From 556edb99718a947e3e88b68d30af6e280f7da518 Mon Sep 17 00:00:00 2001 From: Marius Iversen Date: Fri, 22 Nov 2024 15:42:57 +0100 Subject: [PATCH] [Rules migration] Adding initial implementation of integration RAG (#200922) ## Summary This is part 1 of a 2-3 part PR. This involes the initial implementation of the integration RAG, while part 2 focuses on prompt tuning, and a potential part 3 is the change from local JSON file to EPR client and further tuning of prompts and search result ranking. The change introduces a new feature to the rule migration, enriching the current graph implementation with metadata from available integrations, allowing us to currently choose the correct index patterns needed if a relevant integration is found. Changes in the PR: - Introduction of the `integration data client`, which might later be moved under resource. - Moving` translate_rule` node to its own subgraph, then divided into multiple nodes to support the RAG search step. - The creation and population of the index used to store the integration metadata, together with the `semantic_text` mapping used by the default included ELSER model. - Updates to `elastic_rule` type, to include the integration ID's and index patterns. ## Example finished task: ```json [ { "migration_id": "3d4cae35-eb8d-49fe-960a-2ef17bc026c6", "original_rule": { "id": "f8c325ea-506e-4105-8ccf-da1492e90115", "vendor": "splunk", "title": "Linux Auditd Add User Account Type", "description": "The following analytic detects the suspicious add user account type. This behavior is critical for a SOC to monitor because it may indicate attempts to gain unauthorized access or maintain control over a system. Such actions could be signs of malicious activity. If confirmed, this could lead to serious consequences, including a compromised system, unauthorized access to sensitive data, or even a wider breach affecting the entire network. Detecting and responding to these signs early is essential to prevent potential security incidents.", "query": "sourcetype=\"linux:audit\" type=ADD_USER \n| rename hostname as dest \n| stats count min(_time) as firstTime max(_time) as lastTime by exe pid dest res UID type \n| `security_content_ctime(firstTime)` \n| `security_content_ctime(lastTime)`\n| search *", "query_language": "spl", "mitre_attack_ids": [ "T1136" ] }, "@timestamp": "2024-11-21T11:37:10.548Z", "status": "completed", "created_by": "elastic", "updated_at": "2024-11-21T11:38:01.397Z", "updated_by": "elastic", "comments": [ "## Migration Summary\n\n1. Source selection:\n - The original SPL query used `sourcetype=\"linux:audit\"`. In the ES|QL query, we're using the provided index patterns that include logs related to system audit and auditd.\n\n2. Event type filtering:\n - The SPL query filtered for `type=ADD_USER`. In ES|QL, we use `WHERE event.type == \"ADD_USER\"` to achieve the same filtering.\n\n3. Field renaming:\n - The SPL query renamed `hostname` to `dest`. In ES|QL, we use the `RENAME` command to rename `host.hostname` to `dest`, assuming the ECS field mapping.\n\n4. Statistics calculation:\n - The SPL query used `stats` to calculate count, min(_time), and max(_time). In ES|QL, we use the `STATS` command with `COUNT(*)`, `MIN(@timestamp)`, and `MAX(@timestamp)` to achieve similar results.\n - The grouping fields are adjusted to match ECS field names:\n - `exe` -> `process.executable`\n - `pid` -> `process.pid`\n - `dest` remains the same (after renaming)\n - `res` -> `event.outcome`\n - `UID` -> `user.id`\n - `type` -> `event.type`\n\n5. Time conversion:\n - The SPL query used `security_content_ctime` function for time conversion. In ES|QL, we use the `EVAL` command with `TO_DATETIME` function to convert the `firstTime` and `lastTime` fields to datetime format.\n\n6. Additional notes:\n - The `search *` at the end of the SPL query is not necessary in ES|QL as it doesn't change the result set.\n - The ES|QL query assumes that the `@timestamp` field is used for event timestamps, which is standard in ECS.\n\nThis ES|QL query should provide equivalent functionality to the original Splunk query, adapted for Elastic Security and using ECS field names where appropriate." ], "translation_result": "full", "elastic_rule": { "severity": "low", "query": "FROM logs-system_audit.package-* logs-endpoint.events.api-* logs-endpoint.events.file-* logs-endpoint.events.library-* logs-endpoint.events.network-* logs-endpoint.events.process-* logs-endpoint.events.registry-* logs-endpoint.events.security-* logs-auditd.log-*\n| WHERE event.type == \"ADD_USER\"\n| RENAME host.hostname AS dest\n| STATS count = COUNT(*), firstTime = MIN(@timestamp), lastTime = MAX(@timestamp) BY process.executable, process.pid, dest, event.outcome, user.id, event.type\n| EVAL firstTime = TO_DATETIME(firstTime), lastTime = TO_DATETIME(lastTime)", "description": "The following analytic detects the suspicious add user account type. This behavior is critical for a SOC to monitor because it may indicate attempts to gain unauthorized access or maintain control over a system. Such actions could be signs of malicious activity. If confirmed, this could lead to serious consequences, including a compromised system, unauthorized access to sensitive data, or even a wider breach affecting the entire network. Detecting and responding to these signs early is essential to prevent potential security incidents.", "index_patterns": [ "logs-system_audit.package-*", "logs-endpoint.events.api-*", "logs-endpoint.events.file-*", "logs-endpoint.events.library-*", "logs-endpoint.events.network-*", "logs-endpoint.events.process-*", "logs-endpoint.events.registry-*", "logs-endpoint.events.security-*", "logs-auditd.log-*" ], "query_language": "esql", "title": "Linux Auditd Add User Account Type", "integration_ids": [ "system_audit", "endpoint", "auditd" ] }, "_id": "8eKDTpMBwtRPKDL_CLKW" }, { "migration_id": "3d4cae35-eb8d-49fe-960a-2ef17bc026c6", "original_rule": { "id": "7b87c556-0ca4-47e0-b84c-6cd62a0a3e90", "vendor": "splunk", "title": "Linux Auditd Change File Owner To Root", "description": "The following analytic detects the use of the 'chown' command to change a file owner to 'root' on a Linux system. It leverages Linux Auditd telemetry, specifically monitoring command-line executions and process details. This activity is significant as it may indicate an attempt to escalate privileges by adversaries, malware, or red teamers. If confirmed malicious, this action could allow an attacker to gain root-level access, leading to full control over the compromised host and potential persistence within the environment.", "query": "`linux_auditd` `linux_auditd_normalized_proctitle_process`\r\n| rename host as dest \r\n| where LIKE (process_exec, \"%chown %root%\") \r\n| stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest \r\n| `security_content_ctime(firstTime)` \r\n| `security_content_ctime(lastTime)`\r\n| `linux_auditd_change_file_owner_to_root_filter`", "query_language": "spl", "mitre_attack_ids": [ "T1222" ] }, "@timestamp": "2024-11-21T11:37:10.548Z", "status": "completed", "created_by": "elastic", "updated_at": "2024-11-21T11:38:04.527Z", "updated_by": "elastic", "comments": [ "## Migration Summary\n\n1. Source selection:\n - The original SPL query used `linux_auditd` and `linux_auditd_normalized_proctitle_process` macros. In ES|QL, we're using the recommended index patterns for Elastic Endpoint Security events.\n\n2. Field mapping:\n - `host` was renamed to `dest` in the original query. In ECS, we use `host.name`.\n - `process_exec` is mapped to `process.executable` in ECS.\n - `proctitle` and `normalized_proctitle_delimiter` are combined into `process.command_line` in ECS.\n - `_time` is replaced with `@timestamp` in ECS.\n\n3. Filtering:\n - The `LIKE` function is used in ES|QL, which is equivalent to the SPL `LIKE` function.\n - We're checking for \"chown\" in the process executable and \"root\" in the process arguments.\n\n4. Statistics:\n - The `STATS` command in ES|QL is similar to SPL's `stats` command.\n - We use `COUNT(*)`, `MIN(@timestamp)`, and `MAX(@timestamp)` for the count, firstTime, and lastTime respectively.\n - The `BY` clause groups the results by the relevant fields.\n\n5. Sorting:\n - Added a `SORT` command to order the results by count in descending order, which wasn't in the original query but is useful for identifying the most frequent occurrences.\n\n6. Removed:\n - The `security_content_ctime` function calls were removed as they are specific to Splunk. ES|QL uses the native datetime format.\n - The `linux_auditd_change_file_owner_to_root_filter` macro was not included as we don't have an equivalent in ES|QL. If there are specific filters in this macro, they would need to be added explicitly to the query.\n\nThis ES|QL query will detect the use of the 'chown' command to change a file owner to 'root' on a Linux system, using Elastic Endpoint Security events. It groups the results by the process details and host name, providing a count of occurrences and the first and last times the event was observed." ], "translation_result": "full", "elastic_rule": { "severity": "low", "query": "FROM logs-endpoint.events.api-* logs-endpoint.events.file-* logs-endpoint.events.library-* logs-endpoint.events.network-* logs-endpoint.events.process-* logs-endpoint.events.registry-* logs-endpoint.events.security-*\n| WHERE process.executable LIKE \"%chown%\" AND process.args LIKE \"%root%\"\n| STATS count = COUNT(*), firstTime = MIN(@timestamp), lastTime = MAX(@timestamp) BY process.executable, \n process.command_line, \n process.args, \n host.name\n| SORT count DESC", "description": "The following analytic detects the use of the 'chown' command to change a file owner to 'root' on a Linux system. It leverages Linux Auditd telemetry, specifically monitoring command-line executions and process details. This activity is significant as it may indicate an attempt to escalate privileges by adversaries, malware, or red teamers. If confirmed malicious, this action could allow an attacker to gain root-level access, leading to full control over the compromised host and potential persistence within the environment.", "index_patterns": [ "logs-endpoint.events.api-*", "logs-endpoint.events.file-*", "logs-endpoint.events.library-*", "logs-endpoint.events.network-*", "logs-endpoint.events.process-*", "logs-endpoint.events.registry-*", "logs-endpoint.events.security-*" ], "query_language": "esql", "title": "Linux Auditd Change File Owner To Root", "integration_ids": [ "endpoint" ] }, "_id": "8uKDTpMBwtRPKDL_CLKW" } ] ``` ## Testing locally Enable the flag ``` xpack.securitySolution.enableExperimental: ['siemMigrationsEnabled'] ``` Create the rule migration, add relevant macro resources and initiate the task. cURL request examples:
