": 564184142, + "ingress_interface": 13, + "ingress_vrfid": 0, + "initiator_octets": 1, + "initiator_packets": 1, + "ip_diff_serv_code_point": 0, + "ip_ttl": 125, + "new_connection_delta_count": 0, + "protocol_identifier": 6, + "responder_octets": 0, + "responder_packets": 1, + "type": "netflow_flow", + "vlan_id": 290, + "waasoptimization_segment": 16 + }, + "network": { + "bytes": 1, + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "direction": "unknown", + "iana_number": "6", + "packets": 2, + "transport": "tcp" + }, + "observer": { + "ip": [ + "127.0.0.1" + ] + }, + "server": { + "bytes": 0, + "packets": 1 + }, + "source": { + "bytes": 1, + "packets": 1 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "client": { + "bytes": 108580, + "packets": 79 + }, + "destination": { + "bytes": 0, + "packets": 0 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "netflow_flow", + "category": [ + "network", + "session" + ], + "created": "2021-05-19T09:08:51.938Z", + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "host": { + "name": "mbp.local" + }, + "input": { + "type": "netflow" + }, + "netflow": { + "application_id": [ + 3, + 0, + 0, + 80 + ], + "art_client_network_time_sum": 0, + "art_count_late_responses": 0, + "art_count_responses": 0, + "art_count_retransmissions": 2, + "art_count_transactions": 0, + "art_network_time_sum": 0, + 
"art_response_time_sum": 0, + "art_server_network_time_sum": 0, + "art_server_response_time_maximum": 0, + "art_server_response_time_sum": 0, + "art_total_response_time_sum": 0, + "art_total_transaction_time_sum": 0, + "biflow_direction": 1, + "connection_sum_duration_seconds": 0, + "egress_interface": 13, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_sys_up_time": 564184216, + "flow_start_sys_up_time": 564184131, + "ingress_interface": 10, + "ingress_vrfid": 0, + "initiator_octets": 108580, + "initiator_packets": 79, + "ip_diff_serv_code_point": 0, + "ip_ttl": 49, + "new_connection_delta_count": 1, + "protocol_identifier": 6, + "responder_octets": 0, + "responder_packets": 0, + "type": "netflow_flow", + "vlan_id": 0, + "waasoptimization_segment": 16 + }, + "network": { + "bytes": 108580, + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "direction": "unknown", + "iana_number": "6", + "packets": 79, + "transport": "tcp" + }, + "observer": { + "ip": [ + "127.0.0.1" + ] + }, + "server": { + "bytes": 0, + "packets": 0 + }, + "source": { + "bytes": 108580, + "packets": 79 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "client": { + "bytes": 342, + "packets": 5 + }, + "destination": { + "bytes": 0, + "packets": 0 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "netflow_flow", + "category": [ + "network", + "session" + ], + "created": "2021-05-19T09:08:51.938Z", + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "host": { + "name": "mbp.local" + }, + "input": { + "type": "netflow" + }, + "netflow": { + "application_id": [ + 3, + 0, + 0, + 80 + ], + 
"art_client_network_time_sum": 0, + "art_count_late_responses": 0, + "art_count_responses": 0, + "art_count_retransmissions": 0, + "art_count_transactions": 0, + "art_network_time_sum": 0, + "art_response_time_sum": 0, + "art_server_network_time_sum": 0, + "art_server_response_time_maximum": 0, + "art_server_response_time_sum": 0, + "art_total_response_time_sum": 0, + "art_total_transaction_time_sum": 0, + "biflow_direction": 1, + "connection_sum_duration_seconds": 0, + "egress_interface": 13, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_sys_up_time": 564184208, + "flow_start_sys_up_time": 564184176, + "ingress_interface": 10, + "ingress_vrfid": 0, + "initiator_octets": 342, + "initiator_packets": 5, + "ip_diff_serv_code_point": 0, + "ip_ttl": 49, + "new_connection_delta_count": 1, + "protocol_identifier": 6, + "responder_octets": 0, + "responder_packets": 0, + "type": "netflow_flow", + "vlan_id": 0, + "waasoptimization_segment": 16 + }, + "network": { + "bytes": 342, + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "direction": "unknown", + "iana_number": "6", + "packets": 5, + "transport": "tcp" + }, + "observer": { + "ip": [ + "127.0.0.1" + ] + }, + "server": { + "bytes": 0, + "packets": 0 + }, + "source": { + "bytes": 342, + "packets": 5 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "client": { + "bytes": 1851, + "packets": 17 + }, + "destination": { + "bytes": 9437, + "packets": 18 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "netflow_flow", + "category": [ + "network", + "session" + ], + "created": "2021-05-19T09:08:51.938Z", + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "Vhs9T5k296w", 
+ "locality": "internal" + }, + "host": { + "name": "mbp.local" + }, + "input": { + "type": "netflow" + }, + "netflow": { + "application_id": [ + 13, + 0, + 1, + 197 + ], + "art_client_network_time_sum": 2, + "art_count_late_responses": 0, + "art_count_responses": 3, + "art_count_retransmissions": 0, + "art_count_transactions": 2, + "art_network_time_sum": 97, + "art_response_time_sum": 153, + "art_server_network_time_sum": 95, + "art_server_response_time_maximum": 8, + "art_server_response_time_sum": 13, + "art_total_response_time_sum": 156, + "art_total_transaction_time_sum": 100, + "biflow_direction": 1, + "connection_sum_duration_seconds": 24, + "egress_interface": 10, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_sys_up_time": 564197394, + "flow_start_sys_up_time": 564184067, + "ingress_interface": 13, + "ingress_vrfid": 0, + "initiator_octets": 1851, + "initiator_packets": 17, + "ip_diff_serv_code_point": 0, + "ip_ttl": 125, + "new_connection_delta_count": 2, + "protocol_identifier": 6, + "responder_octets": 9437, + "responder_packets": 18, + "type": "netflow_flow", + "vlan_id": 290, + "waasoptimization_segment": 16 + }, + "network": { + "bytes": 11288, + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "direction": "unknown", + "iana_number": "6", + "packets": 35, + "transport": "tcp" + }, + "observer": { + "ip": [ + "127.0.0.1" + ] + }, + "server": { + "bytes": 9437, + "packets": 18 + }, + "source": { + "bytes": 1851, + "packets": 17 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "client": { + "bytes": 51480, + "packets": 39 + }, + "destination": { + "bytes": 0, + "packets": 0 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + 
"action": "netflow_flow", + "category": [ + "network", + "session" + ], + "created": "2021-05-19T09:08:51.938Z", + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "host": { + "name": "mbp.local" + }, + "input": { + "type": "netflow" + }, + "netflow": { + "application_id": [ + 3, + 0, + 0, + 80 + ], + "art_client_network_time_sum": 0, + "art_count_late_responses": 0, + "art_count_responses": 0, + "art_count_retransmissions": 0, + "art_count_transactions": 0, + "art_network_time_sum": 0, + "art_response_time_sum": 0, + "art_server_network_time_sum": 0, + "art_server_response_time_maximum": 0, + "art_server_response_time_sum": 0, + "art_total_response_time_sum": 0, + "art_total_transaction_time_sum": 0, + "biflow_direction": 1, + "connection_sum_duration_seconds": 0, + "egress_interface": 13, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_sys_up_time": 564184216, + "flow_start_sys_up_time": 564184182, + "ingress_interface": 10, + "ingress_vrfid": 0, + "initiator_octets": 51480, + "initiator_packets": 39, + "ip_diff_serv_code_point": 0, + "ip_ttl": 49, + "new_connection_delta_count": 1, + "protocol_identifier": 6, + "responder_octets": 0, + "responder_packets": 0, + "type": "netflow_flow", + "vlan_id": 0, + "waasoptimization_segment": 16 + }, + "network": { + "bytes": 51480, + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "direction": "unknown", + "iana_number": "6", + "packets": 39, + "transport": "tcp" + }, + "observer": { + "ip": [ + "127.0.0.1" + ] + }, + "server": { + "bytes": 0, + "packets": 0 + }, + "source": { + "bytes": 51480, + "packets": 39 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + 
"version": "8.0.0" + }, + "client": { + "bytes": 5135, + "packets": 55 + }, + "destination": { + "bytes": 36894, + "packets": 47 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "netflow_flow", + "category": [ + "network", + "session" + ], + "created": "2021-05-19T09:08:51.938Z", + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "host": { + "name": "mbp.local" + }, + "input": { + "type": "netflow" + }, + "netflow": { + "application_id": [ + 13, + 0, + 1, + 197 + ], + "art_client_network_time_sum": 10, + "art_count_late_responses": 0, + "art_count_responses": 15, + "art_count_retransmissions": 0, + "art_count_transactions": 14, + "art_network_time_sum": 374, + "art_response_time_sum": 516, + "art_server_network_time_sum": 364, + "art_server_response_time_maximum": 27, + "art_server_response_time_sum": 117, + "art_total_response_time_sum": 541, + "art_total_transaction_time_sum": 512, + "biflow_direction": 1, + "connection_sum_duration_seconds": 35, + "egress_interface": 10, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_sys_up_time": 564203810, + "flow_start_sys_up_time": 564184040, + "ingress_interface": 13, + "ingress_vrfid": 0, + "initiator_octets": 5135, + "initiator_packets": 55, + "ip_diff_serv_code_point": 0, + "ip_ttl": 126, + "new_connection_delta_count": 6, + "protocol_identifier": 6, + "responder_octets": 36894, + "responder_packets": 47, + "type": "netflow_flow", + "vlan_id": 290, + "waasoptimization_segment": 16 + }, + "network": { + "bytes": 42029, + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "direction": "unknown", + "iana_number": "6", + "packets": 102, + "transport": "tcp" + }, + "observer": { + "ip": [ + "127.0.0.1" + ] + }, + "server": { + "bytes": 36894, + "packets": 47 + }, + "source": { + "bytes": 5135, + "packets": 55 + } + }, + 
{ + "@timestamp": "2018-07-03T10:47:00.000Z", + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "client": { + "bytes": 6533, + "packets": 14 + }, + "destination": { + "bytes": 6400, + "packets": 20 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "netflow_flow", + "category": [ + "network", + "session" + ], + "created": "2021-05-19T09:08:51.938Z", + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "host": { + "name": "mbp.local" + }, + "input": { + "type": "netflow" + }, + "netflow": { + "application_id": [ + 13, + 0, + 2, + 99 + ], + "art_client_network_time_sum": 5, + "art_count_late_responses": 0, + "art_count_responses": 6, + "art_count_retransmissions": 1, + "art_count_transactions": 6, + "art_network_time_sum": 23, + "art_response_time_sum": 123, + "art_server_network_time_sum": 18, + "art_server_response_time_maximum": 31, + "art_server_response_time_sum": 78, + "art_total_response_time_sum": 138, + "art_total_transaction_time_sum": 123, + "biflow_direction": 2, + "connection_sum_duration_seconds": 64, + "egress_interface": 13, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_sys_up_time": 564200378, + "flow_start_sys_up_time": 564184163, + "ingress_interface": 10, + "ingress_vrfid": 0, + "initiator_octets": 6400, + "initiator_packets": 20, + "ip_diff_serv_code_point": 0, + "ip_ttl": 61, + "new_connection_delta_count": 2, + "protocol_identifier": 6, + "responder_octets": 6533, + "responder_packets": 14, + "type": "netflow_flow", + "vlan_id": 0, + "waasoptimization_segment": 16 + }, + "network": { + "bytes": 12933, + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "direction": "unknown", + "iana_number": "6", + 
"packets": 34, + "transport": "tcp" + }, + "observer": { + "ip": [ + "127.0.0.1" + ] + }, + "server": { + "bytes": 6400, + "packets": 20 + }, + "source": { + "bytes": 6533, + "packets": 14 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "client": { + "bytes": 5684, + "packets": 491 + }, + "destination": { + "bytes": 0, + "packets": 0 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "netflow_flow", + "category": [ + "network", + "session" + ], + "created": "2021-05-19T09:08:51.938Z", + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "host": { + "name": "mbp.local" + }, + "input": { + "type": "netflow" + }, + "netflow": { + "application_id": [ + 13, + 0, + 0, + 49 + ], + "art_client_network_time_sum": 0, + "art_count_late_responses": 0, + "art_count_responses": 0, + "art_count_retransmissions": 0, + "art_count_transactions": 0, + "art_network_time_sum": 0, + "art_response_time_sum": 0, + "art_server_network_time_sum": 0, + "art_server_response_time_maximum": 0, + "art_server_response_time_sum": 0, + "art_total_response_time_sum": 0, + "art_total_transaction_time_sum": 0, + "biflow_direction": 1, + "connection_sum_duration_seconds": 109, + "egress_interface": 10, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_sys_up_time": 564185840, + "flow_start_sys_up_time": 564184196, + "ingress_interface": 13, + "ingress_vrfid": 0, + "initiator_octets": 5684, + "initiator_packets": 491, + "ip_diff_serv_code_point": 0, + "ip_ttl": 125, + "new_connection_delta_count": 0, + "protocol_identifier": 6, + "responder_octets": 0, + "responder_packets": 0, + "type": "netflow_flow", + 
"vlan_id": 290, + "waasoptimization_segment": 16 + }, + "network": { + "bytes": 5684, + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "direction": "unknown", + "iana_number": "6", + "packets": 491, + "transport": "tcp" + }, + "observer": { + "ip": [ + "127.0.0.1" + ] + }, + "server": { + "bytes": 0, + "packets": 0 + }, + "source": { + "bytes": 5684, + "packets": 491 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "client": { + "bytes": 4965, + "packets": 13 + }, + "destination": { + "bytes": 0, + "packets": 0 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "netflow_flow", + "category": [ + "network", + "session" + ], + "created": "2021-05-19T09:08:51.938Z", + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "host": { + "name": "mbp.local" + }, + "input": { + "type": "netflow" + }, + "netflow": { + "application_id": [ + 13, + 0, + 1, + 197 + ], + "art_client_network_time_sum": 0, + "art_count_late_responses": 0, + "art_count_responses": 0, + "art_count_retransmissions": 0, + "art_count_transactions": 0, + "art_network_time_sum": 0, + "art_response_time_sum": 0, + "art_server_network_time_sum": 0, + "art_server_response_time_maximum": 0, + "art_server_response_time_sum": 0, + "art_total_response_time_sum": 0, + "art_total_transaction_time_sum": 0, + "biflow_direction": 1, + "connection_sum_duration_seconds": 0, + "egress_interface": 10, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_sys_up_time": 564184254, + "flow_start_sys_up_time": 564184154, + "ingress_interface": 13, + "ingress_vrfid": 0, + "initiator_octets": 4965, + "initiator_packets": 13, + 
"ip_diff_serv_code_point": 0, + "ip_ttl": 125, + "new_connection_delta_count": 1, + "protocol_identifier": 6, + "responder_octets": 0, + "responder_packets": 0, + "type": "netflow_flow", + "vlan_id": 290, + "waasoptimization_segment": 16 + }, + "network": { + "bytes": 4965, + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "direction": "unknown", + "iana_number": "6", + "packets": 13, + "transport": "tcp" + }, + "observer": { + "ip": [ + "127.0.0.1" + ] + }, + "server": { + "bytes": 0, + "packets": 0 + }, + "source": { + "bytes": 4965, + "packets": 13 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "client": { + "bytes": 138, + "packets": 4 + }, + "destination": { + "bytes": 0, + "packets": 2 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "netflow_flow", + "category": [ + "network", + "session" + ], + "created": "2021-05-19T09:08:51.938Z", + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "host": { + "name": "mbp.local" + }, + "input": { + "type": "netflow" + }, + "netflow": { + "application_id": [ + 13, + 0, + 2, + 99 + ], + "art_client_network_time_sum": 0, + "art_count_late_responses": 0, + "art_count_responses": 0, + "art_count_retransmissions": 0, + "art_count_transactions": 2, + "art_network_time_sum": 0, + "art_response_time_sum": 0, + "art_server_network_time_sum": 0, + "art_server_response_time_maximum": 0, + "art_server_response_time_sum": 0, + "art_total_response_time_sum": 0, + "art_total_transaction_time_sum": 119878, + "biflow_direction": 2, + "connection_sum_duration_seconds": 239, + "egress_interface": 13, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "version": 10 + }, 
+ "flow_end_sys_up_time": 564184362, + "flow_start_sys_up_time": 564184214, + "ingress_interface": 10, + "ingress_vrfid": 0, + "initiator_octets": 0, + "initiator_packets": 2, + "ip_diff_serv_code_point": 0, + "ip_ttl": 61, + "new_connection_delta_count": 0, + "protocol_identifier": 6, + "responder_octets": 138, + "responder_packets": 4, + "type": "netflow_flow", + "vlan_id": 0, + "waasoptimization_segment": 16 + }, + "network": { + "bytes": 138, + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "direction": "unknown", + "iana_number": "6", + "packets": 6, + "transport": "tcp" + }, + "observer": { + "ip": [ + "127.0.0.1" + ] + }, + "server": { + "bytes": 0, + "packets": 2 + }, + "source": { + "bytes": 138, + "packets": 4 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "client": { + "bytes": 1, + "packets": 1 + }, + "destination": { + "bytes": 0, + "packets": 0 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "netflow_flow", + "category": [ + "network", + "session" + ], + "created": "2021-05-19T09:08:51.938Z", + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "host": { + "name": "mbp.local" + }, + "input": { + "type": "netflow" + }, + "netflow": { + "application_id": [ + 13, + 0, + 2, + 8 + ], + "art_client_network_time_sum": 0, + "art_count_late_responses": 0, + "art_count_responses": 0, + "art_count_retransmissions": 1, + "art_count_transactions": 0, + "art_network_time_sum": 0, + "art_response_time_sum": 0, + "art_server_network_time_sum": 0, + "art_server_response_time_maximum": 0, + "art_server_response_time_sum": 0, + "art_total_response_time_sum": 0, + "art_total_transaction_time_sum": 0, + "biflow_direction": 1, + "connection_sum_duration_seconds": 44, + 
"egress_interface": 10, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_sys_up_time": 564184220, + "flow_start_sys_up_time": 564184220, + "ingress_interface": 13, + "ingress_vrfid": 0, + "initiator_octets": 1, + "initiator_packets": 1, + "ip_diff_serv_code_point": 0, + "ip_ttl": 125, + "new_connection_delta_count": 0, + "protocol_identifier": 6, + "responder_octets": 0, + "responder_packets": 0, + "type": "netflow_flow", + "vlan_id": 290, + "waasoptimization_segment": 16 + }, + "network": { + "bytes": 1, + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "direction": "unknown", + "iana_number": "6", + "packets": 1, + "transport": "tcp" + }, + "observer": { + "ip": [ + "127.0.0.1" + ] + }, + "server": { + "bytes": 0, + "packets": 0 + }, + "source": { + "bytes": 1, + "packets": 1 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "client": { + "bytes": 6079, + "packets": 10 + }, + "destination": { + "bytes": 1571, + "packets": 13 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "netflow_flow", + "category": [ + "network", + "session" + ], + "created": "2021-05-19T09:08:51.938Z", + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "host": { + "name": "mbp.local" + }, + "input": { + "type": "netflow" + }, + "netflow": { + "application_id": [ + 13, + 0, + 1, + 197 + ], + "art_client_network_time_sum": 3, + "art_count_late_responses": 0, + "art_count_responses": 3, + "art_count_retransmissions": 0, + "art_count_transactions": 2, + "art_network_time_sum": 149, + "art_response_time_sum": 444, + "art_server_network_time_sum": 146, + "art_server_response_time_maximum": 3, + 
"art_server_response_time_sum": 6, + "art_total_response_time_sum": 453, + "art_total_transaction_time_sum": 296, + "biflow_direction": 2, + "connection_sum_duration_seconds": 62, + "egress_interface": 13, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_sys_up_time": 564215068, + "flow_start_sys_up_time": 564184067, + "ingress_interface": 10, + "ingress_vrfid": 0, + "initiator_octets": 1571, + "initiator_packets": 13, + "ip_diff_serv_code_point": 0, + "ip_ttl": 220, + "new_connection_delta_count": 1, + "protocol_identifier": 6, + "responder_octets": 6079, + "responder_packets": 10, + "type": "netflow_flow", + "vlan_id": 0, + "waasoptimization_segment": 16 + }, + "network": { + "bytes": 7650, + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "direction": "unknown", + "iana_number": "6", + "packets": 23, + "transport": "tcp" + }, + "observer": { + "ip": [ + "127.0.0.1" + ] + }, + "server": { + "bytes": 1571, + "packets": 13 + }, + "source": { + "bytes": 6079, + "packets": 10 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "client": { + "bytes": 2807, + "packets": 6 + }, + "destination": { + "bytes": 0, + "packets": 0 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "netflow_flow", + "category": [ + "network", + "session" + ], + "created": "2021-05-19T09:08:51.938Z", + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "host": { + "name": "mbp.local" + }, + "input": { + "type": "netflow" + }, + "netflow": { + "application_id": [ + 13, + 0, + 1, + 197 + ], + "art_client_network_time_sum": 0, + "art_count_late_responses": 0, + "art_count_responses": 0, + 
"art_count_retransmissions": 0, + "art_count_transactions": 0, + "art_network_time_sum": 0, + "art_response_time_sum": 0, + "art_server_network_time_sum": 0, + "art_server_response_time_maximum": 0, + "art_server_response_time_sum": 0, + "art_total_response_time_sum": 0, + "art_total_transaction_time_sum": 0, + "biflow_direction": 1, + "connection_sum_duration_seconds": 0, + "egress_interface": 13, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_sys_up_time": 564184252, + "flow_start_sys_up_time": 564183878, + "ingress_interface": 10, + "ingress_vrfid": 0, + "initiator_octets": 2807, + "initiator_packets": 6, + "ip_diff_serv_code_point": 0, + "ip_ttl": 61, + "new_connection_delta_count": 1, + "protocol_identifier": 6, + "responder_octets": 0, + "responder_packets": 0, + "type": "netflow_flow", + "vlan_id": 0, + "waasoptimization_segment": 16 + }, + "network": { + "bytes": 2807, + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "direction": "unknown", + "iana_number": "6", + "packets": 6, + "transport": "tcp" + }, + "observer": { + "ip": [ + "127.0.0.1" + ] + }, + "server": { + "bytes": 0, + "packets": 0 + }, + "source": { + "bytes": 2807, + "packets": 6 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "client": { + "bytes": 0, + "packets": 1 + }, + "destination": { + "bytes": 0, + "packets": 0 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "netflow_flow", + "category": [ + "network", + "session" + ], + "created": "2021-05-19T09:08:51.938Z", + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "host": { + "name": "mbp.local" + }, + "input": { + "type": "netflow" 
+ }, + "netflow": { + "application_id": [ + 13, + 0, + 0, + 1 + ], + "art_client_network_time_sum": 0, + "art_count_late_responses": 0, + "art_count_responses": 0, + "art_count_retransmissions": 0, + "art_count_transactions": 0, + "art_network_time_sum": 0, + "art_response_time_sum": 0, + "art_server_network_time_sum": 0, + "art_server_response_time_maximum": 0, + "art_server_response_time_sum": 0, + "art_total_response_time_sum": 0, + "art_total_transaction_time_sum": 0, + "biflow_direction": 1, + "connection_sum_duration_seconds": 59, + "egress_interface": 4, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_sys_up_time": 564184248, + "flow_start_sys_up_time": 564184248, + "ingress_interface": 1, + "ingress_vrfid": 0, + "initiator_octets": 0, + "initiator_packets": 1, + "ip_diff_serv_code_point": 0, + "ip_ttl": 124, + "new_connection_delta_count": 0, + "protocol_identifier": 6, + "responder_octets": 0, + "responder_packets": 0, + "type": "netflow_flow", + "vlan_id": 0, + "waasoptimization_segment": 16 + }, + "network": { + "bytes": 0, + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "direction": "unknown", + "iana_number": "6", + "packets": 1, + "transport": "tcp" + }, + "observer": { + "ip": [ + "127.0.0.1" + ] + }, + "server": { + "bytes": 0, + "packets": 0 + }, + "source": { + "bytes": 0, + "packets": 1 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "client": { + "bytes": 1877, + "packets": 11 + }, + "destination": { + "bytes": 3409, + "packets": 7 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "netflow_flow", + "category": [ + "network", + "session" + ], + "created": "2021-05-19T09:08:51.938Z", + "kind": "event", + 
"type": [ + "connection" + ] + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "host": { + "name": "mbp.local" + }, + "input": { + "type": "netflow" + }, + "netflow": { + "application_id": [ + 13, + 0, + 1, + 197 + ], + "art_client_network_time_sum": 2, + "art_count_late_responses": 0, + "art_count_responses": 4, + "art_count_retransmissions": 0, + "art_count_transactions": 4, + "art_network_time_sum": 6, + "art_response_time_sum": 23, + "art_server_network_time_sum": 4, + "art_server_response_time_maximum": 3, + "art_server_response_time_sum": 7, + "art_total_response_time_sum": 31, + "art_total_transaction_time_sum": 23, + "biflow_direction": 1, + "connection_sum_duration_seconds": 32, + "egress_interface": 10, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_sys_up_time": 564200378, + "flow_start_sys_up_time": 564184251, + "ingress_interface": 13, + "ingress_vrfid": 0, + "initiator_octets": 1877, + "initiator_packets": 11, + "ip_diff_serv_code_point": 0, + "ip_ttl": 125, + "new_connection_delta_count": 1, + "protocol_identifier": 6, + "responder_octets": 3409, + "responder_packets": 7, + "type": "netflow_flow", + "vlan_id": 290, + "waasoptimization_segment": 16 + }, + "network": { + "bytes": 5286, + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "direction": "unknown", + "iana_number": "6", + "packets": 18, + "transport": "tcp" + }, + "observer": { + "ip": [ + "127.0.0.1" + ] + }, + "server": { + "bytes": 3409, + "packets": 7 + }, + "source": { + "bytes": 1877, + "packets": 11 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "client": { + "bytes": 2255, + "packets": 7 + }, + "destination": { + "bytes": 0, + "packets": 0 + }, 
+ "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "netflow_flow", + "category": [ + "network", + "session" + ], + "created": "2021-05-19T09:08:51.938Z", + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "host": { + "name": "mbp.local" + }, + "input": { + "type": "netflow" + }, + "netflow": { + "application_id": [ + 13, + 0, + 1, + 197 + ], + "art_client_network_time_sum": 0, + "art_count_late_responses": 0, + "art_count_responses": 0, + "art_count_retransmissions": 0, + "art_count_transactions": 0, + "art_network_time_sum": 0, + "art_response_time_sum": 0, + "art_server_network_time_sum": 0, + "art_server_response_time_maximum": 0, + "art_server_response_time_sum": 0, + "art_total_response_time_sum": 0, + "art_total_transaction_time_sum": 0, + "biflow_direction": 1, + "connection_sum_duration_seconds": 0, + "egress_interface": 13, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_sys_up_time": 564184286, + "flow_start_sys_up_time": 564184040, + "ingress_interface": 10, + "ingress_vrfid": 0, + "initiator_octets": 2255, + "initiator_packets": 7, + "ip_diff_serv_code_point": 0, + "ip_ttl": 61, + "new_connection_delta_count": 1, + "protocol_identifier": 6, + "responder_octets": 0, + "responder_packets": 0, + "type": "netflow_flow", + "vlan_id": 0, + "waasoptimization_segment": 16 + }, + "network": { + "bytes": 2255, + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "direction": "unknown", + "iana_number": "6", + "packets": 7, + "transport": "tcp" + }, + "observer": { + "ip": [ + "127.0.0.1" + ] + }, + "server": { + "bytes": 0, + "packets": 0 + }, + "source": { + "bytes": 2255, + "packets": 7 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + 
"name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "client": { + "bytes": 538, + "packets": 5 + }, + "destination": { + "bytes": 0, + "packets": 0 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "netflow_flow", + "category": [ + "network", + "session" + ], + "created": "2021-05-19T09:08:51.938Z", + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "host": { + "name": "mbp.local" + }, + "input": { + "type": "netflow" + }, + "netflow": { + "application_id": [ + 3, + 0, + 0, + 80 + ], + "art_client_network_time_sum": 0, + "art_count_late_responses": 0, + "art_count_responses": 0, + "art_count_retransmissions": 0, + "art_count_transactions": 0, + "art_network_time_sum": 0, + "art_response_time_sum": 0, + "art_server_network_time_sum": 0, + "art_server_response_time_maximum": 0, + "art_server_response_time_sum": 0, + "art_total_response_time_sum": 0, + "art_total_transaction_time_sum": 0, + "biflow_direction": 1, + "connection_sum_duration_seconds": 0, + "egress_interface": 13, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_sys_up_time": 564184314, + "flow_start_sys_up_time": 564184284, + "ingress_interface": 10, + "ingress_vrfid": 0, + "initiator_octets": 538, + "initiator_packets": 5, + "ip_diff_serv_code_point": 0, + "ip_ttl": 49, + "new_connection_delta_count": 1, + "protocol_identifier": 6, + "responder_octets": 0, + "responder_packets": 0, + "type": "netflow_flow", + "vlan_id": 0, + "waasoptimization_segment": 16 + }, + "network": { + "bytes": 538, + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "direction": "unknown", + "iana_number": "6", + "packets": 5, + "transport": "tcp" + }, + "observer": { + "ip": [ + "127.0.0.1" + ] + }, + "server": { + "bytes": 0, + "packets": 0 + }, + "source": { + "bytes": 538, + "packets": 5 + } + }, + { 
+ "@timestamp": "2018-07-03T10:47:00.000Z", + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "client": { + "bytes": 1487, + "packets": 21 + }, + "destination": { + "bytes": 6305, + "packets": 15 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "netflow_flow", + "category": [ + "network", + "session" + ], + "created": "2021-05-19T09:08:51.939Z", + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "host": { + "name": "mbp.local" + }, + "input": { + "type": "netflow" + }, + "netflow": { + "application_id": [ + 13, + 0, + 2, + 102 + ], + "art_client_network_time_sum": 2, + "art_count_late_responses": 0, + "art_count_responses": 5, + "art_count_retransmissions": 0, + "art_count_transactions": 5, + "art_network_time_sum": 9, + "art_response_time_sum": 72, + "art_server_network_time_sum": 7, + "art_server_response_time_maximum": 25, + "art_server_response_time_sum": 55, + "art_total_response_time_sum": 77, + "art_total_transaction_time_sum": 59870, + "biflow_direction": 1, + "connection_sum_duration_seconds": 181, + "egress_interface": 10, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_sys_up_time": 564214304, + "flow_start_sys_up_time": 564184296, + "ingress_interface": 13, + "ingress_vrfid": 0, + "initiator_octets": 1487, + "initiator_packets": 21, + "ip_diff_serv_code_point": 0, + "ip_ttl": 125, + "new_connection_delta_count": 2, + "protocol_identifier": 6, + "responder_octets": 6305, + "responder_packets": 15, + "type": "netflow_flow", + "vlan_id": 290, + "waasoptimization_segment": 16 + }, + "network": { + "bytes": 7792, + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "direction": "unknown", + "iana_number": "6", + 
"packets": 36, + "transport": "tcp" + }, + "observer": { + "ip": [ + "127.0.0.1" + ] + }, + "server": { + "bytes": 6305, + "packets": 15 + }, + "source": { + "bytes": 1487, + "packets": 21 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "client": { + "bytes": 3110, + "packets": 7 + }, + "destination": { + "bytes": 1973, + "packets": 10 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "netflow_flow", + "category": [ + "network", + "session" + ], + "created": "2021-05-19T09:08:51.939Z", + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "host": { + "name": "mbp.local" + }, + "input": { + "type": "netflow" + }, + "netflow": { + "application_id": [ + 13, + 0, + 2, + 99 + ], + "art_client_network_time_sum": 2, + "art_count_late_responses": 0, + "art_count_responses": 3, + "art_count_retransmissions": 0, + "art_count_transactions": 3, + "art_network_time_sum": 12, + "art_response_time_sum": 39, + "art_server_network_time_sum": 10, + "art_server_response_time_maximum": 14, + "art_server_response_time_sum": 15, + "art_total_response_time_sum": 45, + "art_total_transaction_time_sum": 39, + "biflow_direction": 2, + "connection_sum_duration_seconds": 32, + "egress_interface": 13, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_sys_up_time": 564200376, + "flow_start_sys_up_time": 564184268, + "ingress_interface": 10, + "ingress_vrfid": 0, + "initiator_octets": 1973, + "initiator_packets": 10, + "ip_diff_serv_code_point": 0, + "ip_ttl": 61, + "new_connection_delta_count": 1, + "protocol_identifier": 6, + "responder_octets": 3110, + "responder_packets": 7, + "type": 
"netflow_flow", + "vlan_id": 0, + "waasoptimization_segment": 16 + }, + "network": { + "bytes": 5083, + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "direction": "unknown", + "iana_number": "6", + "packets": 17, + "transport": "tcp" + }, + "observer": { + "ip": [ + "127.0.0.1" + ] + }, + "server": { + "bytes": 1973, + "packets": 10 + }, + "source": { + "bytes": 3110, + "packets": 7 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "client": { + "bytes": 2, + "packets": 4 + }, + "destination": { + "bytes": 2, + "packets": 4 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "netflow_flow", + "category": [ + "network", + "session" + ], + "created": "2021-05-19T09:08:51.939Z", + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "host": { + "name": "mbp.local" + }, + "input": { + "type": "netflow" + }, + "netflow": { + "application_id": [ + 3, + 0, + 5, + 153 + ], + "art_client_network_time_sum": 0, + "art_count_late_responses": 0, + "art_count_responses": 0, + "art_count_retransmissions": 2, + "art_count_transactions": 0, + "art_network_time_sum": 0, + "art_response_time_sum": 0, + "art_server_network_time_sum": 0, + "art_server_response_time_maximum": 0, + "art_server_response_time_sum": 0, + "art_total_response_time_sum": 0, + "art_total_transaction_time_sum": 0, + "biflow_direction": 2, + "connection_sum_duration_seconds": 119, + "egress_interface": 13, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_sys_up_time": 564214242, + "flow_start_sys_up_time": 564184300, + "ingress_interface": 10, + "ingress_vrfid": 0, + "initiator_octets": 2, + "initiator_packets": 4, 
+ "ip_diff_serv_code_point": 0, + "ip_ttl": 124, + "new_connection_delta_count": 0, + "protocol_identifier": 6, + "responder_octets": 2, + "responder_packets": 4, + "type": "netflow_flow", + "vlan_id": 0, + "waasoptimization_segment": 16 + }, + "network": { + "bytes": 4, + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "direction": "unknown", + "iana_number": "6", + "packets": 8, + "transport": "tcp" + }, + "observer": { + "ip": [ + "127.0.0.1" + ] + }, + "server": { + "bytes": 2, + "packets": 4 + }, + "source": { + "bytes": 2, + "packets": 4 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "client": { + "bytes": 2, + "packets": 2 + }, + "destination": { + "bytes": 0, + "packets": 2 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "netflow_flow", + "category": [ + "network", + "session" + ], + "created": "2021-05-19T09:08:51.939Z", + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "host": { + "name": "mbp.local" + }, + "input": { + "type": "netflow" + }, + "netflow": { + "application_id": [ + 3, + 0, + 0, + 80 + ], + "art_client_network_time_sum": 0, + "art_count_late_responses": 0, + "art_count_responses": 0, + "art_count_retransmissions": 2, + "art_count_transactions": 0, + "art_network_time_sum": 0, + "art_response_time_sum": 0, + "art_server_network_time_sum": 0, + "art_server_response_time_maximum": 0, + "art_server_response_time_sum": 0, + "art_total_response_time_sum": 0, + "art_total_transaction_time_sum": 0, + "biflow_direction": 1, + "connection_sum_duration_seconds": 179, + "egress_interface": 10, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "version": 10 + }, + 
"flow_end_sys_up_time": 564184580, + "flow_start_sys_up_time": 564184306, + "ingress_interface": 13, + "ingress_vrfid": 0, + "initiator_octets": 2, + "initiator_packets": 2, + "ip_diff_serv_code_point": 0, + "ip_ttl": 125, + "new_connection_delta_count": 0, + "protocol_identifier": 6, + "responder_octets": 0, + "responder_packets": 2, + "type": "netflow_flow", + "vlan_id": 290, + "waasoptimization_segment": 16 + }, + "network": { + "bytes": 2, + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "direction": "unknown", + "iana_number": "6", + "packets": 4, + "transport": "tcp" + }, + "observer": { + "ip": [ + "127.0.0.1" + ] + }, + "server": { + "bytes": 0, + "packets": 2 + }, + "source": { + "bytes": 2, + "packets": 2 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "client": { + "bytes": 0, + "packets": 4 + }, + "destination": { + "bytes": 0, + "packets": 2 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "netflow_flow", + "category": [ + "network", + "session" + ], + "created": "2021-05-19T09:08:51.939Z", + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "host": { + "name": "mbp.local" + }, + "input": { + "type": "netflow" + }, + "netflow": { + "application_id": [ + 13, + 0, + 1, + 197 + ], + "art_client_network_time_sum": 0, + "art_count_late_responses": 0, + "art_count_responses": 0, + "art_count_retransmissions": 0, + "art_count_transactions": 2, + "art_network_time_sum": 0, + "art_response_time_sum": 0, + "art_server_network_time_sum": 0, + "art_server_response_time_maximum": 0, + "art_server_response_time_sum": 0, + "art_total_response_time_sum": 0, + "art_total_transaction_time_sum": 18, + "biflow_direction": 1, + "connection_sum_duration_seconds": 119, + 
"egress_interface": 10, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_sys_up_time": 564184326, + "flow_start_sys_up_time": 564184326, + "ingress_interface": 13, + "ingress_vrfid": 0, + "initiator_octets": 0, + "initiator_packets": 4, + "ip_diff_serv_code_point": 0, + "ip_ttl": 125, + "new_connection_delta_count": 0, + "protocol_identifier": 6, + "responder_octets": 0, + "responder_packets": 2, + "type": "netflow_flow", + "vlan_id": 290, + "waasoptimization_segment": 16 + }, + "network": { + "bytes": 0, + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "direction": "unknown", + "iana_number": "6", + "packets": 6, + "transport": "tcp" + }, + "observer": { + "ip": [ + "127.0.0.1" + ] + }, + "server": { + "bytes": 0, + "packets": 2 + }, + "source": { + "bytes": 0, + "packets": 4 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "client": { + "bytes": 1005, + "packets": 4 + }, + "destination": { + "bytes": 174, + "packets": 3 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "netflow_flow", + "category": [ + "network", + "session" + ], + "created": "2021-05-19T09:08:51.939Z", + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "host": { + "name": "mbp.local" + }, + "input": { + "type": "netflow" + }, + "netflow": { + "application_id": [ + 3, + 0, + 5, + 153 + ], + "art_client_network_time_sum": 0, + "art_count_late_responses": 0, + "art_count_responses": 1, + "art_count_retransmissions": 1, + "art_count_transactions": 1, + "art_network_time_sum": 0, + "art_response_time_sum": 5, + "art_server_network_time_sum": 0, + "art_server_response_time_maximum": 5, + 
"art_server_response_time_sum": 5, + "art_total_response_time_sum": 8, + "art_total_transaction_time_sum": 12, + "biflow_direction": 1, + "connection_sum_duration_seconds": 119, + "egress_interface": 10, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_sys_up_time": 564214476, + "flow_start_sys_up_time": 564184326, + "ingress_interface": 13, + "ingress_vrfid": 0, + "initiator_octets": 1005, + "initiator_packets": 4, + "ip_diff_serv_code_point": 0, + "ip_ttl": 125, + "new_connection_delta_count": 0, + "protocol_identifier": 6, + "responder_octets": 174, + "responder_packets": 3, + "type": "netflow_flow", + "vlan_id": 290, + "waasoptimization_segment": 16 + }, + "network": { + "bytes": 1179, + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "direction": "unknown", + "iana_number": "6", + "packets": 7, + "transport": "tcp" + }, + "observer": { + "ip": [ + "127.0.0.1" + ] + }, + "server": { + "bytes": 174, + "packets": 3 + }, + "source": { + "bytes": 1005, + "packets": 4 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "client": { + "bytes": 138, + "packets": 4 + }, + "destination": { + "bytes": 0, + "packets": 2 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "netflow_flow", + "category": [ + "network", + "session" + ], + "created": "2021-05-19T09:08:51.939Z", + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "host": { + "name": "mbp.local" + }, + "input": { + "type": "netflow" + }, + "netflow": { + "application_id": [ + 13, + 0, + 1, + 197 + ], + "art_client_network_time_sum": 0, + "art_count_late_responses": 0, + "art_count_responses": 0, + 
"art_count_retransmissions": 0, + "art_count_transactions": 2, + "art_network_time_sum": 0, + "art_response_time_sum": 0, + "art_server_network_time_sum": 0, + "art_server_response_time_maximum": 0, + "art_server_response_time_sum": 0, + "art_total_response_time_sum": 0, + "art_total_transaction_time_sum": 119644, + "biflow_direction": 2, + "connection_sum_duration_seconds": 238, + "egress_interface": 13, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_sys_up_time": 564184490, + "flow_start_sys_up_time": 564184336, + "ingress_interface": 10, + "ingress_vrfid": 0, + "initiator_octets": 0, + "initiator_packets": 2, + "ip_diff_serv_code_point": 0, + "ip_ttl": 61, + "new_connection_delta_count": 0, + "protocol_identifier": 6, + "responder_octets": 138, + "responder_packets": 4, + "type": "netflow_flow", + "vlan_id": 0, + "waasoptimization_segment": 16 + }, + "network": { + "bytes": 138, + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "direction": "unknown", + "iana_number": "6", + "packets": 6, + "transport": "tcp" + }, + "observer": { + "ip": [ + "127.0.0.1" + ] + }, + "server": { + "bytes": 0, + "packets": 2 + }, + "source": { + "bytes": 138, + "packets": 4 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "client": { + "bytes": 31, + "packets": 2 + }, + "destination": { + "bytes": 0, + "packets": 1 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "netflow_flow", + "category": [ + "network", + "session" + ], + "created": "2021-05-19T09:08:51.939Z", + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "host": { + "name": "mbp.local" + }, + "input": { + "type": 
"netflow" + }, + "netflow": { + "application_id": [ + 13, + 0, + 1, + 197 + ], + "art_client_network_time_sum": 0, + "art_count_late_responses": 0, + "art_count_responses": 0, + "art_count_retransmissions": 0, + "art_count_transactions": 1, + "art_network_time_sum": 0, + "art_response_time_sum": 0, + "art_server_network_time_sum": 0, + "art_server_response_time_maximum": 0, + "art_server_response_time_sum": 0, + "art_total_response_time_sum": 0, + "art_total_transaction_time_sum": 59790, + "biflow_direction": 2, + "connection_sum_duration_seconds": 119, + "egress_interface": 13, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_sys_up_time": 564184350, + "flow_start_sys_up_time": 564184348, + "ingress_interface": 10, + "ingress_vrfid": 0, + "initiator_octets": 0, + "initiator_packets": 1, + "ip_diff_serv_code_point": 0, + "ip_ttl": 43, + "new_connection_delta_count": 0, + "protocol_identifier": 6, + "responder_octets": 31, + "responder_packets": 2, + "type": "netflow_flow", + "vlan_id": 0, + "waasoptimization_segment": 16 + }, + "network": { + "bytes": 31, + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "direction": "unknown", + "iana_number": "6", + "packets": 3, + "transport": "tcp" + }, + "observer": { + "ip": [ + "127.0.0.1" + ] + }, + "server": { + "bytes": 0, + "packets": 1 + }, + "source": { + "bytes": 31, + "packets": 2 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "client": { + "bytes": 13482, + "packets": 17 + }, + "destination": { + "bytes": 8989, + "packets": 19 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "netflow_flow", + "category": [ + "network", + "session" + ], + "created": "2021-05-19T09:08:51.939Z", + 
"kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "host": { + "name": "mbp.local" + }, + "input": { + "type": "netflow" + }, + "netflow": { + "application_id": [ + 13, + 0, + 1, + 197 + ], + "art_client_network_time_sum": 3, + "art_count_late_responses": 0, + "art_count_responses": 6, + "art_count_retransmissions": 0, + "art_count_transactions": 6, + "art_network_time_sum": 3, + "art_response_time_sum": 33, + "art_server_network_time_sum": 0, + "art_server_response_time_maximum": 28, + "art_server_response_time_sum": 33, + "art_total_response_time_sum": 51, + "art_total_transaction_time_sum": 43, + "biflow_direction": 2, + "connection_sum_duration_seconds": 0, + "egress_interface": 13, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_sys_up_time": 564184586, + "flow_start_sys_up_time": 564184356, + "ingress_interface": 10, + "ingress_vrfid": 0, + "initiator_octets": 8989, + "initiator_packets": 19, + "ip_diff_serv_code_point": 0, + "ip_ttl": 124, + "new_connection_delta_count": 1, + "protocol_identifier": 6, + "responder_octets": 13482, + "responder_packets": 17, + "type": "netflow_flow", + "vlan_id": 0, + "waasoptimization_segment": 16 + }, + "network": { + "bytes": 22471, + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "direction": "unknown", + "iana_number": "6", + "packets": 36, + "transport": "tcp" + }, + "observer": { + "ip": [ + "127.0.0.1" + ] + }, + "server": { + "bytes": 8989, + "packets": 19 + }, + "source": { + "bytes": 13482, + "packets": 17 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "client": { + "bytes": 28373, + "packets": 133 + }, + "destination": { + 
"bytes": 233345, + "packets": 236 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "netflow_flow", + "category": [ + "network", + "session" + ], + "created": "2021-05-19T09:08:51.939Z", + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "host": { + "name": "mbp.local" + }, + "input": { + "type": "netflow" + }, + "netflow": { + "application_id": [ + 13, + 0, + 2, + 99 + ], + "art_client_network_time_sum": 20, + "art_count_late_responses": 0, + "art_count_responses": 25, + "art_count_retransmissions": 4, + "art_count_transactions": 25, + "art_network_time_sum": 58, + "art_response_time_sum": 301, + "art_server_network_time_sum": 38, + "art_server_response_time_maximum": 31, + "art_server_response_time_sum": 168, + "art_total_response_time_sum": 363, + "art_total_transaction_time_sum": 332, + "biflow_direction": 2, + "connection_sum_duration_seconds": 116, + "egress_interface": 13, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_sys_up_time": 564215336, + "flow_start_sys_up_time": 564184380, + "ingress_interface": 10, + "ingress_vrfid": 0, + "initiator_octets": 233345, + "initiator_packets": 236, + "ip_diff_serv_code_point": 0, + "ip_ttl": 61, + "new_connection_delta_count": 8, + "protocol_identifier": 6, + "responder_octets": 28373, + "responder_packets": 133, + "type": "netflow_flow", + "vlan_id": 0, + "waasoptimization_segment": 16 + }, + "network": { + "bytes": 261718, + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "direction": "unknown", + "iana_number": "6", + "packets": 369, + "transport": "tcp" + }, + "observer": { + "ip": [ + "127.0.0.1" + ] + }, + "server": { + "bytes": 233345, + "packets": 236 + }, + "source": { + "bytes": 28373, + "packets": 133 + } + }, + { + "@timestamp": "2020-04-16T23:22:51Z", + "destination": { + "ip": "10.36.236.100", + 
"locality": "internal", + "port": 54594 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "netflow_flow", + "category": [ + "network" + ], + "kind": "event", + "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1587079068960&end=1587079668963&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip_conv=10.127.32.11%2610.36.236.100", + "type": [ + "connection" + ] + }, + "flow": { + "id": "6mUV1nPVG80", + "locality": "internal" + }, + "netflow": { + "destination_ipv4_address": "10.36.236.100", + "destination_transport_port": 54594, + "egress_interface": 1, + "exporter": { + "address": "81.2.69.144:10000", + "source_id": 1, + "timestamp": "2020-04-16T23:22:51Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_milliseconds": "2020-04-16T23:22:48.963Z", + "flow_end_reason": 3, + "flow_start_milliseconds": "2020-04-16T23:22:48.96Z", + "ingress_interface": 1, + "octet_delta_count": 1855, + "packet_delta_count": 5, + "protocol_identifier": 6, + "source_ipv4_address": "10.127.32.11", + "source_transport_port": 53, + "tcp_control_bits": 27, + "type": "netflow_flow" + }, + "network": { + "bytes": 1855, + "community_id": "1:+/kh1SKruHHnZ5JGSMfWk9nZx8o=", + "direction": "internal", + "iana_number": "6", + "packets": 5, + "transport": "tcp", + "type": "ipv4" + }, + "observer": { + "ip": [ + "81.2.69.144" + ] + }, + "related": { + "ip": [ + "10.36.236.100", + "10.127.32.11" + ] + }, + "source": { + "bytes": 1855, + "ip": "10.127.32.11", + "locality": "internal", + "packets": 5, + "port": 53 + } + }, + { + "@timestamp": "2020-04-16T23:22:51Z", + "destination": { + "ip": "10.36.236.100", + "locality": "internal", + "port": 49180 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "netflow_flow", + "category": [ + "network" + ], + "kind": "event", + "reference": 
"https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1587079067995&end=1587079668404&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip_conv=89.160.20.112%2610.36.236.100", + "type": [ + "connection" + ] + }, + "flow": { + "id": "HVg4SttTufc", + "locality": "external" + }, + "netflow": { + "destination_ipv4_address": "10.36.236.100", + "destination_transport_port": 49180, + "egress_interface": 1, + "exporter": { + "address": "81.2.69.144:10000", + "source_id": 1, + "timestamp": "2020-04-16T23:22:51Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_milliseconds": "2020-04-16T23:22:48.404Z", + "flow_end_reason": 3, + "flow_start_milliseconds": "2020-04-16T23:22:47.995Z", + "ingress_interface": 1, + "octet_delta_count": 7158, + "packet_delta_count": 10, + "protocol_identifier": 6, + "source_ipv4_address": "89.160.20.112", + "source_transport_port": 443, + "tcp_control_bits": 27, + "type": "netflow_flow" + }, + "network": { + "bytes": 7158, + "community_id": "1:Zyly7BCJ6D7luuRJJazRxZ/mFZM=", + "direction": "inbound", + "iana_number": "6", + "packets": 10, + "transport": "tcp", + "type": "ipv4" + }, + "observer": { + "ip": [ + "81.2.69.144" + ] + }, + "related": { + "ip": [ + "10.36.236.100", + "89.160.20.112" + ] + }, + "source": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 7158, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.112", + "locality": "external", + "packets": 10, + "port": 443 + } + }, + { + "@timestamp": "2020-04-16T23:22:51Z", + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": 
"SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.112", + "locality": "external", + "port": 443 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "netflow_flow", + "category": [ + "network" + ], + "kind": "event", + "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1587079067920&end=1587079668404&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip_conv=10.36.236.100%2689.160.20.112", + "type": [ + "connection" + ] + }, + "flow": { + "id": "HVg4SttTufc", + "locality": "external" + }, + "netflow": { + "destination_ipv4_address": "89.160.20.112", + "destination_transport_port": 443, + "egress_interface": 1, + "exporter": { + "address": "81.2.69.144:10000", + "source_id": 1, + "timestamp": "2020-04-16T23:22:51Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_milliseconds": "2020-04-16T23:22:48.404Z", + "flow_end_reason": 3, + "flow_start_milliseconds": "2020-04-16T23:22:47.92Z", + "ingress_interface": 1, + "octet_delta_count": 1538, + "packet_delta_count": 11, + "protocol_identifier": 6, + "source_ipv4_address": "10.36.236.100", + "source_transport_port": 49180, + "tcp_control_bits": 27, + "type": "netflow_flow" + }, + "network": { + "bytes": 1538, + "community_id": "1:Zyly7BCJ6D7luuRJJazRxZ/mFZM=", + "direction": "outbound", + "iana_number": "6", + "packets": 11, + "transport": "tcp", + "type": "ipv4" + }, + "observer": { + "ip": [ + "81.2.69.144" + ] + }, + "related": { + "ip": [ + "10.36.236.100", + "89.160.20.112" + ] + }, + "source": { + "bytes": 1538, + "ip": "10.36.236.100", + "locality": "internal", + "packets": 11, + "port": 49180 + } + }, + { + "@timestamp": "2018-04-15T03:30:00Z", + "destination": { + "ip": "0.0.0.0", + "locality": "internal", + "port": 135 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": 
"netflow_flow", + "category": [ + "network" + ], + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "GYmhjYyvaAI", + "locality": "internal" + }, + "netflow": { + "bgp_destination_as_number": 0, + "bgp_source_as_number": 0, + "destination_ipv4_address": "0.0.0.0", + "destination_ipv6_address": "2a02:cf40::2", + "destination_transport_port": 135, + "exporter": { + "address": "81.2.69.144:4444", + "source_id": 2875616939, + "timestamp": "2018-04-15T03:30:00Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_seconds": "2018-04-15T03:29:02Z", + "flow_start_seconds": "2018-04-15T03:28:44Z", + "procera_base_service": "IP protocol 58 (IPv6-ICMP)", + "procera_content_categories": "", + "procera_flow_behavior": "INITIAL,SERVER_IS_LOCAL,BEGINNING,ESTABLISHED", + "procera_http_content_type": "", + "procera_http_file_length": 0, + "procera_http_location": "", + "procera_http_url": "", + "procera_incoming_octets": 86, + "procera_outgoing_octets": 78, + "procera_service": "IP protocol 58 (IPv6-ICMP)", + "procera_subscriber_identifier": "", + "procera_template_name": "IPFIX", + "protocol_identifier": 58, + "source_ipv4_address": "0.0.0.0", + "source_ipv6_address": "2a02:cf40::1", + "source_transport_port": 136, + "type": "netflow_flow" + }, + "network": { + "community_id": "1:vK+Zeop1Y3GHxfFGVF2/COcNBWw=", + "direction": "internal", + "iana_number": "58", + "transport": "ipv6-icmp", + "type": [ + "ipv4", + "ipv6" + ] + }, + "observer": { + "ip": [ + "81.2.69.144" + ] + }, + "related": { + "ip": [ + "0.0.0.0" + ] + }, + "source": { + "ip": "0.0.0.0", + "locality": "internal", + "port": 136 + } + }, + { + "@timestamp": "2018-04-15T03:30:00Z", + "destination": { + "ip": "0.0.0.0", + "locality": "internal", + "port": 135 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "netflow_flow", + "category": [ + "network" + ], + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "GYmhjYyvaAI", + "locality": "internal" + }, 
+ "netflow": { + "bgp_destination_as_number": 0, + "bgp_source_as_number": 0, + "destination_ipv6_address": "2a02:cf40::2", + "destination_transport_port": 135, + "exporter": { + "address": "81.2.69.144:4444", + "source_id": 2875616939, + "timestamp": "2018-04-15T03:30:00Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_seconds": "2018-04-15T03:29:02Z", + "flow_start_seconds": "2018-04-15T03:28:44Z", + "procera_base_service": "IP protocol 58 (IPv6-ICMP)", + "procera_content_categories": "", + "procera_flow_behavior": "INITIAL,SERVER_IS_LOCAL,BEGINNING,ESTABLISHED", + "procera_http_content_type": "", + "procera_http_file_length": 0, + "procera_http_location": "", + "procera_http_url": "", + "procera_incoming_octets": 86, + "procera_outgoing_octets": 78, + "procera_service": "IP protocol 58 (IPv6-ICMP)", + "procera_subscriber_identifier": "", + "procera_template_name": "IPFIX", + "protocol_identifier": 58, + "source_ipv6_address": "2a02:cf40::1", + "source_transport_port": 136, + "type": "netflow_flow" + }, + "network": { + "community_id": "1:vK+Zeop1Y3GHxfFGVF2/COcNBWw=", + "direction": "internal", + "iana_number": "58", + "transport": "ipv6-icmp", + "type": "ipv6" + }, + "observer": { + "ip": [ + "81.2.69.144" + ] + }, + "related": { + "ip": [ + "0.0.0.0" + ] + }, + "source": { + "ip": "0.0.0.0", + "locality": "internal", + "port": 136 + } + } + ] +} \ No newline at end of file diff --git a/packages/endace/data_stream/log/_dev/test/system/test-netflow-config.yml b/packages/endace/data_stream/log/_dev/test/system/test-netflow-config.yml new file mode 100644 index 00000000000..edd4b1d7b20 --- /dev/null +++ b/packages/endace/data_stream/log/_dev/test/system/test-netflow-config.yml @@ -0,0 +1,10 @@ +service: netflow-log-netflow +service_notify_signal: SIGHUP +input: netflow +data_stream: + vars: + host: 0.0.0.0 + port: 2055 + endace_url: 'http://test.elastic.co' +numeric_keyword_fields: + - network.iana_number 
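Review bot: the expected output for the two Procera/IPFIX records at the end of this file locks in `0.0.0.0` as `source.ip`, `destination.ip` and the only entry of `related.ip`, while the real endpoints (`netflow.source_ipv6_address: 2a02:cf40::1`, `netflow.destination_ipv6_address: 2a02:cf40::2`) never reach an ECS IP field. An analyst searching `related.ip` for either IPv6 address gets nothing, and the parent pipeline's `'0.0.0.0'` guard then also skips the Endace pivot for these flows. Consider appending the `*_ipv6_address` values to `related.ip` (and not copying the `0.0.0.0` placeholder into `source.ip`/`destination.ip` when an IPv6 address is present) before committing these expectations, since every later change to the pipeline will be diffed against them.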
diff --git a/packages/endace/data_stream/log/agent/stream/netflow.yml.hbs b/packages/endace/data_stream/log/agent/stream/netflow.yml.hbs new file mode 100644 index 00000000000..3bc89ceaa79 --- /dev/null +++ b/packages/endace/data_stream/log/agent/stream/netflow.yml.hbs @@ -0,0 +1,44 @@ +protocols: [v1, v5, v6, v7, v8, v9, ipfix] +host: '{{host}}:{{port}}' +max_message_size: '{{max_message_size}}' +expiration_timeout: '{{expiration_timeout}}' +queue_size: {{queue_size}} +{{#if timeout}} +timeout: '{{timeout}}' +{{/if}} +{{#if read_buffer}} +read_buffer: '{{read_buffer}}' +{{/if}} +{{#if internal_networks}} +internal_networks: +{{#each internal_networks as |network|}} + - {{network}} +{{/each}} +{{/if}} +{{#if custom_definitions}} +custom_definitions: +{{#each custom_definitions as |def|}} +- '{{def}}' +{{/each}} +{{/if}} +{{#if detect_sequence_reset}} +detect_sequence_reset: {{detect_sequence_reset}} +{{/if}} +tags: +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +- add_fields: + target: "_conf" + fields: + endace_url: {{ endace_url }} + endace_datasources: {{ endace_datasources }} + endace_tools: {{ endace_tools }} + endace_lookback": {{ endace_lookback }} +{{#if processors}} +{{processors}} +{{/if}} diff --git a/packages/endace/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/endace/data_stream/log/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..a781774a3ee --- /dev/null +++ b/packages/endace/data_stream/log/elasticsearch/ingest_pipeline/default.yml 
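Review bot: the `add_fields` block has a stray double quote in the last key, `endace_lookback": {{ endace_lookback }}`, so the rendered YAML creates a field literally named `_conf.endace_lookback"` and `ctx._conf.endace_lookback` is null in the ingest pipeline; the `Calculate Timedelta` script never runs and the pivot window is never widened. The ingest-pipeline tests in this PR do not render the stream template, so this only shows up in a live deployment. Fix the key to `endace_lookback: {{ endace_lookback }}` and, while there, quote the string-valued fields (`endace_url: '{{ endace_url }}'`, same for `endace_datasources` and `endace_tools`) so a value containing `#` or a leading special character cannot break the YAML.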
@@ -0,0 +1,141 @@ +--- +description: Pipeline for NetFlow + +processors: + - set: + field: ecs.version + value: '8.11.0' + tag: add_ecs_version + - convert: + field: network.iana_number + type: string + ignore_missing: true + ignore_failure: true + tag: convert_network_iana_number + - rename: + field: observer.ip + target_field: _tmp_.observer.ip + ignore_missing: true + tag: rename_observer_ip + - append: + field: observer.ip + value: '{{_tmp_.observer.ip}}' + if: ctx._tmp_?.observer?.ip != null + tag: append_observer_ip + - set: + field: event.category + value: + - network + - session + if: ctx.event?.category != null && ctx.event?.category == "network_session" + tag: set_event_category + - set: + field: network.type + value: ipv4 + if: ctx.netflow?.source_ipv4_address != null || ctx.netflow?.destination_ipv4_address != null + tag: set_network_type_ipv4 + - set: + field: network.type + value: ipv6 + if: (ctx.netflow?.source_ipv6_address != null || ctx.netflow?.destination_ipv6_address != null) && ctx.network?.type == null + tag: set_network_type_ipv6 + - append: + field: network.type + value: ipv6 + if: (ctx.netflow?.source_ipv6_address != null || ctx.netflow?.destination_ipv6_address != null) && ctx.network?.type == "ipv4" + tag: append_network_type_ipv6 + - set: + field: network.direction + value: inbound + if: ctx.source?.locality == "external" && ctx.destination?.locality == "internal" + tag: set_network_direction_inbound + - set: + field: network.direction + value: outbound + if: ctx.source?.locality == "internal" && ctx.destination?.locality == "external" + tag: set_network_direction_outbound + - set: + field: network.direction + value: internal + if: ctx.source?.locality == "internal" && ctx.destination?.locality == "internal" + tag: set_network_direction_internal + - set: + field: network.direction + value: external + if: ctx.source?.locality == "external" && ctx.destination?.locality == "external" + tag: set_network_direction_external + - set: + field: 
network.direction + value: unknown + if: ctx.network?.direction == null + tag: set_network_direction + # IP Geolocation Lookup + - geoip: + if: ctx.source?.geo == null + field: source.ip + target_field: source.geo + ignore_missing: true + tag: geoip_source_lookup + - geoip: + if: ctx.destination?.geo == null + field: destination.ip + target_field: destination.geo + ignore_missing: true + tag: geoip_destination_lookup + + # IP Autonomous System (AS) Lookup + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + tag: geoip_source_as_lookup + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + tag: geoip_dest_as_lookup + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + tag: rename_source_as_field_asn + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + tag: rename_source_as_field_org + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + tag: rename_as_field_asn + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + tag: rename_as_field_org + - remove: + field: + - _tmp_ + ignore_missing: true + - pipeline: + name: '{{ IngestPipeline "endace-netflow" }}' + tag: pipeline_processor + if: (ctx.source?.ip != null || ctx.destination?.ip != null) && (ctx.source?.ip != '0.0.0.0' && ctx.destination?.ip != '0.0.0.0') + - remove: + field: "_conf" +on_failure: + - set: + field: event.kind + value: pipeline_error + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: 
{{{_ingest.on_failure_message}}}' diff --git a/packages/endace/data_stream/log/elasticsearch/ingest_pipeline/endace-netflow.yml b/packages/endace/data_stream/log/elasticsearch/ingest_pipeline/endace-netflow.yml new file mode 100644 index 00000000000..081b576785c --- /dev/null +++ b/packages/endace/data_stream/log/elasticsearch/ingest_pipeline/endace-netflow.yml 
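Review bot: the final `- remove: field: "_conf"` has neither `ignore_missing: true` nor a `tag`, unlike every other processor in this pipeline (the `_tmp_` removal is also untagged). Any document that reaches this pipeline without `_conf`, for example one not produced by the stream template, then fails outright and the `on_failure` handler records an empty `{{{_ingest.on_failure_processor_tag}}}`. Suggest `ignore_missing: true` and tags such as `remove_tmp` / `remove_conf` so failures stay attributable.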
@@ -0,0 +1,77 @@ +--- +description: Endace Pivot Field. +processors: + - set: + description: "Set IP Conversation if both destination.ip and source.ip are present" + field: _conf.ip_conv + value: "ip_conv={{ source.ip }}%26{{ destination.ip }}" + if: (ctx.destination?.ip != null && ctx.destination.ip != '') && ( ctx.source?.ip != null && ctx.source.ip != '' ) + tag: endace conversation set + + - set: + description: "Set IP Conversation if only destination.ip is present" + field: _conf.ip_conv + value: "ip={{ destination.ip }}" + if: (ctx.destination?.ip != null && ctx.destination.ip != '') && (ctx.source?.ip == null || ctx.source?.ip == '') + tag: endace destination ip set + + - set: + description: "Set IP Conversation if only source.ip is present" + field: _conf.ip_conv + value: "ip={{ source.ip }}" + if: (ctx.destination?.ip == null || ctx.destination?.ip == '') && (ctx.source?.ip != null && ctx.source.ip != '') + tag: endace source ip set + + - date: + description: "Convert Start time to Epoch" + field: netflow.flow_start_milliseconds + formats: ["ISO8601"] + target_field: _conf.event.start + output_format: epoch_millis + if: ctx.netflow?.flow_start_milliseconds != null && ctx.netflow.flow_start_milliseconds != '' + + - convert: + field: _conf.event.start + type: long + description: "Convert Start time to Long" + if: ctx._conf?.event?.start != null && ctx._conf.event.start != '' + + - date: + description: "Convert End time to Epoch" + field: netflow.flow_end_milliseconds + formats: ["ISO8601"] + target_field: _conf.event.end + output_format: epoch_millis + if: ctx.netflow?.flow_end_milliseconds != null && ctx.netflow.flow_end_milliseconds != '' + + - convert: + field: _conf.event.end + type: long + description: "Convert End time to Long" + if: ctx._conf?.event?.end != null && ctx._conf.event.end != '' + + - script: + source: "ctx._conf.timedelta = ctx._conf.endace_lookback * 60 * 1000" + tag: "Calculate Timedelta" + description: "Calculate Timedelta" + if: 
ctx._conf?.endace_lookback != null && ctx._conf.endace_lookback != '' + + - script: + source: "ctx._conf.event.end = ctx._conf.event.end + ctx._conf.timedelta/2" + tag: "Calculate Endtime as Timestamp + half of Timedelta" + description: "Calculate Endtime + half of lookback" + if: (ctx._conf?.event?.end != null && ctx._conf.event.end != '') && (ctx._conf?.timedelta != null && ctx._conf.timedelta != '') + + - script: + source: "ctx._conf.event.start = ctx._conf.event.start - ctx._conf.timedelta/2" + tag: "Calculate Starttime as Timestamp - half of Timedelta" + description: "Calculate Endtime minus half of Timedelta" + if: (ctx._conf?.event?.start != null && ctx._conf.event.start != '') && (ctx._conf?.timedelta != null && ctx._conf.timedelta != '') + + - set: + field: event.reference + value: "{{ _conf.endace_url}}/vision2/pivotintovision/?title=endace_pivot&datasources={{_conf.endace_datasources }}&start={{ _conf.event.start }}&end={{ _conf.event.end }}&tools={{ _conf.endace_tools }}&{{ _conf.ip_conv }}" + ignore_empty_value: true + tag: endace reference url + if: (ctx.destination?.ip != null && ctx.destination.ip != '') || (ctx.source?.ip != null && ctx.source.ip != '') + description: "Create P2V URL" diff --git a/packages/endace/data_stream/log/fields/agent.yml b/packages/endace/data_stream/log/fields/agent.yml new file mode 100644 index 00000000000..58486db7990 --- /dev/null +++ b/packages/endace/data_stream/log/fields/agent.yml 
@@ -0,0 +1,71 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. +- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + external: ecs + - name: image.name + external: ecs + - name: labels + external: ecs + - name: name + external: ecs +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' 
+ example: CONTOSO + default_field: false + - name: os.kernel + external: ecs + - name: os.platform + external: ecs + - name: os.version + external: ecs + - name: type + external: ecs + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + diff --git a/packages/endace/data_stream/log/fields/base-fields.yml b/packages/endace/data_stream/log/fields/base-fields.yml new file mode 100644 index 00000000000..c29343334e3 --- /dev/null +++ b/packages/endace/data_stream/log/fields/base-fields.yml @@ -0,0 +1,17 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: netflow +- name: event.dataset + type: constant_keyword + description: Event dataset + value: endace.log diff --git a/packages/endace/data_stream/log/fields/ecs.yml b/packages/endace/data_stream/log/fields/ecs.yml new file mode 100644 index 00000000000..d53120fc686 --- /dev/null +++ b/packages/endace/data_stream/log/fields/ecs.yml 
@@ -0,0 +1,714 @@ +- external: ecs + name: '@timestamp' +- external: ecs + name: agent.ephemeral_id +- external: ecs + name: agent.id +- external: ecs + name: agent.name +- external: ecs + name: agent.type +- external: ecs + name: agent.version +- external: ecs + name: client.address +- external: ecs + name: client.as.organization.name +- external: ecs + name: client.bytes +- external: ecs + name: client.domain +- external: ecs + name: client.geo.city_name +- external: ecs + name: client.geo.continent_name +- external: ecs + name: client.geo.country_iso_code +- external: ecs + name: client.geo.country_name +- external: ecs + name: client.geo.location +- external: ecs + name: client.geo.name +- external: ecs + name: client.geo.region_iso_code +- external: ecs + name: client.geo.region_name +- external: ecs + name: client.ip +- external: ecs + name: client.mac +- external: ecs + name: client.nat.ip +- external: ecs + name: client.nat.port +- external: ecs + name: client.packets +- external: ecs + name: client.port +- external: ecs + name: client.registered_domain +- external: ecs + name: client.top_level_domain +- external: ecs + name: client.user.domain +- external: ecs + name: client.user.email +- external: ecs + name: client.user.full_name +- external: ecs + name: client.user.group.domain +- external: ecs + name: client.user.group.id +- external: ecs + name: client.user.group.name +- external: ecs + name: client.user.hash +- external: ecs + name: client.user.id +- external: ecs + name: client.user.name +- external: ecs + name: cloud.account.id +- external: ecs + name: cloud.availability_zone +- external: ecs + name: cloud.instance.id +- external: ecs + name: cloud.instance.name +- external: ecs + name: cloud.machine.type +- external: ecs + name: cloud.provider +- external: ecs + name: cloud.region +- external: ecs + name: container.image.tag +- external: ecs + name: container.runtime +- external: ecs + name: destination.address +- external: ecs + name: 
destination.as.number +- external: ecs + name: destination.as.organization.name +- external: ecs + name: destination.bytes +- external: ecs + name: destination.domain +- external: ecs + name: destination.geo.city_name +- external: ecs + name: destination.geo.continent_name +- external: ecs + name: destination.geo.country_iso_code +- external: ecs + name: destination.geo.country_name +- external: ecs + name: destination.geo.location +- external: ecs + name: destination.geo.name +- external: ecs + name: destination.geo.region_iso_code +- external: ecs + name: destination.geo.region_name +- external: ecs + name: destination.ip +- external: ecs + name: destination.mac +- external: ecs + name: destination.nat.ip +- external: ecs + name: destination.nat.port +- external: ecs + name: destination.packets +- external: ecs + name: destination.port +- external: ecs + name: destination.registered_domain +- external: ecs + name: destination.top_level_domain +- external: ecs + name: destination.user.domain +- external: ecs + name: destination.user.email +- external: ecs + name: destination.user.full_name +- external: ecs + name: destination.user.group.domain +- external: ecs + name: destination.user.group.id +- external: ecs + name: destination.user.group.name +- external: ecs + name: destination.user.hash +- external: ecs + name: destination.user.id +- external: ecs + name: destination.user.name +- external: ecs + name: dns.answers + type: group +- external: ecs + name: dns.answers.class +- external: ecs + name: dns.answers.data +- external: ecs + name: dns.answers.name +- external: ecs + name: dns.answers.ttl +- external: ecs + name: dns.answers.type +- external: ecs + name: dns.header_flags +- external: ecs + name: dns.id +- external: ecs + name: dns.op_code +- external: ecs + name: dns.question.class +- external: ecs + name: dns.question.name +- external: ecs + name: dns.question.registered_domain +- external: ecs + name: dns.question.subdomain +- external: ecs + name: 
dns.question.top_level_domain +- external: ecs + name: dns.question.type +- external: ecs + name: dns.resolved_ip +- external: ecs + name: dns.response_code +- external: ecs + name: dns.type +- external: ecs + name: ecs.version +- external: ecs + name: error.code +- external: ecs + name: error.id +- external: ecs + name: error.message +- external: ecs + name: error.stack_trace +- external: ecs + name: error.type +- external: ecs + name: event.action +- external: ecs + name: event.category +- external: ecs + name: event.code +- external: ecs + name: event.created +- external: ecs + name: event.duration +- external: ecs + name: event.end +- external: ecs + name: event.hash +- external: ecs + name: event.id +- external: ecs + name: event.ingested +- external: ecs + name: event.kind +- external: ecs + name: event.original +- external: ecs + name: event.outcome +- external: ecs + name: event.provider +- external: ecs + name: event.reference +- external: ecs + name: event.risk_score +- external: ecs + name: event.risk_score_norm +- external: ecs + name: event.sequence +- external: ecs + name: event.severity +- external: ecs + name: event.start +- external: ecs + name: event.timezone +- external: ecs + name: event.type +- external: ecs + name: file.accessed +- external: ecs + name: file.created +- external: ecs + name: file.ctime +- external: ecs + name: file.device +- external: ecs + name: file.directory +- external: ecs + name: file.extension +- external: ecs + name: file.gid +- external: ecs + name: file.group +- external: ecs + name: file.hash.md5 +- external: ecs + name: file.hash.sha1 +- external: ecs + name: file.hash.sha256 +- external: ecs + name: file.hash.sha512 +- external: ecs + name: file.inode +- external: ecs + name: file.mode +- external: ecs + name: file.mtime +- external: ecs + name: file.name +- external: ecs + name: file.owner +- external: ecs + name: file.path +- external: ecs + name: file.size +- external: ecs + name: file.target_path +- external: 
ecs + name: file.type +- external: ecs + name: file.uid +- external: ecs + name: group.domain +- external: ecs + name: group.id +- external: ecs + name: group.name +- external: ecs + name: host.architecture +- external: ecs + name: host.geo.city_name +- external: ecs + name: host.geo.continent_name +- external: ecs + name: host.geo.country_iso_code +- external: ecs + name: host.geo.country_name +- external: ecs + name: host.geo.location +- external: ecs + name: host.geo.name +- external: ecs + name: host.geo.region_iso_code +- external: ecs + name: host.geo.region_name +- external: ecs + name: host.hostname +- external: ecs + name: host.id +- external: ecs + name: host.ip +- external: ecs + name: host.mac +- external: ecs + name: host.name +- external: ecs + name: host.os.family +- external: ecs + name: host.os.full +- external: ecs + name: host.os.name +- external: ecs + name: host.uptime +- external: ecs + name: http.request.body.bytes +- external: ecs + name: http.request.body.content +- external: ecs + name: http.request.bytes +- external: ecs + name: http.request.method +- external: ecs + name: http.request.referrer +- external: ecs + name: http.response.body.bytes +- external: ecs + name: http.response.body.content +- external: ecs + name: http.response.bytes +- external: ecs + name: http.response.status_code +- external: ecs + name: http.version +- external: ecs + name: labels +- external: ecs + name: log.level +- external: ecs + name: log.logger +- external: ecs + name: log.origin.file.line +- external: ecs + name: log.origin.file.name +- external: ecs + name: log.origin.function +- external: ecs + name: log.syslog + type: group +- external: ecs + name: log.syslog.facility.code +- external: ecs + name: log.syslog.facility.name +- external: ecs + name: log.syslog.priority +- external: ecs + name: log.syslog.severity.code +- external: ecs + name: log.syslog.severity.name +- external: ecs + name: message +- external: ecs + name: network.application +- 
external: ecs + name: network.bytes +- external: ecs + name: network.community_id +- external: ecs + name: network.direction +- external: ecs + name: network.forwarded_ip +- external: ecs + name: network.iana_number +- external: ecs + name: network.name +- external: ecs + name: network.packets +- external: ecs + name: network.protocol +- external: ecs + name: network.transport +- external: ecs + name: network.type +- external: ecs + name: observer.geo.city_name +- external: ecs + name: observer.geo.continent_name +- external: ecs + name: observer.geo.country_iso_code +- external: ecs + name: observer.geo.country_name +- external: ecs + name: observer.geo.location +- external: ecs + name: observer.geo.name +- external: ecs + name: observer.geo.region_iso_code +- external: ecs + name: observer.geo.region_name +- external: ecs + name: observer.hostname +- external: ecs + name: observer.ip +- external: ecs + name: observer.mac +- external: ecs + name: observer.name +- external: ecs + name: observer.os.family +- external: ecs + name: observer.os.full +- external: ecs + name: observer.os.kernel +- external: ecs + name: observer.os.name +- external: ecs + name: observer.os.platform +- external: ecs + name: observer.os.version +- external: ecs + name: observer.product +- external: ecs + name: observer.serial_number +- external: ecs + name: observer.type +- external: ecs + name: observer.vendor +- external: ecs + name: observer.version +- external: ecs + name: organization.id +- external: ecs + name: organization.name +- external: ecs + name: package.architecture +- external: ecs + name: package.checksum +- external: ecs + name: package.description +- external: ecs + name: package.install_scope +- external: ecs + name: package.installed +- external: ecs + name: package.license +- external: ecs + name: package.name +- external: ecs + name: package.path +- external: ecs + name: package.size +- external: ecs + name: package.version +- external: ecs + name: process.args +- 
external: ecs + name: process.executable +- external: ecs + name: process.hash.md5 +- external: ecs + name: process.hash.sha1 +- external: ecs + name: process.hash.sha256 +- external: ecs + name: process.hash.sha512 +- external: ecs + name: process.name +- external: ecs + name: process.pgid +- external: ecs + name: process.pid +- external: ecs + name: process.parent.pid +- external: ecs + name: process.start +- external: ecs + name: process.thread.id +- external: ecs + name: process.thread.name +- external: ecs + name: process.title +- external: ecs + name: process.uptime +- external: ecs + name: process.working_directory +- external: ecs + name: related.ip +- external: ecs + name: server.address +- external: ecs + name: server.as.organization.name +- external: ecs + name: server.bytes +- external: ecs + name: server.domain +- external: ecs + name: server.geo.city_name +- external: ecs + name: server.geo.continent_name +- external: ecs + name: server.geo.country_iso_code +- external: ecs + name: server.geo.country_name +- external: ecs + name: server.geo.location +- external: ecs + name: server.geo.name +- external: ecs + name: server.geo.region_iso_code +- external: ecs + name: server.geo.region_name +- external: ecs + name: server.ip +- external: ecs + name: server.mac +- external: ecs + name: server.nat.ip +- external: ecs + name: server.nat.port +- external: ecs + name: server.packets +- external: ecs + name: server.port +- external: ecs + name: server.registered_domain +- external: ecs + name: server.top_level_domain +- external: ecs + name: server.user.domain +- external: ecs + name: server.user.email +- external: ecs + name: server.user.full_name +- external: ecs + name: server.user.group.domain +- external: ecs + name: server.user.group.id +- external: ecs + name: server.user.group.name +- external: ecs + name: server.user.hash +- external: ecs + name: server.user.id +- external: ecs + name: server.user.name +- external: ecs + name: service.ephemeral_id +- 
external: ecs + name: service.id +- external: ecs + name: service.name +- external: ecs + name: service.node.name +- external: ecs + name: service.state +- external: ecs + name: service.type +- external: ecs + name: service.version +- external: ecs + name: source.address +- external: ecs + name: source.as.number +- external: ecs + name: source.as.organization.name +- external: ecs + name: source.bytes +- external: ecs + name: source.domain +- external: ecs + name: source.geo.city_name +- external: ecs + name: source.geo.continent_name +- external: ecs + name: source.geo.country_iso_code +- external: ecs + name: source.geo.country_name +- external: ecs + name: source.geo.location +- external: ecs + name: source.geo.name +- external: ecs + name: source.geo.region_iso_code +- external: ecs + name: source.geo.region_name +- external: ecs + name: source.ip +- external: ecs + name: source.mac +- external: ecs + name: source.nat.ip +- external: ecs + name: source.nat.port +- external: ecs + name: source.packets +- external: ecs + name: source.port +- external: ecs + name: source.registered_domain +- external: ecs + name: source.top_level_domain +- external: ecs + name: source.user.domain +- external: ecs + name: source.user.email +- external: ecs + name: source.user.full_name +- external: ecs + name: source.user.group.domain +- external: ecs + name: source.user.group.id +- external: ecs + name: source.user.group.name +- external: ecs + name: source.user.hash +- external: ecs + name: source.user.id +- external: ecs + name: source.user.name +- external: ecs + name: tags +- external: ecs + name: threat.framework +- external: ecs + name: threat.tactic.id +- external: ecs + name: threat.tactic.name +- external: ecs + name: threat.tactic.reference +- external: ecs + name: threat.technique.id +- external: ecs + name: threat.technique.name +- external: ecs + name: threat.technique.reference +- external: ecs + name: trace.id +- external: ecs + name: transaction.id +- external: ecs 
+ name: url.domain +- external: ecs + name: url.extension +- external: ecs + name: url.fragment +- external: ecs + name: url.full +- external: ecs + name: url.original +- external: ecs + name: url.password +- external: ecs + name: url.path +- external: ecs + name: url.port +- external: ecs + name: url.query +- external: ecs + name: url.registered_domain +- external: ecs + name: url.scheme +- external: ecs + name: url.top_level_domain +- external: ecs + name: url.username +- external: ecs + name: user.domain +- external: ecs + name: user.email +- external: ecs + name: user.full_name +- external: ecs + name: user.group.domain +- external: ecs + name: user.group.id +- external: ecs + name: user.group.name +- external: ecs + name: user.hash +- external: ecs + name: user.id +- external: ecs + name: user.name +- external: ecs + name: user_agent.device.name +- external: ecs + name: user_agent.name +- external: ecs + name: user_agent.original +- external: ecs + name: user_agent.os.family +- external: ecs + name: user_agent.os.full +- external: ecs + name: user_agent.os.kernel +- external: ecs + name: user_agent.os.name +- external: ecs + name: user_agent.os.platform +- external: ecs + name: user_agent.os.version +- external: ecs + name: user_agent.version diff --git a/packages/endace/data_stream/log/fields/package-fields.yml b/packages/endace/data_stream/log/fields/package-fields.yml new file mode 100644 index 00000000000..1915b6a75d0 --- /dev/null +++ b/packages/endace/data_stream/log/fields/package-fields.yml 
@@ -0,0 +1,2689 @@ +- name: input.type + description: Type of Filebeat input. + type: keyword +- name: flow.locality + type: keyword + description: Identifies whether the flow involved public IP addresses or only private address. +- name: flow.id + type: keyword + description: Hash of source and destination IPs. +- name: destination.locality + type: keyword + description: Whether the destination IP is private or public. +- name: source.locality + type: keyword + description: Whether the source IP is private or public. +- name: netflow + type: group + description: > + Fields from NetFlow and IPFIX. + + fields: + - name: type + type: keyword + description: > + The type of NetFlow record described by this event. + + - name: exporter + type: group + description: > + Metadata related to the exporter device that generated this record. + + fields: + - name: address + type: keyword + description: > + Exporter's network address in IP:port format. + + - name: source_id + type: long + description: > + Observation domain ID to which this record belongs. + + - name: timestamp + type: date + description: > + Time and date of export. + + - name: uptime_millis + type: long + description: > + How long the exporter process has been running, in milliseconds. + + - name: version + type: integer + description: > + NetFlow version used. 
+ + - name: absolute_error + type: double + - name: address_pool_high_threshold + type: long + - name: address_pool_low_threshold + type: long + - name: address_port_mapping_high_threshold + type: long + - name: address_port_mapping_low_threshold + type: long + - name: address_port_mapping_per_user_high_threshold + type: long + - name: afc_protocol + type: integer + - name: afc_protocol_name + type: keyword + - name: anonymization_flags + type: integer + - name: anonymization_technique + type: integer + - name: application_business-relevance + type: long + - name: application_category_name + type: keyword + - name: application_description + type: keyword + - name: application_group_name + type: keyword + - name: application_http_uri_statistics + type: short + - name: application_http_user-agent + type: short + - name: application_id + type: short + - name: application_name + type: keyword + - name: application_sub_category_name + type: keyword + - name: application_traffic-class + type: long + - name: art_client_network_time_maximum + type: long + - name: art_client_network_time_minimum + type: long + - name: art_client_network_time_sum + type: long + - name: art_clientpackets + type: long + - name: art_count_late_responses + type: long + - name: art_count_new_connections + type: long + - name: art_count_responses + type: long + - name: art_count_responses_histogram_bucket1 + type: long + - name: art_count_responses_histogram_bucket2 + type: long + - name: art_count_responses_histogram_bucket3 + type: long + - name: art_count_responses_histogram_bucket4 + type: long + - name: art_count_responses_histogram_bucket5 + type: long + - name: art_count_responses_histogram_bucket6 + type: long + - name: art_count_responses_histogram_bucket7 + type: long + - name: art_count_retransmissions + type: long + - name: art_count_transactions + type: long + - name: art_network_time_maximum + type: long + - name: art_network_time_minimum + type: long + - name: art_network_time_sum + 
type: long + - name: art_response_time_maximum + type: long + - name: art_response_time_minimum + type: long + - name: art_response_time_sum + type: long + - name: art_server_network_time_maximum + type: long + - name: art_server_network_time_minimum + type: long + - name: art_server_network_time_sum + type: long + - name: art_server_response_time_maximum + type: long + - name: art_server_response_time_minimum + type: long + - name: art_server_response_time_sum + type: long + - name: art_serverpackets + type: long + - name: art_total_response_time_maximum + type: long + - name: art_total_response_time_minimum + type: long + - name: art_total_response_time_sum + type: long + - name: art_total_transaction_time_maximum + type: long + - name: art_total_transaction_time_minimum + type: long + - name: art_total_transaction_time_sum + type: long + - name: assembled_fragment_count + type: long + - name: audit_counter + type: long + - name: average_interarrival_time + type: long + - name: bgp_destination_as_number + type: long + - name: bgp_next_adjacent_as_number + type: long + - name: bgp_next_hop_ipv4_address + type: ip + - name: bgp_next_hop_ipv6_address + type: ip + - name: bgp_prev_adjacent_as_number + type: long + - name: bgp_source_as_number + type: long + - name: bgp_validity_state + type: short + - name: biflow_direction + type: short + - name: bind_ipv4_address + type: ip + - name: bind_transport_port + type: integer + - name: class_id + type: long + - name: class_name + type: keyword + - name: classification_engine_id + type: short + - name: collection_time_milliseconds + type: date + - name: collector_certificate + type: short + - name: collector_ipv4_address + type: ip + - name: collector_ipv6_address + type: ip + - name: collector_transport_port + type: integer + - name: common_properties_id + type: long + - name: confidence_level + type: double + - name: conn_ipv4_address + type: ip + - name: conn_transport_port + type: integer + - name: 
connection_sum_duration_seconds + type: long + - name: connection_transaction_id + type: long + - name: conntrack_id + type: long + - name: data_byte_count + type: long + - name: data_link_frame_section + type: short + - name: data_link_frame_size + type: integer + - name: data_link_frame_type + type: integer + - name: data_records_reliability + type: boolean + - name: delta_flow_count + type: long + - name: destination_ipv4_address + type: ip + - name: destination_ipv4_prefix + type: ip + - name: destination_ipv4_prefix_length + type: short + - name: destination_ipv6_address + type: ip + - name: destination_ipv6_prefix + type: ip + - name: destination_ipv6_prefix_length + type: short + - name: destination_mac_address + type: keyword + - name: destination_transport_port + type: integer + - name: digest_hash_value + type: long + - name: distinct_count_of_destination_ip_address + type: long + - name: distinct_count_of_destination_ipv4_address + type: long + - name: distinct_count_of_destination_ipv6_address + type: long + - name: distinct_count_of_source_ip_address + type: long + - name: distinct_count_of_source_ipv4_address + type: long + - name: distinct_count_of_source_ipv6_address + type: long + - name: dns_authoritative + type: short + - name: dns_cname + type: keyword + - name: dns_id + type: integer + - name: dns_mx_exchange + type: keyword + - name: dns_mx_preference + type: integer + - name: dns_nsd_name + type: keyword + - name: dns_nx_domain + type: short + - name: dns_ptrd_name + type: keyword + - name: dns_qname + type: keyword + - name: dns_qr_type + type: integer + - name: dns_query_response + type: short + - name: dns_rr_section + type: short + - name: dns_soa_expire + type: long + - name: dns_soa_minimum + type: long + - name: dns_soa_refresh + type: long + - name: dns_soa_retry + type: long + - name: dns_soa_serial + type: long + - name: dns_soam_name + type: keyword + - name: dns_soar_name + type: keyword + - name: dns_srv_port + type: integer + - 
name: dns_srv_priority + type: integer + - name: dns_srv_target + type: integer + - name: dns_srv_weight + type: integer + - name: dns_ttl + type: long + - name: dns_txt_data + type: keyword + - name: dot1q_customer_dei + type: boolean + - name: dot1q_customer_destination_mac_address + type: keyword + - name: dot1q_customer_priority + type: short + - name: dot1q_customer_source_mac_address + type: keyword + - name: dot1q_customer_vlan_id + type: integer + - name: dot1q_dei + type: boolean + - name: dot1q_priority + type: short + - name: dot1q_service_instance_id + type: long + - name: dot1q_service_instance_priority + type: short + - name: dot1q_service_instance_tag + type: short + - name: dot1q_vlan_id + type: integer + - name: dropped_layer2_octet_delta_count + type: long + - name: dropped_layer2_octet_total_count + type: long + - name: dropped_octet_delta_count + type: long + - name: dropped_octet_total_count + type: long + - name: dropped_packet_delta_count + type: long + - name: dropped_packet_total_count + type: long + - name: dst_traffic_index + type: long + - name: egress_broadcast_packet_total_count + type: long + - name: egress_interface + type: long + - name: egress_interface_type + type: long + - name: egress_physical_interface + type: long + - name: egress_unicast_packet_total_count + type: long + - name: egress_vrfid + type: long + - name: encrypted_technology + type: keyword + - name: engine_id + type: short + - name: engine_type + type: short + - name: ethernet_header_length + type: short + - name: ethernet_payload_length + type: integer + - name: ethernet_total_length + type: integer + - name: ethernet_type + type: integer + - name: expired_fragment_count + type: long + - name: export_interface + type: long + - name: export_protocol_version + type: short + - name: export_sctp_stream_id + type: integer + - name: export_transport_protocol + type: short + - name: exported_flow_record_total_count + type: long + - name: exported_message_total_count + 
type: long + - name: exported_octet_total_count + type: long + - name: exporter_certificate + type: short + - name: exporter_ipv4_address + type: ip + - name: exporter_ipv6_address + type: ip + - name: exporter_transport_port + type: integer + - name: exporting_process_id + type: long + - name: external_address_realm + type: short + - name: firewall_event + type: short + - name: first_eight_non_empty_packet_directions + type: short + - name: first_non_empty_packet_size + type: integer + - name: first_packet_banner + type: keyword + - name: flags_and_sampler_id + type: long + - name: flow_active_timeout + type: integer + - name: flow_attributes + type: integer + - name: flow_direction + type: short + - name: flow_duration_microseconds + type: long + - name: flow_duration_milliseconds + type: long + - name: flow_end_delta_microseconds + type: long + - name: flow_end_microseconds + type: date + - name: flow_end_milliseconds + type: date + - name: flow_end_nanoseconds + type: date + - name: flow_end_reason + type: short + - name: flow_end_seconds + type: date + - name: flow_end_sys_up_time + type: long + - name: flow_id + type: long + - name: flow_idle_timeout + type: integer + - name: flow_key_indicator + type: long + - name: flow_label_ipv6 + type: long + - name: flow_sampling_time_interval + type: long + - name: flow_sampling_time_spacing + type: long + - name: flow_selected_flow_delta_count + type: long + - name: flow_selected_octet_delta_count + type: long + - name: flow_selected_packet_delta_count + type: long + - name: flow_selector_algorithm + type: integer + - name: flow_start_delta_microseconds + type: long + - name: flow_start_microseconds + type: date + - name: flow_start_milliseconds + type: date + - name: flow_start_nanoseconds + type: date + - name: flow_start_seconds + type: date + - name: flow_start_sys_up_time + type: long + - name: flow_table_flush_event_count + type: long + - name: flow_table_peak_count + type: long + - name: forwarding_status + 
type: short + - name: fragment_flags + type: short + - name: fragment_identification + type: long + - name: fragment_offset + type: integer + - name: fw_blackout_secs + type: long + - name: fw_configured_value + type: long + - name: fw_cts_src_sgt + type: long + - name: fw_event_level + type: long + - name: fw_event_level_id + type: long + - name: fw_ext_event + type: integer + - name: fw_ext_event_alt + type: long + - name: fw_ext_event_desc + type: keyword + - name: fw_half_open_count + type: long + - name: fw_half_open_high + type: long + - name: fw_half_open_rate + type: long + - name: fw_max_sessions + type: long + - name: fw_rule + type: keyword + - name: fw_summary_pkt_count + type: long + - name: fw_zone_pair_id + type: long + - name: fw_zone_pair_name + type: long + - name: global_address_mapping_high_threshold + type: long + - name: gre_key + type: long + - name: hash_digest_output + type: boolean + - name: hash_flow_domain + type: integer + - name: hash_initialiser_value + type: long + - name: hash_ip_payload_offset + type: long + - name: hash_ip_payload_size + type: long + - name: hash_output_range_max + type: long + - name: hash_output_range_min + type: long + - name: hash_selected_range_max + type: long + - name: hash_selected_range_min + type: long + - name: http_content_type + type: keyword + - name: http_message_version + type: keyword + - name: http_reason_phrase + type: keyword + - name: http_request_host + type: keyword + - name: http_request_method + type: keyword + - name: http_request_target + type: keyword + - name: http_status_code + type: integer + - name: http_user_agent + type: keyword + - name: icmp_code_ipv4 + type: short + - name: icmp_code_ipv6 + type: short + - name: icmp_type_code_ipv4 + type: integer + - name: icmp_type_code_ipv6 + type: integer + - name: icmp_type_ipv4 + type: short + - name: icmp_type_ipv6 + type: short + - name: igmp_type + type: short + - name: ignored_data_record_total_count + type: long + - name: 
ignored_layer2_frame_total_count + type: long + - name: ignored_layer2_octet_total_count + type: long + - name: ignored_octet_total_count + type: long + - name: ignored_packet_total_count + type: long + - name: information_element_data_type + type: short + - name: information_element_description + type: keyword + - name: information_element_id + type: integer + - name: information_element_index + type: integer + - name: information_element_name + type: keyword + - name: information_element_range_begin + type: long + - name: information_element_range_end + type: long + - name: information_element_semantics + type: short + - name: information_element_units + type: integer + - name: ingress_broadcast_packet_total_count + type: long + - name: ingress_interface + type: long + - name: ingress_interface_type + type: long + - name: ingress_multicast_packet_total_count + type: long + - name: ingress_physical_interface + type: long + - name: ingress_unicast_packet_total_count + type: long + - name: ingress_vrfid + type: long + - name: initial_tcp_flags + type: short + - name: initiator_octets + type: long + - name: initiator_packets + type: long + - name: interface_description + type: keyword + - name: interface_name + type: keyword + - name: intermediate_process_id + type: long + - name: internal_address_realm + type: short + - name: ip_class_of_service + type: short + - name: ip_diff_serv_code_point + type: short + - name: ip_header_length + type: short + - name: ip_header_packet_section + type: short + - name: ip_next_hop_ipv4_address + type: ip + - name: ip_next_hop_ipv6_address + type: ip + - name: ip_payload_length + type: long + - name: ip_payload_packet_section + type: short + - name: ip_precedence + type: short + - name: ip_sec_spi + type: long + - name: ip_total_length + type: long + - name: ip_ttl + type: short + - name: ip_version + type: short + - name: ipv4_ihl + type: short + - name: ipv4_options + type: long + - name: ipv4_router_sc + type: ip + - name: 
ipv6_extension_headers + type: long + - name: is_multicast + type: short + - name: ixia_browser_id + type: short + - name: ixia_browser_name + type: keyword + - name: ixia_device_id + type: short + - name: ixia_device_name + type: keyword + - name: ixia_dns_answer + type: keyword + - name: ixia_dns_classes + type: keyword + - name: ixia_dns_query + type: keyword + - name: ixia_dns_record_txt + type: keyword + - name: ixia_dst_as_name + type: keyword + - name: ixia_dst_city_name + type: keyword + - name: ixia_dst_country_code + type: keyword + - name: ixia_dst_country_name + type: keyword + - name: ixia_dst_latitude + type: float + - name: ixia_dst_longitude + type: float + - name: ixia_dst_region_code + type: keyword + - name: ixia_dst_region_node + type: keyword + - name: ixia_encrypt_cipher + type: keyword + - name: ixia_encrypt_key_length + type: integer + - name: ixia_encrypt_type + type: keyword + - name: ixia_http_host_name + type: keyword + - name: ixia_http_uri + type: keyword + - name: ixia_http_user_agent + type: keyword + - name: ixia_imsi_subscriber + type: keyword + - name: ixia_l7_app_id + type: long + - name: ixia_l7_app_name + type: keyword + - name: ixia_latency + type: long + - name: ixia_rev_octet_delta_count + type: long + - name: ixia_rev_packet_delta_count + type: long + - name: ixia_src_as_name + type: keyword + - name: ixia_src_city_name + type: keyword + - name: ixia_src_country_code + type: keyword + - name: ixia_src_country_name + type: keyword + - name: ixia_src_latitude + type: float + - name: ixia_src_longitude + type: float + - name: ixia_src_region_code + type: keyword + - name: ixia_src_region_name + type: keyword + - name: ixia_threat_ipv4 + type: ip + - name: ixia_threat_ipv6 + type: ip + - name: ixia_threat_type + type: keyword + - name: large_packet_count + type: long + - name: layer2_frame_delta_count + type: long + - name: layer2_frame_total_count + type: long + - name: layer2_octet_delta_count + type: long + - name: 
layer2_octet_delta_sum_of_squares + type: long + - name: layer2_octet_total_count + type: long + - name: layer2_octet_total_sum_of_squares + type: long + - name: layer2_segment_id + type: long + - name: layer2packet_section_data + type: short + - name: layer2packet_section_offset + type: integer + - name: layer2packet_section_size + type: integer + - name: line_card_id + type: long + - name: log_op + type: short + - name: lower_ci_limit + type: double + - name: mark + type: long + - name: max_bib_entries + type: long + - name: max_entries_per_user + type: long + - name: max_export_seconds + type: date + - name: max_flow_end_microseconds + type: date + - name: max_flow_end_milliseconds + type: date + - name: max_flow_end_nanoseconds + type: date + - name: max_flow_end_seconds + type: date + - name: max_fragments_pending_reassembly + type: long + - name: max_packet_size + type: integer + - name: max_session_entries + type: long + - name: max_subscribers + type: long + - name: maximum_ip_total_length + type: long + - name: maximum_layer2_total_length + type: long + - name: maximum_ttl + type: short + - name: mean_flow_rate + type: long + - name: mean_packet_rate + type: long + - name: message_md5_checksum + type: short + - name: message_scope + type: short + - name: metering_process_id + type: long + - name: metro_evc_id + type: keyword + - name: metro_evc_type + type: short + - name: mib_capture_time_semantics + type: short + - name: mib_context_engine_id + type: short + - name: mib_context_name + type: keyword + - name: mib_index_indicator + type: long + - name: mib_module_name + type: keyword + - name: mib_object_description + type: keyword + - name: mib_object_identifier + type: short + - name: mib_object_name + type: keyword + - name: mib_object_syntax + type: keyword + - name: mib_object_value_bits + type: short + - name: mib_object_value_counter + type: long + - name: mib_object_value_gauge + type: long + - name: mib_object_value_integer + type: integer + - 
name: mib_object_value_ip_address + type: ip + - name: mib_object_value_octet_string + type: short + - name: mib_object_value_oid + type: short + - name: mib_object_value_time_ticks + type: long + - name: mib_object_value_unsigned + type: long + - name: mib_sub_identifier + type: long + - name: min_export_seconds + type: date + - name: min_flow_start_microseconds + type: date + - name: min_flow_start_milliseconds + type: date + - name: min_flow_start_nanoseconds + type: date + - name: min_flow_start_seconds + type: date + - name: minimum_ip_total_length + type: long + - name: minimum_layer2_total_length + type: long + - name: minimum_ttl + type: short + - name: mobile_imsi + type: keyword + - name: mobile_msisdn + type: keyword + - name: monitoring_interval_end_milli_seconds + type: date + - name: monitoring_interval_start_milli_seconds + type: date + - name: mpls_label_stack_depth + type: long + - name: mpls_label_stack_length + type: long + - name: mpls_label_stack_section + type: short + - name: mpls_label_stack_section10 + type: short + - name: mpls_label_stack_section2 + type: short + - name: mpls_label_stack_section3 + type: short + - name: mpls_label_stack_section4 + type: short + - name: mpls_label_stack_section5 + type: short + - name: mpls_label_stack_section6 + type: short + - name: mpls_label_stack_section7 + type: short + - name: mpls_label_stack_section8 + type: short + - name: mpls_label_stack_section9 + type: short + - name: mpls_payload_length + type: long + - name: mpls_payload_packet_section + type: short + - name: mpls_top_label_exp + type: short + - name: mpls_top_label_ipv4_address + type: ip + - name: mpls_top_label_ipv6_address + type: ip + - name: mpls_top_label_prefix_length + type: short + - name: mpls_top_label_stack_section + type: short + - name: mpls_top_label_ttl + type: short + - name: mpls_top_label_type + type: short + - name: mpls_vpn_route_distinguisher + type: short + - name: mptcp_address_id + type: short + - name: mptcp_flags 
+ type: short + - name: mptcp_initial_data_sequence_number + type: long + - name: mptcp_maximum_segment_size + type: integer + - name: mptcp_receiver_token + type: long + - name: multicast_replication_factor + type: long + - name: nat_event + type: short + - name: nat_inside_svcid + type: integer + - name: nat_instance_id + type: long + - name: nat_originating_address_realm + type: short + - name: nat_outside_svcid + type: integer + - name: nat_pool_id + type: long + - name: nat_pool_name + type: keyword + - name: nat_quota_exceeded_event + type: long + - name: nat_sub_string + type: keyword + - name: nat_threshold_event + type: long + - name: nat_type + type: short + - name: netscale_ica_client_version + type: keyword + - name: netscaler_aaa_username + type: keyword + - name: netscaler_app_name + type: keyword + - name: netscaler_app_name_app_id + type: long + - name: netscaler_app_name_incarnation_number + type: long + - name: netscaler_app_template_name + type: keyword + - name: netscaler_app_unit_name_app_id + type: long + - name: netscaler_application_startup_duration + type: long + - name: netscaler_application_startup_time + type: long + - name: netscaler_cache_redir_client_connection_core_id + type: long + - name: netscaler_cache_redir_client_connection_transaction_id + type: long + - name: netscaler_client_rtt + type: long + - name: netscaler_connection_chain_hop_count + type: long + - name: netscaler_connection_chain_id + type: short + - name: netscaler_connection_id + type: long + - name: netscaler_current_license_consumed + type: long + - name: netscaler_db_clt_host_name + type: keyword + - name: netscaler_db_database_name + type: keyword + - name: netscaler_db_login_flags + type: long + - name: netscaler_db_protocol_name + type: short + - name: netscaler_db_req_string + type: keyword + - name: netscaler_db_req_type + type: short + - name: netscaler_db_resp_length + type: long + - name: netscaler_db_resp_status + type: long + - name: 
netscaler_db_resp_status_string + type: keyword + - name: netscaler_db_user_name + type: keyword + - name: netscaler_flow_flags + type: long + - name: netscaler_http_client_interaction_end_time + type: keyword + - name: netscaler_http_client_interaction_start_time + type: keyword + - name: netscaler_http_client_render_end_time + type: keyword + - name: netscaler_http_client_render_start_time + type: keyword + - name: netscaler_http_content_type + type: keyword + - name: netscaler_http_domain_name + type: keyword + - name: netscaler_http_req_authorization + type: keyword + - name: netscaler_http_req_cookie + type: keyword + - name: netscaler_http_req_forw_fb + type: long + - name: netscaler_http_req_forw_lb + type: long + - name: netscaler_http_req_host + type: keyword + - name: netscaler_http_req_method + type: keyword + - name: netscaler_http_req_rcv_fb + type: long + - name: netscaler_http_req_rcv_lb + type: long + - name: netscaler_http_req_referer + type: keyword + - name: netscaler_http_req_url + type: keyword + - name: netscaler_http_req_user_agent + type: keyword + - name: netscaler_http_req_via + type: keyword + - name: netscaler_http_req_xforwarded_for + type: keyword + - name: netscaler_http_res_forw_fb + type: long + - name: netscaler_http_res_forw_lb + type: long + - name: netscaler_http_res_location + type: keyword + - name: netscaler_http_res_rcv_fb + type: long + - name: netscaler_http_res_rcv_lb + type: long + - name: netscaler_http_res_set_cookie + type: keyword + - name: netscaler_http_res_set_cookie2 + type: keyword + - name: netscaler_http_rsp_len + type: long + - name: netscaler_http_rsp_status + type: integer + - name: netscaler_ica_app_module_path + type: keyword + - name: netscaler_ica_app_process_id + type: long + - name: netscaler_ica_application_name + type: keyword + - name: netscaler_ica_application_termination_time + type: long + - name: netscaler_ica_application_termination_type + type: integer + - name: netscaler_ica_channel_id1 + 
type: long + - name: netscaler_ica_channel_id1_bytes + type: long + - name: netscaler_ica_channel_id2 + type: long + - name: netscaler_ica_channel_id2_bytes + type: long + - name: netscaler_ica_channel_id3 + type: long + - name: netscaler_ica_channel_id3_bytes + type: long + - name: netscaler_ica_channel_id4 + type: long + - name: netscaler_ica_channel_id4_bytes + type: long + - name: netscaler_ica_channel_id5 + type: long + - name: netscaler_ica_channel_id5_bytes + type: long + - name: netscaler_ica_client_host_name + type: keyword + - name: netscaler_ica_client_ip + type: ip + - name: netscaler_ica_client_launcher + type: integer + - name: netscaler_ica_client_side_rto_count + type: integer + - name: netscaler_ica_client_side_window_size + type: integer + - name: netscaler_ica_client_type + type: integer + - name: netscaler_ica_clientside_delay + type: long + - name: netscaler_ica_clientside_jitter + type: long + - name: netscaler_ica_clientside_packets_retransmit + type: integer + - name: netscaler_ica_clientside_rtt + type: long + - name: netscaler_ica_clientside_rx_bytes + type: long + - name: netscaler_ica_clientside_srtt + type: long + - name: netscaler_ica_clientside_tx_bytes + type: long + - name: netscaler_ica_connection_priority + type: integer + - name: netscaler_ica_device_serial_no + type: long + - name: netscaler_ica_domain_name + type: keyword + - name: netscaler_ica_flags + type: long + - name: netscaler_ica_host_delay + type: long + - name: netscaler_ica_l7_client_latency + type: long + - name: netscaler_ica_l7_server_latency + type: long + - name: netscaler_ica_launch_mechanism + type: integer + - name: netscaler_ica_network_update_end_time + type: long + - name: netscaler_ica_network_update_start_time + type: long + - name: netscaler_ica_rtt + type: long + - name: netscaler_ica_server_name + type: keyword + - name: netscaler_ica_server_side_rto_count + type: integer + - name: netscaler_ica_server_side_window_size + type: integer + - name: 
netscaler_ica_serverside_delay + type: long + - name: netscaler_ica_serverside_jitter + type: long + - name: netscaler_ica_serverside_packets_retransmit + type: integer + - name: netscaler_ica_serverside_rtt + type: long + - name: netscaler_ica_serverside_srtt + type: long + - name: netscaler_ica_session_end_time + type: long + - name: netscaler_ica_session_guid + type: short + - name: netscaler_ica_session_reconnects + type: short + - name: netscaler_ica_session_setup_time + type: long + - name: netscaler_ica_session_update_begin_sec + type: long + - name: netscaler_ica_session_update_end_sec + type: long + - name: netscaler_ica_username + type: keyword + - name: netscaler_license_type + type: short + - name: netscaler_main_page_core_id + type: long + - name: netscaler_main_page_id + type: long + - name: netscaler_max_license_count + type: long + - name: netscaler_msi_client_cookie + type: short + - name: netscaler_round_trip_time + type: long + - name: netscaler_server_ttfb + type: long + - name: netscaler_server_ttlb + type: long + - name: netscaler_syslog_message + type: keyword + - name: netscaler_syslog_priority + type: short + - name: netscaler_syslog_timestamp + type: long + - name: netscaler_transaction_id + type: long + - name: netscaler_unknown270 + type: long + - name: netscaler_unknown271 + type: long + - name: netscaler_unknown272 + type: long + - name: netscaler_unknown273 + type: long + - name: netscaler_unknown274 + type: long + - name: netscaler_unknown275 + type: long + - name: netscaler_unknown276 + type: long + - name: netscaler_unknown277 + type: long + - name: netscaler_unknown278 + type: long + - name: netscaler_unknown279 + type: long + - name: netscaler_unknown280 + type: long + - name: netscaler_unknown281 + type: long + - name: netscaler_unknown282 + type: long + - name: netscaler_unknown283 + type: long + - name: netscaler_unknown284 + type: long + - name: netscaler_unknown285 + type: long + - name: netscaler_unknown286 + type: long + - 
name: netscaler_unknown287 + type: long + - name: netscaler_unknown288 + type: long + - name: netscaler_unknown289 + type: long + - name: netscaler_unknown290 + type: long + - name: netscaler_unknown291 + type: long + - name: netscaler_unknown292 + type: long + - name: netscaler_unknown293 + type: long + - name: netscaler_unknown294 + type: long + - name: netscaler_unknown295 + type: long + - name: netscaler_unknown296 + type: long + - name: netscaler_unknown297 + type: long + - name: netscaler_unknown298 + type: long + - name: netscaler_unknown299 + type: long + - name: netscaler_unknown300 + type: long + - name: netscaler_unknown301 + type: long + - name: netscaler_unknown302 + type: long + - name: netscaler_unknown303 + type: long + - name: netscaler_unknown304 + type: long + - name: netscaler_unknown305 + type: long + - name: netscaler_unknown306 + type: long + - name: netscaler_unknown307 + type: long + - name: netscaler_unknown308 + type: long + - name: netscaler_unknown309 + type: long + - name: netscaler_unknown310 + type: long + - name: netscaler_unknown311 + type: long + - name: netscaler_unknown312 + type: long + - name: netscaler_unknown313 + type: long + - name: netscaler_unknown314 + type: long + - name: netscaler_unknown315 + type: long + - name: netscaler_unknown316 + type: keyword + - name: netscaler_unknown317 + type: long + - name: netscaler_unknown318 + type: long + - name: netscaler_unknown319 + type: keyword + - name: netscaler_unknown320 + type: integer + - name: netscaler_unknown321 + type: long + - name: netscaler_unknown322 + type: long + - name: netscaler_unknown323 + type: integer + - name: netscaler_unknown324 + type: integer + - name: netscaler_unknown325 + type: integer + - name: netscaler_unknown326 + type: integer + - name: netscaler_unknown327 + type: long + - name: netscaler_unknown328 + type: integer + - name: netscaler_unknown329 + type: integer + - name: netscaler_unknown330 + type: integer + - name: netscaler_unknown331 + 
type: integer + - name: netscaler_unknown332 + type: long + - name: netscaler_unknown333 + type: keyword + - name: netscaler_unknown334 + type: keyword + - name: netscaler_unknown335 + type: long + - name: netscaler_unknown336 + type: long + - name: netscaler_unknown337 + type: long + - name: netscaler_unknown338 + type: long + - name: netscaler_unknown339 + type: long + - name: netscaler_unknown340 + type: long + - name: netscaler_unknown341 + type: long + - name: netscaler_unknown342 + type: long + - name: netscaler_unknown343 + type: long + - name: netscaler_unknown344 + type: long + - name: netscaler_unknown345 + type: long + - name: netscaler_unknown346 + type: long + - name: netscaler_unknown347 + type: long + - name: netscaler_unknown348 + type: integer + - name: netscaler_unknown349 + type: keyword + - name: netscaler_unknown350 + type: keyword + - name: netscaler_unknown351 + type: keyword + - name: netscaler_unknown352 + type: integer + - name: netscaler_unknown353 + type: long + - name: netscaler_unknown354 + type: long + - name: netscaler_unknown355 + type: long + - name: netscaler_unknown356 + type: long + - name: netscaler_unknown357 + type: long + - name: netscaler_unknown363 + type: short + - name: netscaler_unknown383 + type: short + - name: netscaler_unknown391 + type: long + - name: netscaler_unknown398 + type: long + - name: netscaler_unknown404 + type: long + - name: netscaler_unknown405 + type: long + - name: netscaler_unknown427 + type: long + - name: netscaler_unknown429 + type: short + - name: netscaler_unknown432 + type: short + - name: netscaler_unknown433 + type: short + - name: netscaler_unknown453 + type: long + - name: netscaler_unknown465 + type: long + - name: new_connection_delta_count + type: long + - name: next_header_ipv6 + type: short + - name: non_empty_packet_count + type: long + - name: not_sent_flow_total_count + type: long + - name: not_sent_layer2_octet_total_count + type: long + - name: not_sent_octet_total_count + type: 
long + - name: not_sent_packet_total_count + type: long + - name: observation_domain_id + type: long + - name: observation_domain_name + type: keyword + - name: observation_point_id + type: long + - name: observation_point_type + type: short + - name: observation_time_microseconds + type: date + - name: observation_time_milliseconds + type: date + - name: observation_time_nanoseconds + type: date + - name: observation_time_seconds + type: date + - name: observed_flow_total_count + type: long + - name: octet_delta_count + type: long + - name: octet_delta_sum_of_squares + type: long + - name: octet_total_count + type: long + - name: octet_total_sum_of_squares + type: long + - name: opaque_octets + type: short + - name: original_exporter_ipv4_address + type: ip + - name: original_exporter_ipv6_address + type: ip + - name: original_flows_completed + type: long + - name: original_flows_initiated + type: long + - name: original_flows_present + type: long + - name: original_observation_domain_id + type: long + - name: os_finger_print + type: keyword + - name: os_name + type: keyword + - name: os_version + type: keyword + - name: p2p_technology + type: keyword + - name: packet_delta_count + type: long + - name: packet_total_count + type: long + - name: padding_octets + type: short + - name: payload + type: keyword + - name: payload_entropy + type: short + - name: payload_length_ipv6 + type: integer + - name: policy_qos_classification_hierarchy + type: long + - name: policy_qos_queue_index + type: long + - name: policy_qos_queuedrops + type: long + - name: policy_qos_queueindex + type: long + - name: port_id + type: long + - name: port_range_end + type: integer + - name: port_range_num_ports + type: integer + - name: port_range_start + type: integer + - name: port_range_step_size + type: integer + - name: post_destination_mac_address + type: keyword + - name: post_dot1q_customer_vlan_id + type: integer + - name: post_dot1q_vlan_id + type: integer + - name: 
post_ip_class_of_service + type: short + - name: post_ip_diff_serv_code_point + type: short + - name: post_ip_precedence + type: short + - name: post_layer2_octet_delta_count + type: long + - name: post_layer2_octet_total_count + type: long + - name: post_mcast_layer2_octet_delta_count + type: long + - name: post_mcast_layer2_octet_total_count + type: long + - name: post_mcast_octet_delta_count + type: long + - name: post_mcast_octet_total_count + type: long + - name: post_mcast_packet_delta_count + type: long + - name: post_mcast_packet_total_count + type: long + - name: post_mpls_top_label_exp + type: short + - name: post_napt_destination_transport_port + type: integer + - name: post_napt_source_transport_port + type: integer + - name: post_nat_destination_ipv4_address + type: ip + - name: post_nat_destination_ipv6_address + type: ip + - name: post_nat_source_ipv4_address + type: ip + - name: post_nat_source_ipv6_address + type: ip + - name: post_octet_delta_count + type: long + - name: post_octet_total_count + type: long + - name: post_packet_delta_count + type: long + - name: post_packet_total_count + type: long + - name: post_source_mac_address + type: keyword + - name: post_vlan_id + type: integer + - name: private_enterprise_number + type: long + - name: procera_apn + type: keyword + - name: procera_base_service + type: keyword + - name: procera_content_categories + type: keyword + - name: procera_device_id + type: long + - name: procera_external_rtt + type: integer + - name: procera_flow_behavior + type: keyword + - name: procera_ggsn + type: keyword + - name: procera_http_content_type + type: keyword + - name: procera_http_file_length + type: long + - name: procera_http_language + type: keyword + - name: procera_http_location + type: keyword + - name: procera_http_referer + type: keyword + - name: procera_http_request_method + type: keyword + - name: procera_http_request_version + type: keyword + - name: procera_http_response_status + type: integer + - 
name: procera_http_url + type: keyword + - name: procera_http_user_agent + type: keyword + - name: procera_imsi + type: long + - name: procera_incoming_octets + type: long + - name: procera_incoming_packets + type: long + - name: procera_incoming_shaping_drops + type: long + - name: procera_incoming_shaping_latency + type: integer + - name: procera_internal_rtt + type: integer + - name: procera_local_ipv4_host + type: ip + - name: procera_local_ipv6_host + type: ip + - name: procera_msisdn + type: long + - name: procera_outgoing_octets + type: long + - name: procera_outgoing_packets + type: long + - name: procera_outgoing_shaping_drops + type: long + - name: procera_outgoing_shaping_latency + type: integer + - name: procera_property + type: keyword + - name: procera_qoe_incoming_external + type: float + - name: procera_qoe_incoming_internal + type: float + - name: procera_qoe_outgoing_external + type: float + - name: procera_qoe_outgoing_internal + type: float + - name: procera_rat + type: keyword + - name: procera_remote_ipv4_host + type: ip + - name: procera_remote_ipv6_host + type: ip + - name: procera_rnc + type: integer + - name: procera_server_hostname + type: keyword + - name: procera_service + type: keyword + - name: procera_sgsn + type: keyword + - name: procera_subscriber_identifier + type: keyword + - name: procera_template_name + type: keyword + - name: procera_user_location_information + type: keyword + - name: protocol_identifier + type: short + - name: pseudo_wire_control_word + type: long + - name: pseudo_wire_destination_ipv4_address + type: ip + - name: pseudo_wire_id + type: long + - name: pseudo_wire_type + type: integer + - name: reason + type: long + - name: reason_text + type: keyword + - name: relative_error + type: double + - name: responder_octets + type: long + - name: responder_packets + type: long + - name: reverse_absolute_error + type: double + - name: reverse_anonymization_flags + type: integer + - name: 
reverse_anonymization_technique + type: integer + - name: reverse_application_category_name + type: keyword + - name: reverse_application_description + type: keyword + - name: reverse_application_group_name + type: keyword + - name: reverse_application_id + type: keyword + - name: reverse_application_name + type: keyword + - name: reverse_application_sub_category_name + type: keyword + - name: reverse_average_interarrival_time + type: long + - name: reverse_bgp_destination_as_number + type: long + - name: reverse_bgp_next_adjacent_as_number + type: long + - name: reverse_bgp_next_hop_ipv4_address + type: ip + - name: reverse_bgp_next_hop_ipv6_address + type: ip + - name: reverse_bgp_prev_adjacent_as_number + type: long + - name: reverse_bgp_source_as_number + type: long + - name: reverse_bgp_validity_state + type: short + - name: reverse_class_id + type: short + - name: reverse_class_name + type: keyword + - name: reverse_classification_engine_id + type: short + - name: reverse_collection_time_milliseconds + type: long + - name: reverse_collector_certificate + type: keyword + - name: reverse_confidence_level + type: double + - name: reverse_connection_sum_duration_seconds + type: long + - name: reverse_connection_transaction_id + type: long + - name: reverse_data_byte_count + type: long + - name: reverse_data_link_frame_section + type: keyword + - name: reverse_data_link_frame_size + type: integer + - name: reverse_data_link_frame_type + type: integer + - name: reverse_data_records_reliability + type: short + - name: reverse_delta_flow_count + type: long + - name: reverse_destination_ipv4_address + type: ip + - name: reverse_destination_ipv4_prefix + type: ip + - name: reverse_destination_ipv4_prefix_length + type: short + - name: reverse_destination_ipv6_address + type: ip + - name: reverse_destination_ipv6_prefix + type: ip + - name: reverse_destination_ipv6_prefix_length + type: short + - name: reverse_destination_mac_address + type: keyword + - name: 
reverse_destination_transport_port + type: integer + - name: reverse_digest_hash_value + type: long + - name: reverse_distinct_count_of_destination_ip_address + type: long + - name: reverse_distinct_count_of_destination_ipv4_address + type: long + - name: reverse_distinct_count_of_destination_ipv6_address + type: long + - name: reverse_distinct_count_of_source_ip_address + type: long + - name: reverse_distinct_count_of_source_ipv4_address + type: long + - name: reverse_distinct_count_of_source_ipv6_address + type: long + - name: reverse_dot1q_customer_dei + type: short + - name: reverse_dot1q_customer_destination_mac_address + type: keyword + - name: reverse_dot1q_customer_priority + type: short + - name: reverse_dot1q_customer_source_mac_address + type: keyword + - name: reverse_dot1q_customer_vlan_id + type: integer + - name: reverse_dot1q_dei + type: short + - name: reverse_dot1q_priority + type: short + - name: reverse_dot1q_service_instance_id + type: long + - name: reverse_dot1q_service_instance_priority + type: short + - name: reverse_dot1q_service_instance_tag + type: keyword + - name: reverse_dot1q_vlan_id + type: integer + - name: reverse_dropped_layer2_octet_delta_count + type: long + - name: reverse_dropped_layer2_octet_total_count + type: long + - name: reverse_dropped_octet_delta_count + type: long + - name: reverse_dropped_octet_total_count + type: long + - name: reverse_dropped_packet_delta_count + type: long + - name: reverse_dropped_packet_total_count + type: long + - name: reverse_dst_traffic_index + type: long + - name: reverse_egress_broadcast_packet_total_count + type: long + - name: reverse_egress_interface + type: long + - name: reverse_egress_interface_type + type: long + - name: reverse_egress_physical_interface + type: long + - name: reverse_egress_unicast_packet_total_count + type: long + - name: reverse_egress_vrfid + type: long + - name: reverse_encrypted_technology + type: keyword + - name: reverse_engine_id + type: short + - name: 
reverse_engine_type + type: short + - name: reverse_ethernet_header_length + type: short + - name: reverse_ethernet_payload_length + type: integer + - name: reverse_ethernet_total_length + type: integer + - name: reverse_ethernet_type + type: integer + - name: reverse_export_sctp_stream_id + type: integer + - name: reverse_exporter_certificate + type: keyword + - name: reverse_exporting_process_id + type: long + - name: reverse_firewall_event + type: short + - name: reverse_first_non_empty_packet_size + type: integer + - name: reverse_first_packet_banner + type: keyword + - name: reverse_flags_and_sampler_id + type: long + - name: reverse_flow_active_timeout + type: integer + - name: reverse_flow_attributes + type: integer + - name: reverse_flow_delta_milliseconds + type: long + - name: reverse_flow_direction + type: short + - name: reverse_flow_duration_microseconds + type: long + - name: reverse_flow_duration_milliseconds + type: long + - name: reverse_flow_end_delta_microseconds + type: long + - name: reverse_flow_end_microseconds + type: long + - name: reverse_flow_end_milliseconds + type: long + - name: reverse_flow_end_nanoseconds + type: long + - name: reverse_flow_end_reason + type: short + - name: reverse_flow_end_seconds + type: long + - name: reverse_flow_end_sys_up_time + type: long + - name: reverse_flow_idle_timeout + type: integer + - name: reverse_flow_label_ipv6 + type: long + - name: reverse_flow_sampling_time_interval + type: long + - name: reverse_flow_sampling_time_spacing + type: long + - name: reverse_flow_selected_flow_delta_count + type: long + - name: reverse_flow_selected_octet_delta_count + type: long + - name: reverse_flow_selected_packet_delta_count + type: long + - name: reverse_flow_selector_algorithm + type: integer + - name: reverse_flow_start_delta_microseconds + type: long + - name: reverse_flow_start_microseconds + type: long + - name: reverse_flow_start_milliseconds + type: long + - name: reverse_flow_start_nanoseconds + type: 
long + - name: reverse_flow_start_seconds + type: long + - name: reverse_flow_start_sys_up_time + type: long + - name: reverse_forwarding_status + type: long + - name: reverse_fragment_flags + type: short + - name: reverse_fragment_identification + type: long + - name: reverse_fragment_offset + type: integer + - name: reverse_gre_key + type: long + - name: reverse_hash_digest_output + type: short + - name: reverse_hash_flow_domain + type: integer + - name: reverse_hash_initialiser_value + type: long + - name: reverse_hash_ip_payload_offset + type: long + - name: reverse_hash_ip_payload_size + type: long + - name: reverse_hash_output_range_max + type: long + - name: reverse_hash_output_range_min + type: long + - name: reverse_hash_selected_range_max + type: long + - name: reverse_hash_selected_range_min + type: long + - name: reverse_icmp_code_ipv4 + type: short + - name: reverse_icmp_code_ipv6 + type: short + - name: reverse_icmp_type_code_ipv4 + type: integer + - name: reverse_icmp_type_code_ipv6 + type: integer + - name: reverse_icmp_type_ipv4 + type: short + - name: reverse_icmp_type_ipv6 + type: short + - name: reverse_igmp_type + type: short + - name: reverse_ignored_data_record_total_count + type: long + - name: reverse_ignored_layer2_frame_total_count + type: long + - name: reverse_ignored_layer2_octet_total_count + type: long + - name: reverse_information_element_data_type + type: short + - name: reverse_information_element_description + type: keyword + - name: reverse_information_element_id + type: integer + - name: reverse_information_element_index + type: integer + - name: reverse_information_element_name + type: keyword + - name: reverse_information_element_range_begin + type: long + - name: reverse_information_element_range_end + type: long + - name: reverse_information_element_semantics + type: short + - name: reverse_information_element_units + type: integer + - name: reverse_ingress_broadcast_packet_total_count + type: long + - name: 
reverse_ingress_interface + type: long + - name: reverse_ingress_interface_type + type: long + - name: reverse_ingress_multicast_packet_total_count + type: long + - name: reverse_ingress_physical_interface + type: long + - name: reverse_ingress_unicast_packet_total_count + type: long + - name: reverse_ingress_vrfid + type: long + - name: reverse_initial_tcp_flags + type: short + - name: reverse_initiator_octets + type: long + - name: reverse_initiator_packets + type: long + - name: reverse_interface_description + type: keyword + - name: reverse_interface_name + type: keyword + - name: reverse_intermediate_process_id + type: long + - name: reverse_ip_class_of_service + type: short + - name: reverse_ip_diff_serv_code_point + type: short + - name: reverse_ip_header_length + type: short + - name: reverse_ip_header_packet_section + type: keyword + - name: reverse_ip_next_hop_ipv4_address + type: ip + - name: reverse_ip_next_hop_ipv6_address + type: ip + - name: reverse_ip_payload_length + type: long + - name: reverse_ip_payload_packet_section + type: keyword + - name: reverse_ip_precedence + type: short + - name: reverse_ip_sec_spi + type: long + - name: reverse_ip_total_length + type: long + - name: reverse_ip_ttl + type: short + - name: reverse_ip_version + type: short + - name: reverse_ipv4_ihl + type: short + - name: reverse_ipv4_options + type: long + - name: reverse_ipv4_router_sc + type: ip + - name: reverse_ipv6_extension_headers + type: long + - name: reverse_is_multicast + type: short + - name: reverse_large_packet_count + type: long + - name: reverse_layer2_frame_delta_count + type: long + - name: reverse_layer2_frame_total_count + type: long + - name: reverse_layer2_octet_delta_count + type: long + - name: reverse_layer2_octet_delta_sum_of_squares + type: long + - name: reverse_layer2_octet_total_count + type: long + - name: reverse_layer2_octet_total_sum_of_squares + type: long + - name: reverse_layer2_segment_id + type: long + - name: 
reverse_layer2packet_section_data + type: keyword + - name: reverse_layer2packet_section_offset + type: integer + - name: reverse_layer2packet_section_size + type: integer + - name: reverse_line_card_id + type: long + - name: reverse_lower_ci_limit + type: double + - name: reverse_max_export_seconds + type: long + - name: reverse_max_flow_end_microseconds + type: long + - name: reverse_max_flow_end_milliseconds + type: long + - name: reverse_max_flow_end_nanoseconds + type: long + - name: reverse_max_flow_end_seconds + type: long + - name: reverse_max_packet_size + type: integer + - name: reverse_maximum_ip_total_length + type: long + - name: reverse_maximum_layer2_total_length + type: long + - name: reverse_maximum_ttl + type: short + - name: reverse_message_md5_checksum + type: keyword + - name: reverse_message_scope + type: short + - name: reverse_metering_process_id + type: long + - name: reverse_metro_evc_id + type: keyword + - name: reverse_metro_evc_type + type: short + - name: reverse_min_export_seconds + type: long + - name: reverse_min_flow_start_microseconds + type: long + - name: reverse_min_flow_start_milliseconds + type: long + - name: reverse_min_flow_start_nanoseconds + type: long + - name: reverse_min_flow_start_seconds + type: long + - name: reverse_minimum_ip_total_length + type: long + - name: reverse_minimum_layer2_total_length + type: long + - name: reverse_minimum_ttl + type: short + - name: reverse_monitoring_interval_end_milli_seconds + type: long + - name: reverse_monitoring_interval_start_milli_seconds + type: long + - name: reverse_mpls_label_stack_depth + type: long + - name: reverse_mpls_label_stack_length + type: long + - name: reverse_mpls_label_stack_section + type: keyword + - name: reverse_mpls_label_stack_section10 + type: keyword + - name: reverse_mpls_label_stack_section2 + type: keyword + - name: reverse_mpls_label_stack_section3 + type: keyword + - name: reverse_mpls_label_stack_section4 + type: keyword + - name: 
reverse_mpls_label_stack_section5 + type: keyword + - name: reverse_mpls_label_stack_section6 + type: keyword + - name: reverse_mpls_label_stack_section7 + type: keyword + - name: reverse_mpls_label_stack_section8 + type: keyword + - name: reverse_mpls_label_stack_section9 + type: keyword + - name: reverse_mpls_payload_length + type: long + - name: reverse_mpls_payload_packet_section + type: keyword + - name: reverse_mpls_top_label_exp + type: short + - name: reverse_mpls_top_label_ipv4_address + type: ip + - name: reverse_mpls_top_label_ipv6_address + type: ip + - name: reverse_mpls_top_label_prefix_length + type: short + - name: reverse_mpls_top_label_stack_section + type: keyword + - name: reverse_mpls_top_label_ttl + type: short + - name: reverse_mpls_top_label_type + type: short + - name: reverse_mpls_vpn_route_distinguisher + type: keyword + - name: reverse_multicast_replication_factor + type: long + - name: reverse_nat_event + type: short + - name: reverse_nat_originating_address_realm + type: short + - name: reverse_nat_pool_id + type: long + - name: reverse_nat_pool_name + type: keyword + - name: reverse_nat_type + type: short + - name: reverse_new_connection_delta_count + type: long + - name: reverse_next_header_ipv6 + type: short + - name: reverse_non_empty_packet_count + type: long + - name: reverse_not_sent_layer2_octet_total_count + type: long + - name: reverse_observation_domain_name + type: keyword + - name: reverse_observation_point_id + type: long + - name: reverse_observation_point_type + type: short + - name: reverse_observation_time_microseconds + type: long + - name: reverse_observation_time_milliseconds + type: long + - name: reverse_observation_time_nanoseconds + type: long + - name: reverse_observation_time_seconds + type: long + - name: reverse_octet_delta_count + type: long + - name: reverse_octet_delta_sum_of_squares + type: long + - name: reverse_octet_total_count + type: long + - name: reverse_octet_total_sum_of_squares + type: long + 
- name: reverse_opaque_octets + type: keyword + - name: reverse_original_exporter_ipv4_address + type: ip + - name: reverse_original_exporter_ipv6_address + type: ip + - name: reverse_original_flows_completed + type: long + - name: reverse_original_flows_initiated + type: long + - name: reverse_original_flows_present + type: long + - name: reverse_original_observation_domain_id + type: long + - name: reverse_os_finger_print + type: keyword + - name: reverse_os_name + type: keyword + - name: reverse_os_version + type: keyword + - name: reverse_p2p_technology + type: keyword + - name: reverse_packet_delta_count + type: long + - name: reverse_packet_total_count + type: long + - name: reverse_payload + type: keyword + - name: reverse_payload_entropy + type: short + - name: reverse_payload_length_ipv6 + type: integer + - name: reverse_port_id + type: long + - name: reverse_port_range_end + type: integer + - name: reverse_port_range_num_ports + type: integer + - name: reverse_port_range_start + type: integer + - name: reverse_port_range_step_size + type: integer + - name: reverse_post_destination_mac_address + type: keyword + - name: reverse_post_dot1q_customer_vlan_id + type: integer + - name: reverse_post_dot1q_vlan_id + type: integer + - name: reverse_post_ip_class_of_service + type: short + - name: reverse_post_ip_diff_serv_code_point + type: short + - name: reverse_post_ip_precedence + type: short + - name: reverse_post_layer2_octet_delta_count + type: long + - name: reverse_post_layer2_octet_total_count + type: long + - name: reverse_post_mcast_layer2_octet_delta_count + type: long + - name: reverse_post_mcast_layer2_octet_total_count + type: long + - name: reverse_post_mcast_octet_delta_count + type: long + - name: reverse_post_mcast_octet_total_count + type: long + - name: reverse_post_mcast_packet_delta_count + type: long + - name: reverse_post_mcast_packet_total_count + type: long + - name: reverse_post_mpls_top_label_exp + type: short + - name: 
reverse_post_napt_destination_transport_port + type: integer + - name: reverse_post_napt_source_transport_port + type: integer + - name: reverse_post_nat_destination_ipv4_address + type: ip + - name: reverse_post_nat_destination_ipv6_address + type: ip + - name: reverse_post_nat_source_ipv4_address + type: ip + - name: reverse_post_nat_source_ipv6_address + type: ip + - name: reverse_post_octet_delta_count + type: long + - name: reverse_post_octet_total_count + type: long + - name: reverse_post_packet_delta_count + type: long + - name: reverse_post_packet_total_count + type: long + - name: reverse_post_source_mac_address + type: keyword + - name: reverse_post_vlan_id + type: integer + - name: reverse_private_enterprise_number + type: long + - name: reverse_protocol_identifier + type: short + - name: reverse_pseudo_wire_control_word + type: long + - name: reverse_pseudo_wire_destination_ipv4_address + type: ip + - name: reverse_pseudo_wire_id + type: long + - name: reverse_pseudo_wire_type + type: integer + - name: reverse_relative_error + type: double + - name: reverse_responder_octets + type: long + - name: reverse_responder_packets + type: long + - name: reverse_rfc3550_jitter_microseconds + type: long + - name: reverse_rfc3550_jitter_milliseconds + type: long + - name: reverse_rfc3550_jitter_nanoseconds + type: long + - name: reverse_rtp_payload_type + type: short + - name: reverse_rtp_sequence_number + type: integer + - name: reverse_sampler_id + type: short + - name: reverse_sampler_mode + type: short + - name: reverse_sampler_name + type: keyword + - name: reverse_sampler_random_interval + type: long + - name: reverse_sampling_algorithm + type: short + - name: reverse_sampling_flow_interval + type: long + - name: reverse_sampling_flow_spacing + type: long + - name: reverse_sampling_interval + type: long + - name: reverse_sampling_packet_interval + type: long + - name: reverse_sampling_packet_space + type: long + - name: reverse_sampling_population + type: 
long + - name: reverse_sampling_probability + type: double + - name: reverse_sampling_size + type: long + - name: reverse_sampling_time_interval + type: long + - name: reverse_sampling_time_space + type: long + - name: reverse_second_packet_banner + type: keyword + - name: reverse_section_exported_octets + type: integer + - name: reverse_section_offset + type: integer + - name: reverse_selection_sequence_id + type: long + - name: reverse_selector_algorithm + type: integer + - name: reverse_selector_id + type: long + - name: reverse_selector_id_total_flows_observed + type: long + - name: reverse_selector_id_total_flows_selected + type: long + - name: reverse_selector_id_total_pkts_observed + type: long + - name: reverse_selector_id_total_pkts_selected + type: long + - name: reverse_selector_name + type: keyword + - name: reverse_session_scope + type: short + - name: reverse_small_packet_count + type: long + - name: reverse_source_ipv4_address + type: ip + - name: reverse_source_ipv4_prefix + type: ip + - name: reverse_source_ipv4_prefix_length + type: short + - name: reverse_source_ipv6_address + type: ip + - name: reverse_source_ipv6_prefix + type: ip + - name: reverse_source_ipv6_prefix_length + type: short + - name: reverse_source_mac_address + type: keyword + - name: reverse_source_transport_port + type: integer + - name: reverse_src_traffic_index + type: long + - name: reverse_sta_ipv4_address + type: ip + - name: reverse_sta_mac_address + type: keyword + - name: reverse_standard_deviation_interarrival_time + type: long + - name: reverse_standard_deviation_payload_length + type: integer + - name: reverse_system_init_time_milliseconds + type: long + - name: reverse_tcp_ack_total_count + type: long + - name: reverse_tcp_acknowledgement_number + type: long + - name: reverse_tcp_control_bits + type: integer + - name: reverse_tcp_destination_port + type: integer + - name: reverse_tcp_fin_total_count + type: long + - name: reverse_tcp_header_length + type: short + - 
name: reverse_tcp_options + type: long + - name: reverse_tcp_psh_total_count + type: long + - name: reverse_tcp_rst_total_count + type: long + - name: reverse_tcp_sequence_number + type: long + - name: reverse_tcp_source_port + type: integer + - name: reverse_tcp_syn_total_count + type: long + - name: reverse_tcp_urg_total_count + type: long + - name: reverse_tcp_urgent_pointer + type: integer + - name: reverse_tcp_window_scale + type: integer + - name: reverse_tcp_window_size + type: integer + - name: reverse_total_length_ipv4 + type: integer + - name: reverse_transport_octet_delta_count + type: long + - name: reverse_transport_packet_delta_count + type: long + - name: reverse_tunnel_technology + type: keyword + - name: reverse_udp_destination_port + type: integer + - name: reverse_udp_message_length + type: integer + - name: reverse_udp_source_port + type: integer + - name: reverse_union_tcp_flags + type: short + - name: reverse_upper_ci_limit + type: double + - name: reverse_user_name + type: keyword + - name: reverse_value_distribution_method + type: short + - name: reverse_virtual_station_interface_id + type: keyword + - name: reverse_virtual_station_interface_name + type: keyword + - name: reverse_virtual_station_name + type: keyword + - name: reverse_virtual_station_uuid + type: keyword + - name: reverse_vlan_id + type: integer + - name: reverse_vr_fname + type: keyword + - name: reverse_wlan_channel_id + type: short + - name: reverse_wlan_ssid + type: keyword + - name: reverse_wtp_mac_address + type: keyword + - name: rfc3550_jitter_microseconds + type: long + - name: rfc3550_jitter_milliseconds + type: long + - name: rfc3550_jitter_nanoseconds + type: long + - name: rtp_payload_type + type: short + - name: rtp_sequence_number + type: integer + - name: sampler_id + type: short + - name: sampler_mode + type: short + - name: sampler_name + type: keyword + - name: sampler_random_interval + type: long + - name: sampling_algorithm + type: short + - name: 
sampling_flow_interval + type: long + - name: sampling_flow_spacing + type: long + - name: sampling_interval + type: long + - name: sampling_packet_interval + type: long + - name: sampling_packet_space + type: long + - name: sampling_population + type: long + - name: sampling_probability + type: double + - name: sampling_size + type: long + - name: sampling_time_interval + type: long + - name: sampling_time_space + type: long + - name: second_packet_banner + type: keyword + - name: section_exported_octets + type: integer + - name: section_offset + type: integer + - name: selection_sequence_id + type: long + - name: selector_algorithm + type: integer + - name: selector_id + type: long + - name: selector_id_total_flows_observed + type: long + - name: selector_id_total_flows_selected + type: long + - name: selector_id_total_pkts_observed + type: long + - name: selector_id_total_pkts_selected + type: long + - name: selector_name + type: keyword + - name: service_name + type: keyword + - name: session_scope + type: short + - name: silk_app_label + type: integer + - name: small_packet_count + type: long + - name: source_ipv4_address + type: ip + - name: source_ipv4_prefix + type: ip + - name: source_ipv4_prefix_length + type: short + - name: source_ipv6_address + type: ip + - name: source_ipv6_prefix + type: ip + - name: source_ipv6_prefix_length + type: short + - name: source_mac_address + type: keyword + - name: source_transport_port + type: integer + - name: source_transport_ports_limit + type: integer + - name: src_traffic_index + type: long + - name: ssl_cert_serial_number + type: keyword + - name: ssl_cert_signature + type: keyword + - name: ssl_cert_validity_not_after + type: keyword + - name: ssl_cert_validity_not_before + type: keyword + - name: ssl_cert_version + type: short + - name: ssl_certificate_hash + type: keyword + - name: ssl_cipher + type: keyword + - name: ssl_client_version + type: short + - name: ssl_compression_method + type: short + - name: 
ssl_object_type + type: keyword + - name: ssl_object_value + type: keyword + - name: ssl_public_key_algorithm + type: keyword + - name: ssl_public_key_length + type: keyword + - name: ssl_server_cipher + type: long + - name: ssl_server_name + type: keyword + - name: sta_ipv4_address + type: ip + - name: sta_mac_address + type: keyword + - name: standard_deviation_interarrival_time + type: long + - name: standard_deviation_payload_length + type: short + - name: system_init_time_milliseconds + type: date + - name: tcp_ack_total_count + type: long + - name: tcp_acknowledgement_number + type: long + - name: tcp_control_bits + type: integer + - name: tcp_destination_port + type: integer + - name: tcp_fin_total_count + type: long + - name: tcp_header_length + type: short + - name: tcp_options + type: long + - name: tcp_psh_total_count + type: long + - name: tcp_rst_total_count + type: long + - name: tcp_sequence_number + type: long + - name: tcp_source_port + type: integer + - name: tcp_syn_total_count + type: long + - name: tcp_urg_total_count + type: long + - name: tcp_urgent_pointer + type: integer + - name: tcp_window_scale + type: integer + - name: tcp_window_size + type: integer + - name: template_id + type: integer + - name: tftp_filename + type: keyword + - name: tftp_mode + type: keyword + - name: timestamp + type: long + - name: timestamp_absolute_monitoring-interval + type: long + - name: total_length_ipv4 + type: integer + - name: traffic_type + type: short + - name: transport_octet_delta_count + type: long + - name: transport_packet_delta_count + type: long + - name: tunnel_technology + type: keyword + - name: udp_destination_port + type: integer + - name: udp_message_length + type: integer + - name: udp_source_port + type: integer + - name: union_tcp_flags + type: short + - name: upper_ci_limit + type: double + - name: user_name + type: keyword + - name: username + type: keyword + - name: value_distribution_method + type: short + - name: viptela_vpn_id + 
type: long + - name: virtual_station_interface_id + type: short + - name: virtual_station_interface_name + type: keyword + - name: virtual_station_name + type: keyword + - name: virtual_station_uuid + type: short + - name: vlan_id + type: integer + - name: vmware_egress_interface_attr + type: integer + - name: vmware_ingress_interface_attr + type: integer + - name: vmware_tenant_dest_ipv4 + type: ip + - name: vmware_tenant_dest_ipv6 + type: ip + - name: vmware_tenant_dest_port + type: integer + - name: vmware_tenant_protocol + type: short + - name: vmware_tenant_source_ipv4 + type: ip + - name: vmware_tenant_source_ipv6 + type: ip + - name: vmware_tenant_source_port + type: integer + - name: vmware_vxlan_export_role + type: short + - name: vpn_identifier + type: short + - name: vr_fname + type: keyword + - name: waasoptimization_segment + type: short + - name: wlan_channel_id + type: short + - name: wlan_ssid + type: keyword + - name: wtp_mac_address + type: keyword + - name: xlate_destination_address_ip_v4 + type: ip + - name: xlate_destination_port + type: integer + - name: xlate_source_address_ip_v4 + type: ip + - name: xlate_source_port + type: integer diff --git a/packages/endace/data_stream/log/manifest.yml b/packages/endace/data_stream/log/manifest.yml new file mode 100644 index 00000000000..5d7858a7536 --- /dev/null +++ b/packages/endace/data_stream/log/manifest.yml 
@@ -0,0 +1,95 @@ +title: NetFlow logs +type: logs +streams: + - input: netflow + template_path: netflow.yml.hbs + title: Collect NetFlow logs + enabled: false + description: Collect NetFlow logs using the netflow input + vars: + - name: host + type: text + title: UDP host to listen on + multi: false + required: true + show_user: true + default: localhost + - name: port + type: integer + title: UDP port to listen on + multi: false + required: true + show_user: true + default: 2055 + - name: expiration_timeout + type: text + title: Time duration before an idle session or unused template is expired. Valid time units are h, m, s. + multi: false + required: true + show_user: false + default: 30m + - name: internal_networks + type: text + title: Internal Networks + description: List of CIDR ranges describing the IP addresses that is considered internal. This is used in determining the values of `source.locality`, `destination.locality`, and `flow.locality`. The values can be either a CIDR value or one of the named ranges supported by the <> condition. The default value is `[private]` which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal. + multi: true + required: false + show_user: true + - name: queue_size + type: integer + title: Maximum number of packets that can be queued for processing + multi: false + required: true + show_user: false + default: 8192 + - name: read_buffer + type: text + title: Read Buffer Size + description: | + Sets the size of the OS read buffer on the UDP socket in the format KiB/MiB, an example would be: 10KiB. If it is not set, the existing operating system's default value is used. 
+ required: false + show_user: false + - name: custom_definitions + type: text + title: Custom definitions + multi: true + required: false + show_user: false + default: "" + - name: detect_sequence_reset + type: bool + title: Whether to detect sequence reset + multi: false + required: true + show_user: false + default: true + - name: max_message_size + type: text + title: Maximum size of the message received over UDP + multi: false + required: true + show_user: false + default: 10KiB + - name: tags + type: text + title: Tags + multi: true + required: false + show_user: false + default: + - netflow + - forwarded + - name: timeout + type: text + title: Read timeout for socket operations. Valid time units are ns, us, ms, s, m, h. + multi: false + required: false + show_user: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/endace/data_stream/log/sample_event.json b/packages/endace/data_stream/log/sample_event.json new file mode 100644 index 00000000000..6b21d466690 --- /dev/null +++ b/packages/endace/data_stream/log/sample_event.json 
@@ -0,0 +1,123 @@ +{ + "@timestamp": "2018-07-03T10:47:00.000Z", + "agent": { + "ephemeral_id": "305f6431-67ab-4e0f-8805-2b9d97ae3923", + "id": "246fcb7f-fa5e-4375-95d0-e7962f456b94", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.7.1" + }, + "client": { + "bytes": 719, + "packets": 5 + }, + "data_stream": { + "dataset": "endace.log", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "bytes": 0, + "packets": 0 + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "246fcb7f-fa5e-4375-95d0-e7962f456b94", + "snapshot": false, + "version": "8.7.1" + }, + "event": { + "action": "netflow_flow", + "agent_id_status": "verified", + "category": [ + "network", + "session" + ], + "created": "2023-07-19T13:23:37.227Z", + "dataset": "endace.log", + "ingested": "2023-07-19T13:23:38Z", + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "input": { + "type": "netflow" + }, + "netflow": { + "application_id": [ + 3, + 0, + 0, + 80 + ], + "art_client_network_time_sum": 0, + "art_count_late_responses": 0, + "art_count_responses": 0, + "art_count_retransmissions": 0, + "art_count_transactions": 0, + "art_network_time_sum": 0, + "art_response_time_sum": 0, + "art_server_network_time_sum": 0, + "art_server_response_time_maximum": 0, + "art_server_response_time_sum": 0, + "art_total_response_time_sum": 0, + "art_total_transaction_time_sum": 0, + "biflow_direction": 1, + "connection_sum_duration_seconds": 0, + "egress_interface": 13, + "exporter": { + "address": "172.28.0.4:42750", + "source_id": 512, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_sys_up_time": 564184158, + "flow_start_sys_up_time": 564184140, + "ingress_interface": 10, + "ingress_vrfid": 0, + "initiator_octets": 719, + "initiator_packets": 5, + "ip_diff_serv_code_point": 0, + "ip_ttl": 49, + "new_connection_delta_count": 1, + "protocol_identifier": 
6, + "responder_octets": 0, + "responder_packets": 0, + "type": "netflow_flow", + "vlan_id": 0, + "waasoptimization_segment": 16 + }, + "network": { + "bytes": 719, + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "direction": "unknown", + "iana_number": "6", + "packets": 5, + "transport": "tcp" + }, + "observer": { + "ip": [ + "172.28.0.4" + ] + }, + "server": { + "bytes": 0, + "packets": 0 + }, + "source": { + "bytes": 719, + "packets": 5 + }, + "tags": [ + "netflow", + "forwarded" + ] +} diff --git a/packages/endace/docs/README.md b/packages/endace/docs/README.md new file mode 100644 index 00000000000..e0426775db6 --- /dev/null +++ b/packages/endace/docs/README.md 
@@ -0,0 +1,417 @@ +# Endace + +Endace is a company known for its network recording, traffic capture, and analysis technology. Endace's solutions are often used for network security, performance monitoring, and troubleshooting. +This integration allows users to ingest Network flow data from either Endace Flow via syslog input or use Elastic Agent to generate and ship Network Flow data to an Elastic deployment. Both of these methods add the `event.reference` field to each event when ingested into Elasticsearch which is a URL used to pivot to Endace. + + +## Additional Setup + +### Dataview +Once the integration is deployed, in order for the pivot link to be clickable to format for the `event.reference` field needs to be set, this can be done via Kibana Dev Tools and making the following request: +``` +POST kbn:/api/data_views/data_view/logs-*/fields +{ + "fields": { + "event.reference": { + "format":{ + "id": "url" + } + } + } +} +``` + +### IP Reputation +When in Elastic Security users are able to quickly lookup information about IPs from external services, to add Endace as an IP Reputation lookup service run the following in Kibana Dev Tools. Ensure to replace `` with your Endace appliance URL. + +``` +POST kbn:/api/kibana/settings +{"changes":{"securitySolution:ipReputationLinks": """[ + { "name": "Endace", "url_template": "https:///vision2/v1/pivotintovision/?datasources=tag:all&title=Untitled&reltime=12h&sip={{ip}}&tools=conversations_by_ipaddress" }, + { "name": "virustotal.com", "url_template": "https://www.virustotal.com/gui/search/{{ip}}" }, + { "name": "talosIntelligence.com", "url_template": "https://talosintelligence.com/reputation_center/lookup?search={{ip}}" } +]"""}} +``` + + +## Integration Variables +#### `endace_url` +The base URL for Endace UI. Example: https://myvprobe.com + +#### `endace_datasources` +The datasource within Endace to pivot to. Example: tag:rotation-file + +#### `endace_tools` +The tools to use within the Endace Pivot. 
Example: trafficOverTime_by_app,conversations_by_ipaddress + + +#### `endace_lookback` +The lookback time in Minutes of how long to look back over ontop of the event start and finish time. + +## Endace Flow +#### `map_to_ecs` + +Remap any non-ECS Packetbeat fields in root to their correct ECS fields. +This will rename fields that are moved so the fields will not be present +at the root of the document and so any rules that depend on the fields +will need to be updated. + +The legacy behaviour of this option is to not remap to ECS. This behaviour +is still the default, but is deprecated and users are encouraged to set +this option to true. + +ECS remapping may have an impact on workflows that depend on the identity +of non-ECS fields, and users should assess their use of these fields before +making the change. Users who need to retain data collected with the legacy +mappings may need to re-index their older documents. Instructions for doing +this are available [here](https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-reindex.html). +The pipeline used to perform ECS remapping for each data stream can be found +in `Stack Management`›`Ingest Pipelines` and and searching for +"logs-network_traffic compatibility". + +The deprecation and retirement timeline for legacy behavior is available +[here](https://github.com/elastic/integrations/issues/8185). + +#### `enabled` + +The enabled setting is a boolean setting to enable or disable protocols +without having to comment out configuration sections. If set to false, +the protocol is disabled. + +The default value is true. + +#### `ports` + +Exception: For ICMP the option `enabled` has to be used instead. + +The ports where Network Packet Capture will look to capture traffic for specific +protocols. Network Packet Capture installs a +[BPF](https://en.wikipedia.org/wiki/Berkeley_Packet_Filter) filter based +on the ports specified in this section. 
If a packet doesn’t match the +filter, very little CPU is required to discard the packet. Network Packet Capture +also uses the ports specified here to determine which parser to use for +each packet. + +#### `monitor_processes` + +If this option is enabled then network traffic events will be enriched +with information about the process associated with the events. + +The default value is false. + +#### `send_request` + +If this option is enabled, the raw message of the request (`request` +field) is sent to Elasticsearch. The default is false. This option is +useful when you want to index the whole request. Note that for HTTP, the +body is not included by default, only the HTTP headers. + +#### `send_response` + +If this option is enabled, the raw message of the response (`response` +field) is sent to Elasticsearch. The default is false. This option is +useful when you want to index the whole response. Note that for HTTP, +the body is not included by default, only the HTTP headers. + +#### `transaction_timeout` + +The per protocol transaction timeout. Expired transactions will no +longer be correlated to incoming responses, but sent to Elasticsearch +immediately. + +#### `tags` + +A list of tags that will be sent with the transaction event. This +setting is optional. + +#### `processors` + +A list of processors to apply to the data generated by the protocol. + +#### `keep_null` + +If this option is set to true, fields with `null` values will be +published in the output document. By default, `keep_null` is set to +`false`. + + +## Network Flows + +Overall flow information about the network connections on a +host. + +You can configure Network Packet Capture to collect and report statistics +on network flows. A *flow* is a group of packets sent over the same time +period that share common properties, such as the same source and destination +address and protocol. You can use this feature to analyze network +traffic over specific protocols on your network. 
+ +For each flow, Network Packet Capture reports the number of packets and the +total number of bytes sent from the source to the destination. Each flow event +also contains information about the source and destination hosts, such +as their IP address. For bi-directional flows, Network Packet Capture reports +statistics for the reverse flow. + +Network Packet Capture collects and reports statistics up to and including the +transport layer. + +**Configuration options** + +You can specify the following options for capturing flows. + +#### `enabled` + +Enables flows support if set to true. Set to false to disable network +flows support without having to delete or comment out the flows section. +The default value is true. + +#### `timeout` + +Timeout configures the lifetime of a flow. If no packets have been +received for a flow within the timeout time window, the flow is killed +and reported. The default value is 30s. + +#### `period` + +Configure the reporting interval. All flows are reported at the very +same point in time. Periodical reporting can be disabled by setting the +value to -1. If disabled, flows are still reported once being timed out. +The default value is 10s. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| client.bytes | Bytes sent from the client to the server. | long | +| client.geo.city_name | City name. | keyword | +| client.geo.continent_name | Name of the continent. | keyword | +| client.geo.country_iso_code | Country ISO code. | keyword | +| client.geo.country_name | Country name. | keyword | +| client.geo.location | Longitude and latitude. | geo_point | +| client.geo.region_iso_code | Region ISO code. | keyword | +| client.geo.region_name | Region name. | keyword | +| client.ip | IP address of the client (IPv4 or IPv6). | ip | +| client.port | Port of the client. | long | +| client.process.args | The command-line of the process that initiated the transaction. 
| keyword | +| client.process.executable | Absolute path to the client process executable. | keyword | +| client.process.name | The name of the process that initiated the transaction. | keyword | +| client.process.start | The time the client process started. | date | +| client.process.working_directory | The working directory of the client process. | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.geo.city_name | City name. | keyword | +| destination.geo.continent_name | Name of the continent. | keyword | +| destination.geo.country_iso_code | Country ISO code. | keyword | +| destination.geo.country_name | Country name. 
| keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.geo.region_iso_code | Region ISO code. | keyword | +| destination.geo.region_name | Region name. | keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| destination.packets | Packets sent from the destination to the source. | long | +| destination.port | Port of the destination. | long | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | +| event.duration | Duration of the event in nanoseconds. 
If `event.start` and `event.end` are known this value should be the difference between the end and start time. | long | +| event.end | `event.end` contains the date when the event ended or when the activity was last observed. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | +| event.reference | Reference URL linking to additional information about this event. This URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. | keyword | +| event.start | `event.start` contains the date when the event started or when the activity was first observed. | date | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | +| flow.id | Internal flow ID based on connection meta data and address. | keyword | +| flow.vlan | VLAN identifier from the 802.1q frame. 
In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| method | The command/verb/method of the transaction. 
For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | +| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | +| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | +| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. 
| keyword | +| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | +| network_traffic.flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | +| network_traffic.flow.id | Internal flow ID based on connection meta data and address. | keyword | +| network_traffic.flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | +| network_traffic.status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | +| observer.hostname | Hostname of the observer. | keyword | +| observer.ip | IP addresses of the observer. | ip | +| observer.mac | MAC addresses of the observer. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword | +| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | +| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | +| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. 
| keyword | +| process.executable | Absolute path to the process executable. | keyword | +| process.executable.text | Multi-field of `process.executable`. | match_only_text | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.name.text | Multi-field of `process.name`. | match_only_text | +| process.start | The time the process started. | date | +| process.working_directory | The working directory of the process. | keyword | +| process.working_directory.text | Multi-field of `process.working_directory`. | match_only_text | +| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | +| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | +| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | +| server.bytes | Bytes sent from the server to the client. | long | +| server.geo.city_name | City name. | keyword | +| server.geo.continent_name | Name of the continent. | keyword | +| server.geo.country_iso_code | Country ISO code. | keyword | +| server.geo.country_name | Country name. 
| keyword | +| server.geo.location | Longitude and latitude. | geo_point | +| server.geo.region_iso_code | Region ISO code. | keyword | +| server.geo.region_name | Region name. | keyword | +| server.ip | IP address of the server (IPv4 or IPv6). | ip | +| server.port | Port of the server. | long | +| server.process.args | The command-line of the process that served the transaction. | keyword | +| server.process.executable | Absolute path to the server process executable. | keyword | +| server.process.name | The name of the process that served the transaction. | keyword | +| server.process.start | The time the server process started. | date | +| server.process.working_directory | The working directory of the server process. | keyword | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| source.packets | Packets sent from the source to the destination. | long | +| source.port | Port of the source. | long | +| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | +| tags | List of keywords used to tag each event. 
| keyword | +| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | + + +An example event for `flow` looks as following: + +```json +{ + "@timestamp": "2023-10-16T22:40:20.005Z", + "agent": { + "ephemeral_id": "005dde79-7459-4b47-ae00-972086b4f5db", + "id": "f923dfe0-3acb-4f62-9ab4-1fabb8e8e112", + "name": "docker-fleet-agent", + "type": "packetbeat", + "version": "8.6.2" + }, + "data_stream": { + "dataset": "endace.flow", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "bytes": 64, + "ip": "::1", + "packets": 1, + "port": 8000 + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "f923dfe0-3acb-4f62-9ab4-1fabb8e8e112", + "snapshot": false, + "version": "8.6.2" + }, + "event": { + "action": "network_flow", + "agent_id_status": "verified", + "category": [ + "network" + ], + "dataset": "endace.flow", + "duration": 73561, + "end": "2023-10-16T22:39:45.677Z", + "ingested": "2023-10-16T22:40:21Z", + "kind": "event", + "start": "2023-10-16T22:39:45.677Z", + "type": [ + "connection", + "end" + ] + }, + "flow": { + "final": true, + "id": "QAT///////8A////IP8AAAEAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAUAfeMg" + }, + "host": { + "architecture": "x86_64", + "containerized": false, + "hostname": "docker-fleet-agent", + "id": "f91b175388d443fca5c155815dfc2279", + "ip": [ + "172.19.0.7" + ], + "mac": [ + "02-42-AC-13-00-07" + ], + "name": "docker-fleet-agent", + "os": { + "codename": "focal", + "family": "debian", + "kernel": "5.15.49-linuxkit", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "20.04.5 LTS (Focal Fossa)" + } + }, + "network": { + "bytes": 152, + "community_id": "1:5y9AkdbV9U8xqD9dhlj6obkubHg=", + "packets": 2, + "transport": "tcp", + "type": "ipv6" + }, + "source": { + "bytes": 88, + "ip": "::1", + "packets": 1, + "port": 51320 + }, + "type": "flow" +} + +``` + +## Licensing for Windows Systems + +The Network Packet Capture Integration 
incorporates a bundled Npcap installation on Windows hosts. The installation is provided under an [OEM license](https://npcap.com/oem/redist.html) from Insecure.Com LLC ("The Nmap Project"). \ No newline at end of file diff --git a/packages/endace/img/endace-logo.svg b/packages/endace/img/endace-logo.svg new file mode 100644 index 00000000000..ba061f239a1 --- /dev/null +++ b/packages/endace/img/endace-logo.svg @@ -0,0 +1,12 @@ + + + + + + + + \ No newline at end of file diff --git a/packages/endace/img/endace-screenshot-1.png b/packages/endace/img/endace-screenshot-1.png new file mode 100644 index 00000000000..3958c77942d Binary files /dev/null and b/packages/endace/img/endace-screenshot-1.png differ diff --git a/packages/endace/manifest.yml b/packages/endace/manifest.yml new file mode 100644 index 00000000000..962f805a7cc --- /dev/null +++ b/packages/endace/manifest.yml 
@@ -0,0 +1,99 @@ +format_version: 3.0.0 +name: endace +title: "Endace" +version: 0.1.0 +source: + license: "Elastic-2.0" +description: "This Endace integration configures Network Packet Capture for flow generation and adds a pivot field to your Endace platform." +type: integration +categories: + - aws + - cloud + - custom + - network +conditions: + kibana: + version: ^8.6.2 + elastic: + subscription: "basic" +screenshots: + - src: /img/endace-screenshot-1.png + title: Endace + size: 600x600 + type: image/png +icons: + - src: /img/endace-logo.svg + title: Endace logo + size: 128x128 + type: image/svg+xml +vars: + - name: endace_url + type: text + title: Endace UI URL + multi: false + required: true + show_user: true + description: "Base URL for Endace UI. Example: https://myvprobe.com" + - name: endace_datasources + type: text + title: Endace Datasources + description: Datasource within Endace + multi: false + required: true + show_user: false + default: "tag:rotation-file" + - name: endace_tools + type: text + title: Endace Tools + description: Tools within Endace + multi: false + required: true + show_user: false + default: "trafficOverTime_by_app,conversations_by_ipaddress" + - name: endace_lookback + type: text + title: Endace Lookback Time + description: Lookback time in minutes. Example 10 + multi: false + required: true + show_user: false + default: "10" +policy_templates: + - name: endace + title: Endace Flow logs + description: Capture network traffic via Endace Flow or Network Packet Capture + inputs: + - type: packet + title: Capture network traffic + description: Collecting network traffic. Use this if using Endace vProbe + vars: + - name: interface + type: text + title: Interface + required: false + show_user: true + - name: never_install + type: bool + title: Never Install Npcap on Windows + description: |- + On Windows, the Network Packet Capture integration requires an Npcap DLL installation. 
+ This is provided by the integration for users of the Elastic Licenced version. In some + cases users may wish to use their own installed version. In order to allow this, this + option can be used. Setting it to `true` will disable installation of the bundled Npcap + library. + + Note that if there is no Npcap installed the integration will not function, and versions + of the Npcap library other than the bundled version may not provide functionality required + by the integration. + required: false + show_user: false + default: false + - type: netflow + title: Collect Endace Flow logs + description: Collecting Endace Flow logs using the netflow input +agent: + privileges: + root: true +owner: + github: elastic/sec-deployment-and-devices + type: partner diff --git a/packages/endace/validation.yml b/packages/endace/validation.yml new file mode 100644 index 00000000000..9dcaa3b03ff --- /dev/null +++ b/packages/endace/validation.yml @@ -0,0 +1,5 @@ +errors: + exclude_checks: + - SVR00002 # Mandatory filters in dashboards. + - SVR00004 # References in dashboards. + - SVR00005 # Kibana version for saved tags.
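Review bot: the `response` row of the exported fields table in the README hunk describes binary-protocol content as "our representation of the request"; it should read "response" (the `request` row just above it uses the same sentence correctly). Two smaller table typos in the same hunk: `host.os.platform` "Operating system platform (such centos, ubuntu, windows)" is missing "as", and `network.type` "ipv4, ipv6, ipsec, pim, etc The field value" needs a full stop after "etc". The table also lists both `flow.final`/`flow.id`/`flow.vlan` and `network_traffic.flow.final`/`.id`/`.vlan` (and `status` next to `network_traffic.status`) with identical descriptions; if both sets are emitted on purpose, a sentence saying which one the `flow` data stream populates (the sample event only shows `flow.final` and `flow.id`) would save readers a guess. The `send_request`/`send_response` text says the raw message is indexed but does not mention that HTTP headers routinely carry cookies and authorization tokens; since the `processors` option is documented in the same section, pointing readers there for dropping or redacting those fields before indexing would be a useful addition. Finally, the file should end with a newline ("\ No newline at end of file" after the Npcap licensing paragraph).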
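Review bot: in manifest.yml, `endace_lookback` is declared `type: text` although its description ("Lookback time in minutes. Example 10") and default `"10"` are numeric; `type: integer` lets Fleet validate the value instead of leaving non-numeric input to whatever builds the pivot link. The `categories` list (`aws`, `cloud`, `custom`, `network`) is broader than the description supports: the package configures packet and netflow collection for an Endace vProbe, so `aws` and `cloud` look unjustified and `custom` is normally reserved for the generic custom-input packages; trimming the list to `network` keeps the integration discoverable in the right place. `endace_url` is required with no default and is embedded in links, so its description should state whether a trailing slash is expected and what the pivot template appends to it. `agent.privileges.root: true` applies to the whole package, so the `netflow` input also runs as root even though only the `packet` input needs it for capture; if the spec offers no per-input privilege, the README should at least say why root is required. Minor: "Elastic Licenced version" in the `never_install` description should be "Licensed", and `owner.type: partner` paired with `owner.github: elastic/sec-deployment-and-devices` looks inconsistent, so confirm which is intended.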
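Review bot: the three excluded checks in validation.yml carry only the check name as justification; SVR00002 ("Mandatory filters in dashboards") is the one that keeps dashboards scoped to this package's data streams, so either add the missing filter to the dashboards and drop that exclusion, or extend the comment with the reason the dashboards cannot carry it. The same applies to SVR00004 and SVR00005: a short reason or a link to the tracking issue next to each exclusion lets the next maintainer know when they can be removed.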