Rules migration `create` POST request ``` curl --location --request POST 'http://elastic:changeme@localhost:5601/internal/siem_migrations/rules' \ --header 'kbn-xsrf;' \ --header 'x-elastic-internal-origin: security-solution' \ --header 'elastic-api-version: 1' \ --header 'Content-Type: application/json' \ --data '[ { "id": "f8c325ea-506e-4105-8ccf-da1492e90115", "vendor": "splunk", "title": "Linux Auditd Add User Account Type", "description": "The following analytic detects the suspicious add user account type. This behavior is critical for a SOC to monitor because it may indicate attempts to gain unauthorized access or maintain control over a system. Such actions could be signs of malicious activity. If confirmed, this could lead to serious consequences, including a compromised system, unauthorized access to sensitive data, or even a wider breach affecting the entire network. Detecting and responding to these signs early is essential to prevent potential security incidents.", "query": "sourcetype=\"linux:audit\" type=ADD_USER \n| rename hostname as dest \n| stats count min(_time) as firstTime max(_time) as lastTime by exe pid dest res UID type \n| `security_content_ctime(firstTime)` \n| `security_content_ctime(lastTime)`\n| search *", "query_language":"spl", "mitre_attack_ids": [ "T1136" ] }, { "id": "7b87c556-0ca4-47e0-b84c-6cd62a0a3e90", "vendor": "splunk", "title": "Linux Auditd Change File Owner To Root", "description": "The following analytic detects the use of the '\''chown'\'' command to change a file owner to '\''root'\'' on a Linux system. It leverages Linux Auditd telemetry, specifically monitoring command-line executions and process details. This activity is significant as it may indicate an attempt to escalate privileges by adversaries, malware, or red teamers. If confirmed malicious, this action could allow an attacker to gain root-level access, leading to full control over the compromised host and potential persistence within the environment.", "query": "`linux_auditd` `linux_auditd_normalized_proctitle_process`\r\n| rename host as dest \r\n| where LIKE (process_exec, \"%chown %root%\") \r\n| stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest \r\n| `security_content_ctime(firstTime)` \r\n| `security_content_ctime(lastTime)`\r\n| `linux_auditd_change_file_owner_to_root_filter`", "query_language": "spl", "mitre_attack_ids": [ "T1222" ] } ]' ```
Add resources to migration ID - Assuming the connector `azureOpenAiGPT4o` is already created in the local environment. - Using the {{`migration_id`}} from the first POST request response ``` curl --location --request POST 'http://elastic:changeme@localhost:5601/internal/siem_migrations/rules/{{migration_id}}/respirces' \ --header 'kbn-xsrf;' \ --header 'x-elastic-internal-origin: security-solution' \ --header 'elastic-api-version: 1' \ --header 'Content-Type: application/json' \ --data '[ { "type": "macro", "name": "security_content_ctime", "content": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)" }, { "type": "macro", "name": "linux_auditd_add_user_account_type_filter", "content": "search *" }, { "type": "macro", "name": "linux_auditd", "content": "sourcetype=\"linux:audit\"" }, { "type": "macro", "name": "linux_auditd_change_file_owner_to_root_filter", "content": "search *" } ]' ```
Rules migration `start` task request - Assuming the connector `azureOpenAiGPT4o` is already created in the local environment. - Using the {{`migration_id`}} from the first POST request response ``` curl --location --request PUT 'http://elastic:changeme@localhost:5601/internal/siem_migrations/rules/{{migration_id}}/start' \ --header 'kbn-xsrf;' \ --header 'x-elastic-internal-origin: security-solution' \ --header 'elastic-api-version: 1' \ --header 'Content-Type: application/json' \ --data '{ "connectorId": "azureOpenAiGPT4o" }' ```
--- .../model/rule_migration.gen.ts | 4 + .../model/rule_migration.schema.yaml | 5 + .../lib/siem_migrations/rules/api/create.ts | 4 +- .../rules/data/__mocks__/mocks.ts | 5 + .../rules/data/integrations_temp.json | 6881 +++++++++++++++++ .../data/rule_migrations_data_base_client.ts | 2 +- .../rules/data/rule_migrations_data_client.ts | 10 +- ...ule_migrations_data_integrations_client.ts | 89 + .../data/rule_migrations_data_service.test.ts | 29 +- .../data/rule_migrations_data_service.ts | 12 +- .../rules/data/rule_migrations_field_maps.ts | 12 + .../siem_migrations/rules/task/agent/graph.ts | 10 +- .../prompts/replace_resources_prompt.ts | 83 - .../agent/sub_graphs/translate_rule/graph.ts | 53 + .../translate_rule}/index.ts | 3 +- .../nodes/process_query/index.ts | 7 + .../nodes/process_query/process_query.ts | 34 + .../nodes/process_query/prompts.ts | 123 + .../nodes/retrieve_integrations/index.ts | 7 + .../nodes/retrieve_integrations/prompts.ts | 48 + .../retrieve_integrations.ts | 44 + .../esql_knowledge_base_caller.ts | 0 .../nodes/translate_rule/index.ts | 7 + .../nodes/translate_rule/prompts.ts} | 11 +- .../nodes/translate_rule/translate_rule.ts} | 34 +- .../agent/sub_graphs/translate_rule/state.ts | 48 + .../agent/sub_graphs/translate_rule/types.ts | 25 + .../siem_migrations/rules/task/agent/types.ts | 4 +- .../rules/task/rule_migrations_task_client.ts | 15 +- .../task/util/integration_retriever.test.ts | 38 + .../rules/task/util/integration_retriever.ts | 23 + .../server/lib/siem_migrations/rules/types.ts | 8 + 32 files changed, 7542 insertions(+), 136 deletions(-) create mode 100644 x-pack/plugins/security_solution/server/lib/siem_migrations/rules/data/integrations_temp.json create mode 100644 x-pack/plugins/security_solution/server/lib/siem_migrations/rules/data/rule_migrations_data_integrations_client.ts delete mode 100644 x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/nodes/translate_query/prompts/replace_resources_prompt.ts create mode 100644 x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/graph.ts rename x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/{nodes/translate_query => sub_graphs/translate_rule}/index.ts (81%) create mode 100644 x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/process_query/index.ts create mode 100644 x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/process_query/process_query.ts create mode 100644 x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/process_query/prompts.ts create mode 100644 x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/retrieve_integrations/index.ts create mode 100644 x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/retrieve_integrations/prompts.ts create mode 100644 x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/retrieve_integrations/retrieve_integrations.ts rename x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/{nodes/translate_query => sub_graphs/translate_rule/nodes/translate_rule}/esql_knowledge_base_caller.ts (100%) create mode 100644 x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/translate_rule/index.ts rename x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/{nodes/translate_query/prompts/esql_translation_prompt.ts => sub_graphs/translate_rule/nodes/translate_rule/prompts.ts} (85%) rename x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/{nodes/translate_query/translate_query.ts => sub_graphs/translate_rule/nodes/translate_rule/translate_rule.ts} (61%) create mode 100644 x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/state.ts create mode 100644 x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/types.ts create mode 100644 x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/util/integration_retriever.test.ts create mode 100644 x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/util/integration_retriever.ts diff --git a/x-pack/plugins/security_solution/common/siem_migrations/model/rule_migration.gen.ts b/x-pack/plugins/security_solution/common/siem_migrations/model/rule_migration.gen.ts index 0554ef18a13f7..38d7e2c4584bb 100644 --- a/x-pack/plugins/security_solution/common/siem_migrations/model/rule_migration.gen.ts +++ b/x-pack/plugins/security_solution/common/siem_migrations/model/rule_migration.gen.ts @@ -88,6 +88,10 @@ export const ElasticRule = z.object({ * The Elastic prebuilt rule id matched. */ prebuilt_rule_id: NonEmptyString.optional(), + /** + * The Elastic integration IDs related to the rule. + */ + integration_ids: z.array(z.string()).optional(), /** * The Elastic rule id installed as a result. */ diff --git a/x-pack/plugins/security_solution/common/siem_migrations/model/rule_migration.schema.yaml b/x-pack/plugins/security_solution/common/siem_migrations/model/rule_migration.schema.yaml index 95ff05df39a15..552d192a641f3 100644 --- a/x-pack/plugins/security_solution/common/siem_migrations/model/rule_migration.schema.yaml +++ b/x-pack/plugins/security_solution/common/siem_migrations/model/rule_migration.schema.yaml @@ -73,6 +73,11 @@ components: prebuilt_rule_id: description: The Elastic prebuilt rule id matched. $ref: './common.schema.yaml#/components/schemas/NonEmptyString' + integration_ids: + type: array + items: + type: string + description: The Elastic integration IDs related to the rule. id: description: The Elastic rule id installed as a result. $ref: './common.schema.yaml#/components/schemas/NonEmptyString' diff --git a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/api/create.ts b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/api/create.ts index a937560842f74..21a17bb7834a1 100644 --- a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/api/create.ts +++ b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/api/create.ts @@ -8,11 +8,11 @@ import type { IKibanaResponse, Logger } from '@kbn/core/server'; import { buildRouteValidationWithZod } from '@kbn/zod-helpers'; import { v4 as uuidV4 } from 'uuid'; +import { SIEM_RULE_MIGRATIONS_PATH } from '../../../../../common/siem_migrations/constants'; import { CreateRuleMigrationRequestBody, type CreateRuleMigrationResponse, } from '../../../../../common/siem_migrations/model/api/rules/rule_migration.gen'; -import { SIEM_RULE_MIGRATIONS_PATH } from '../../../../../common/siem_migrations/constants'; import type { SecuritySolutionPluginRouter } from '../../../../types'; import type { CreateRuleMigrationInput } from '../data/rule_migrations_data_rules_client'; import { withLicense } from './util/with_license'; @@ -47,7 +47,7 @@ export const registerSiemRuleMigrationsCreateRoute = ( migration_id: migrationId, original_rule: originalRule, })); - + await ruleMigrationsClient.data.integrations.create(); await ruleMigrationsClient.data.rules.create(ruleMigrations); return res.ok({ body: { migration_id: migrationId } }); diff --git a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/data/__mocks__/mocks.ts b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/data/__mocks__/mocks.ts index 34e68d8a47369..d8dc1bb168a72 100644 --- a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/data/__mocks__/mocks.ts +++ b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/data/__mocks__/mocks.ts @@ -32,10 +32,15 @@ export const MockRuleMigrationsDataResourcesClient = jest .fn() .mockImplementation(() => mockRuleMigrationsDataResourcesClient); +export const mockRuleMigrationsDataIntegrationsClient = { + retrieveIntegrations: jest.fn().mockResolvedValue([]), +}; + // Rule migrations data client export const mockRuleMigrationsDataClient = { rules: mockRuleMigrationsDataRulesClient, resources: mockRuleMigrationsDataResourcesClient, + integrations: mockRuleMigrationsDataIntegrationsClient, }; export const MockRuleMigrationsDataClient = jest diff --git a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/data/integrations_temp.json b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/data/integrations_temp.json new file mode 100644 index 0000000000000..9c312bb38e3d6 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/data/integrations_temp.json @@ -0,0 +1,6881 @@ +[ + { + "title": "Containerd", + "id": "containerd", + "description": "Collect metrics from containerd containers.", + "data_streams": [ + { + "dataset": "memory", + "index_pattern": "logs-containerd.memory-*", + "title": "Containerd memory metrics" + }, + { + "dataset": "blkio", + "index_pattern": "logs-containerd.blkio-*", + "title": "Containerd blkio metrics" + }, + { + "dataset": "cpu", + "index_pattern": "logs-containerd.cpu-*", + "title": "Containerd cpu metrics" + } + ], + "elser_embedding": "Containerd - Collect metrics from containerd containers. - Containerd memory metrics Containerd blkio metrics Containerd cpu metrics" + }, + { + "title": "Google Santa", + "id": "santa", + "description": "Collect logs from Google Santa with Elastic Agent.", + "data_streams": [ + { + "dataset": "log", + "index_pattern": "logs-santa.log-*", + "title": "Google Santa log logs" + } + ], + "elser_embedding": "Google Santa - Collect logs from Google Santa with Elastic Agent. - Google Santa log logs" + }, + { + "title": "Keycloak", + "id": "keycloak", + "description": "Collect logs from Keycloak with Elastic Agent.", + "data_streams": [ + { + "dataset": "log", + "index_pattern": "logs-keycloak.log-*", + "title": "Keycloak" + } + ], + "elser_embedding": "Keycloak - Collect logs from Keycloak with Elastic Agent. - Keycloak" + }, + { + "title": "Infoblox NIOS", + "id": "infoblox_nios", + "description": "Collect logs from Infoblox NIOS with Elastic Agent.", + "data_streams": [ + { + "dataset": "log", + "index_pattern": "logs-infoblox_nios.log-*", + "title": "Infoblox NIOS logs" + } + ], + "elser_embedding": "Infoblox NIOS - Collect logs from Infoblox NIOS with Elastic Agent. - Infoblox NIOS logs" + }, + { + "title": "LastPass", + "id": "lastpass", + "description": "Collect logs from LastPass with Elastic Agent.", + "data_streams": [ + { + "dataset": "detailed_shared_folder", + "index_pattern": "logs-lastpass.detailed_shared_folder-*", + "title": "Collect Detailed Shared Folder logs from LastPass" + }, + { + "dataset": "user", + "index_pattern": "logs-lastpass.user-*", + "title": "Collect User logs from LastPass" + }, + { + "dataset": "event_report", + "index_pattern": "logs-lastpass.event_report-*", + "title": "Collect Event Report logs from LastPass" + } + ], + "elser_embedding": "LastPass - Collect logs from LastPass with Elastic Agent. - Collect Detailed Shared Folder logs from LastPass Collect User logs from LastPass Collect Event Report logs from LastPass" + }, + { + "title": "IBM MQ", + "id": "ibmmq", + "description": "Collect logs and metrics from IBM MQ with Elastic Agent.", + "data_streams": [ + { + "dataset": "qmgr", + "index_pattern": "logs-ibmmq.qmgr-*", + "title": "IBM MQ Queue Manager performance metrics" + }, + { + "dataset": "errorlog", + "index_pattern": "logs-ibmmq.errorlog-*", + "title": "IBM MQ Error logs" + } + ], + "elser_embedding": "IBM MQ - Collect logs and metrics from IBM MQ with Elastic Agent. - IBM MQ Queue Manager performance metrics IBM MQ Error logs" + }, + { + "title": "Jamf Protect", + "id": "jamf_protect", + "description": "Receives events from Jamf Protect with Elastic Agent.", + "data_streams": [ + { + "dataset": "web_traffic_events", + "index_pattern": "logs-jamf_protect.web_traffic_events-*", + "title": "Receives Web Traffic Events from Jamf Protect with Elastic Agent." + }, + { + "dataset": "telemetry_legacy", + "index_pattern": "logs-jamf_protect.telemetry_legacy-*", + "title": "Jamf Protect Telemetry (Legacy)." + }, + { + "dataset": "web_threat_events", + "index_pattern": "logs-jamf_protect.web_threat_events-*", + "title": "Receives Web Threat Events from Jamf Protect with Elastic Agent." + }, + { + "dataset": "telemetry", + "index_pattern": "logs-jamf_protect.telemetry-*", + "title": "Receives Telemetry from Jamf Protect with Elastic Agent." + }, + { + "dataset": "alerts", + "index_pattern": "logs-jamf_protect.alerts-*", + "title": "Receives Alerts from Jamf Protect with Elastic Agent." + } + ], + "elser_embedding": "Jamf Protect - Receives events from Jamf Protect with Elastic Agent. - Receives Web Traffic Events from Jamf Protect with Elastic Agent. Jamf Protect Telemetry (Legacy). Receives Web Threat Events from Jamf Protect with Elastic Agent. Receives Telemetry from Jamf Protect with Elastic Agent. Receives Alerts from Jamf Protect with Elastic Agent." + }, + { + "title": "Sysmon for Linux", + "id": "sysmon_linux", + "description": "Collect Sysmon Linux logs with Elastic Agent.", + "data_streams": [ + { + "dataset": "log", + "index_pattern": "logs-sysmon_linux.log-*", + "title": "Sysmon for Linux logs" + } + ], + "elser_embedding": "Sysmon for Linux - Collect Sysmon Linux logs with Elastic Agent. - Sysmon for Linux logs" + }, + { + "title": "Trend Micro Deep Security", + "id": "trendmicro", + "description": "Collect logs from Trend Micro Deep Security with Elastic Agent.", + "data_streams": [ + { + "dataset": "deep_security", + "index_pattern": "logs-trendmicro.deep_security-*", + "title": "Collect logs from Trend Micro Deep Security" + } + ], + "elser_embedding": "Trend Micro Deep Security - Collect logs from Trend Micro Deep Security with Elastic Agent. - Collect logs from Trend Micro Deep Security" + }, + { + "title": "HAProxy", + "id": "haproxy", + "description": "Collect logs and metrics from HAProxy servers with Elastic Agent.", + "data_streams": [ + { + "dataset": "info", + "index_pattern": "logs-haproxy.info-*", + "title": "HAProxy info metrics" + }, + { + "dataset": "stat", + "index_pattern": "logs-haproxy.stat-*", + "title": "HAProxy stat metrics" + }, + { + "dataset": "log", + "index_pattern": "logs-haproxy.log-*", + "title": "HAProxy logs" + } + ], + "elser_embedding": "HAProxy - Collect logs and metrics from HAProxy servers with Elastic Agent. - HAProxy info metrics HAProxy stat metrics HAProxy logs" + }, + { + "title": "ESET Threat Intelligence", + "id": "ti_eset", + "description": "Ingest threat intelligence indicators from ESET Threat Intelligence with Elastic Agent.", + "data_streams": [ + { + "dataset": "cc", + "index_pattern": "logs-ti_eset.cc-*", + "title": "Botnet C&C" + }, + { + "dataset": "url", + "index_pattern": "logs-ti_eset.url-*", + "title": "URL" + }, + { + "dataset": "domains", + "index_pattern": "logs-ti_eset.domains-*", + "title": "Domain" + }, + { + "dataset": "files", + "index_pattern": "logs-ti_eset.files-*", + "title": "Malicious files" + }, + { + "dataset": "apt", + "index_pattern": "logs-ti_eset.apt-*", + "title": "APT" + }, + { + "dataset": "ip", + "index_pattern": "logs-ti_eset.ip-*", + "title": "IP" + }, + { + "dataset": "botnet", + "index_pattern": "logs-ti_eset.botnet-*", + "title": "Botnet" + } + ], + "elser_embedding": "ESET Threat Intelligence - Ingest threat intelligence indicators from ESET Threat Intelligence with Elastic Agent. - Botnet C&C URL Domain Malicious files APT IP Botnet" + }, + { + "title": "Lyve Cloud", + "id": "lyve_cloud", + "description": "Collect S3 API audit log from Lyve Cloud with Elastic Agent.", + "data_streams": [ + { + "dataset": "audit", + "index_pattern": "logs-lyve_cloud.audit-*", + "title": "Lyve Cloud logs" + } + ], + "elser_embedding": "Lyve Cloud - Collect S3 API audit log from Lyve Cloud with Elastic Agent. - Lyve Cloud logs" + }, + { + "title": "Tanium", + "id": "tanium", + "description": "This Elastic integration collects logs from Tanium with Elastic Agent.", + "data_streams": [ + { + "dataset": "discover", + "index_pattern": "logs-tanium.discover-*", + "title": "Collect Tanium Discover logs from Tanium" + }, + { + "dataset": "threat_response", + "index_pattern": "logs-tanium.threat_response-*", + "title": "Collect Threat Response logs from Tanium." + }, + { + "dataset": "client_status", + "index_pattern": "logs-tanium.client_status-*", + "title": "Client Status" + }, + { + "dataset": "reporting", + "index_pattern": "logs-tanium.reporting-*", + "title": "Reporting" + }, + { + "dataset": "action_history", + "index_pattern": "logs-tanium.action_history-*", + "title": "Collect Action History logs from Tanium." + }, + { + "dataset": "endpoint_config", + "index_pattern": "logs-tanium.endpoint_config-*", + "title": "Collect Endpoint Config logs from Tanium" + } + ], + "elser_embedding": "Tanium - This Elastic integration collects logs from Tanium with Elastic Agent. - Collect Tanium Discover logs from Tanium Collect Threat Response logs from Tanium. Client Status Reporting Collect Action History logs from Tanium. Collect Endpoint Config logs from Tanium" + }, + { + "title": "SonicWall Firewall", + "id": "sonicwall_firewall", + "description": "Integration for SonicWall firewall logs", + "data_streams": [ + { + "dataset": "log", + "index_pattern": "logs-sonicwall_firewall.log-*", + "title": "SonicWall Firewall logs" + } + ], + "elser_embedding": "SonicWall Firewall - Integration for SonicWall firewall logs - SonicWall Firewall logs" + }, + { + "title": "STAN", + "id": "stan", + "description": "Collect logs and metrics from STAN servers with Elastic Agent.", + "data_streams": [ + { + "dataset": "stats", + "index_pattern": "logs-stan.stats-*", + "title": "Stan stats metrics" + }, + { + "dataset": "subscriptions", + "index_pattern": "logs-stan.subscriptions-*", + "title": "Stan subscriptions metrics" + }, + { + "dataset": "channels", + "index_pattern": "logs-stan.channels-*", + "title": "Stan channels metrics" + }, + { + "dataset": "log", + "index_pattern": "logs-stan.log-*", + "title": "STAN logs" + } + ], + "elser_embedding": "STAN - Collect logs and metrics from STAN servers with Elastic Agent. - Stan stats metrics Stan subscriptions metrics Stan channels metrics STAN logs" + }, + { + "title": "Amazon Bedrock", + "id": "aws_bedrock", + "description": "Collect Amazon Bedrock model invocation logs and runtime metrics with Elastic Agent.", + "data_streams": [ + { + "dataset": "runtime", + "index_pattern": "logs-aws_bedrock.runtime-*", + "title": "Amazon Bedrock Runtime Metrics" + }, + { + "dataset": "invocation", + "index_pattern": "logs-aws_bedrock.invocation-*", + "title": "Amazon Bedrock model invocation logs" + } + ], + "elser_embedding": "Amazon Bedrock - Collect Amazon Bedrock model invocation logs and runtime metrics with Elastic Agent. - Amazon Bedrock Runtime Metrics Amazon Bedrock model invocation logs" + }, + { + "title": "Microsoft M365 Defender", + "id": "m365_defender", + "description": "Collect logs from Microsoft M365 Defender with Elastic Agent.", + "data_streams": [ + { + "dataset": "alert", + "index_pattern": "logs-m365_defender.alert-*", + "title": "Collect Alert logs from Microsoft 365 Defender" + }, + { + "dataset": "log", + "index_pattern": "logs-m365_defender.log-*", + "title": "M365 Defender Logs" + }, + { + "dataset": "incident", + "index_pattern": "logs-m365_defender.incident-*", + "title": "Collect Incident logs from Microsoft 365 Defender" + }, + { + "dataset": "event", + "index_pattern": "logs-m365_defender.event-*", + "title": "Collect Event logs from Microsoft 365 Defender." + } + ], + "elser_embedding": "Microsoft M365 Defender - Collect logs from Microsoft M365 Defender with Elastic Agent. - Collect Alert logs from Microsoft 365 Defender M365 Defender Logs Collect Incident logs from Microsoft 365 Defender Collect Event logs from Microsoft 365 Defender." + }, + { + "title": "NATS", + "id": "nats", + "description": "Collect logs and metrics from NATS servers with Elastic Agent.", + "data_streams": [ + { + "dataset": "stats", + "index_pattern": "logs-nats.stats-*", + "title": "NATS stats metrics" + }, + { + "dataset": "route", + "index_pattern": "logs-nats.route-*", + "title": "NATS route metrics" + }, + { + "dataset": "connection", + "index_pattern": "logs-nats.connection-*", + "title": "NATS connection metrics" + }, + { + "dataset": "subscriptions", + "index_pattern": "logs-nats.subscriptions-*", + "title": "NATS subscriptions metrics" + }, + { + "dataset": "log", + "index_pattern": "logs-nats.log-*", + "title": "NATS logs" + }, + { + "dataset": "routes", + "index_pattern": "logs-nats.routes-*", + "title": "NATS routes metrics" + }, + { + "dataset": "connections", + "index_pattern": "logs-nats.connections-*", + "title": "NATS connections metrics" + } + ], + "elser_embedding": "NATS - Collect logs and metrics from NATS servers with Elastic Agent. - NATS stats metrics NATS route metrics NATS connection metrics NATS subscriptions metrics NATS logs NATS routes metrics NATS connections metrics" + }, + { + "title": "GoFlow2 logs", + "id": "goflow2", + "description": "Collect logs from goflow2 with Elastic Agent.", + "data_streams": [ + { + "dataset": "sflow", + "index_pattern": "logs-goflow2.sflow-*", + "title": "Goflow2 sFlow" + } + ], + "elser_embedding": "GoFlow2 logs - Collect logs from goflow2 with Elastic Agent. - Goflow2 sFlow" + }, + { + "title": "Microsoft Defender for Cloud", + "id": "microsoft_defender_cloud", + "description": "Collect logs from Microsoft Defender for Cloud with Elastic Agent.", + "data_streams": [ + { + "dataset": "event", + "index_pattern": "logs-microsoft_defender_cloud.event-*", + "title": "Collect Event(Alert and Recommendation) logs from Microsoft Defender for Cloud." + } + ], + "elser_embedding": "Microsoft Defender for Cloud - Collect logs from Microsoft Defender for Cloud with Elastic Agent. - Collect Event(Alert and Recommendation) logs from Microsoft Defender for Cloud." + }, + { + "title": "RabbitMQ Logs and Metrics", + "id": "rabbitmq", + "description": "Collect and parse logs from RabbitMQ servers with Elastic Agent.", + "data_streams": [ + { + "dataset": "queue", + "index_pattern": "logs-rabbitmq.queue-*", + "title": "RabbitMQ queue metrics" + }, + { + "dataset": "exchange", + "index_pattern": "logs-rabbitmq.exchange-*", + "title": "RabbitMQ exchange metrics" + }, + { + "dataset": "connection", + "index_pattern": "logs-rabbitmq.connection-*", + "title": "RabbitMQ connection metrics" + }, + { + "dataset": "log", + "index_pattern": "logs-rabbitmq.log-*", + "title": "RabbitMQ application logs" + }, + { + "dataset": "node", + "index_pattern": "logs-rabbitmq.node-*", + "title": "RabbitMQ node metrics" + } + ], + "elser_embedding": "RabbitMQ Logs and Metrics - Collect and parse logs from RabbitMQ servers with Elastic Agent. - RabbitMQ queue metrics RabbitMQ exchange metrics RabbitMQ connection metrics RabbitMQ application logs RabbitMQ node metrics" + }, + { + "title": "Apache Tomcat", + "id": "apache_tomcat", + "description": "Collect and parse logs and metrics from Apache Tomcat servers with Elastic Agent.", + "data_streams": [ + { + "dataset": "catalina", + "index_pattern": "logs-apache_tomcat.catalina-*", + "title": "Apache Tomcat Catalina logs" + }, + { + "dataset": "memory", + "index_pattern": "logs-apache_tomcat.memory-*", + "title": "Apache Tomcat Memory metrics" + }, + { + "dataset": "access", + "index_pattern": "logs-apache_tomcat.access-*", + "title": "Apache Tomcat Access logs" + }, + { + "dataset": "cache", + "index_pattern": "logs-apache_tomcat.cache-*", + "title": "Apache Tomcat Cache metrics" + }, + { + "dataset": "request", + "index_pattern": "logs-apache_tomcat.request-*", + "title": "Apache Tomcat Request metrics" + }, + { + "dataset": "session", + "index_pattern": "logs-apache_tomcat.session-*", + "title": "Apache Tomcat Session metrics" + }, + { + "dataset": "localhost", + "index_pattern": "logs-apache_tomcat.localhost-*", + "title": "Apache Tomcat Localhost logs" + }, + { + "dataset": "connection_pool", + "index_pattern": "logs-apache_tomcat.connection_pool-*", + "title": "Apache Tomcat Connection Pool metrics" + }, + { + "dataset": "thread_pool", + "index_pattern": "logs-apache_tomcat.thread_pool-*", + "title": "Apache Tomcat Thread Pool metrics" + } + ], + "elser_embedding": "Apache Tomcat - Collect and parse logs and metrics from Apache Tomcat servers with Elastic Agent. - Apache Tomcat Catalina logs Apache Tomcat Memory metrics Apache Tomcat Access logs Apache Tomcat Cache metrics Apache Tomcat Request metrics Apache Tomcat Session metrics Apache Tomcat Localhost logs Apache Tomcat Connection Pool metrics Apache Tomcat Thread Pool metrics" + }, + { + "title": "CylanceProtect Logs", + "id": "cylance", + "description": "Collect logs from CylanceProtect devices with Elastic Agent.", + "data_streams": [ + { + "dataset": "protect", + "index_pattern": "logs-cylance.protect-*", + "title": "CylanceProtect logs" + } + ], + "elser_embedding": "CylanceProtect Logs - Collect logs from CylanceProtect devices with Elastic Agent. - CylanceProtect logs" + }, + { + "title": "Rapid7 InsightVM", + "id": "rapid7_insightvm", + "description": "Collect logs from Rapid7 InsightVM with Elastic Agent.", + "data_streams": [ + { + "dataset": "vulnerability", + "index_pattern": "logs-rapid7_insightvm.vulnerability-*", + "title": "Collect Vulnerability logs from Rapid7 InsightVM" + }, + { + "dataset": "asset", + "index_pattern": "logs-rapid7_insightvm.asset-*", + "title": "Collect Asset logs from Rapid7 InsightVM" + } + ], + "elser_embedding": "Rapid7 InsightVM - Collect logs from Rapid7 InsightVM with Elastic Agent. - Collect Vulnerability logs from Rapid7 InsightVM Collect Asset logs from Rapid7 InsightVM" + }, + { + "title": "Symantec EDR Cloud", + "id": "symantec_edr_cloud", + "description": "Collect logs from Symantec EDR Cloud with Elastic Agent.", + "data_streams": [ + { + "dataset": "incident", + "index_pattern": "logs-symantec_edr_cloud.incident-*", + "title": "Collect Incident logs from Symantec EDR Cloud" + } + ], + "elser_embedding": "Symantec EDR Cloud - Collect logs from Symantec EDR Cloud with Elastic Agent. - Collect Incident logs from Symantec EDR Cloud" + }, + { + "title": "Nginx Ingress Controller OpenTelemetry Logs", + "id": "nginx_ingress_controller_otel", + "description": "Collect Nginx Ingress Controller logs using the OpenTelemetry collector.", + "data_streams": [], + "elser_embedding": "Nginx Ingress Controller OpenTelemetry Logs - Collect Nginx Ingress Controller logs using the OpenTelemetry collector. - " + }, + { + "title": "OpenCTI", + "id": "ti_opencti", + "description": "Ingest threat intelligence indicators from OpenCTI with Elastic Agent.", + "data_streams": [ + { + "dataset": "indicator", + "index_pattern": "logs-ti_opencti.indicator-*", + "title": "Indicator" + } + ], + "elser_embedding": "OpenCTI - Ingest threat intelligence indicators from OpenCTI with Elastic Agent. - Indicator" + }, + { + "title": "Windows", + "id": "windows", + "description": "Collect logs and metrics from Windows OS and services with Elastic Agent.", + "data_streams": [ + { + "dataset": "applocker_packaged_app_deployment", + "index_pattern": "logs-windows.applocker_packaged_app_deployment-*", + "title": "Windows AppLocker/Packaged app-Deployment logs" + }, + { + "dataset": "applocker_msi_and_script", + "index_pattern": "logs-windows.applocker_msi_and_script-*", + "title": "Windows AppLocker/MSI and Script logs" + }, + { + "dataset": "powershell_operational", + "index_pattern": "logs-windows.powershell_operational-*", + "title": "Windows Powershell/Operational logs" + }, + { + "dataset": "perfmon", + "index_pattern": "logs-windows.perfmon-*", + "title": "Windows perfmon metrics" + }, + { + "dataset": "windows_defender", + "index_pattern": "logs-windows.windows_defender-*", + "title": "Windows Defender logs" + }, + { + "dataset": "sysmon_operational", + "index_pattern": "logs-windows.sysmon_operational-*", + "title": "Windows Sysmon/Operational events" + }, + { + "dataset": "service", + "index_pattern": "logs-windows.service-*", + "title": "Windows service metrics" + }, + { + "dataset": "forwarded", + "index_pattern": "logs-windows.forwarded-*", + "title": "Windows forwarded events" + }, + { + "dataset": "powershell", + "index_pattern": "logs-windows.powershell-*", + "title": "Windows Powershell logs" + }, + { + "dataset": "applocker_exe_and_dll", + "index_pattern": "logs-windows.applocker_exe_and_dll-*", + "title": "Windows AppLocker/EXE and DLL logs" + }, + { + "dataset": "applocker_packaged_app_execution", + "index_pattern": "logs-windows.applocker_packaged_app_execution-*", + "title": "Windows AppLocker/Packaged app-Execution logs" + } + ], + "elser_embedding": "Windows - Collect logs and metrics from Windows OS and services with Elastic Agent. - Windows AppLocker/Packaged app-Deployment logs Windows AppLocker/MSI and Script logs Windows Powershell/Operational logs Windows perfmon metrics Windows Defender logs Windows Sysmon/Operational events Windows service metrics Windows forwarded events Windows Powershell logs Windows AppLocker/EXE and DLL logs Windows AppLocker/Packaged app-Execution logs" + }, + { + "title": "CouchDB", + "id": "couchdb", + "description": "Collect metrics from CouchDB with Elastic Agent.", + "data_streams": [ + { + "dataset": "server", + "index_pattern": "logs-couchdb.server-*", + "title": "Server" + } + ], + "elser_embedding": "CouchDB - Collect metrics from CouchDB with Elastic Agent. - Server" + }, + { + "title": "Custom UDP Logs", + "id": "udp", + "description": "Collect raw UDP data from listening UDP port with Elastic Agent.", + "data_streams": [ + { + "dataset": "generic", + "index_pattern": "logs-udp.generic-*", + "title": "Custom UDP Logs" + } + ], + "elser_embedding": "Custom UDP Logs - Collect raw UDP data from listening UDP port with Elastic Agent. - Custom UDP Logs" + }, + { + "title": "Cassandra", + "id": "cassandra", + "description": "This Elastic integration collects logs and metrics from cassandra.", + "data_streams": [ + { + "dataset": "log", + "index_pattern": "logs-cassandra.log-*", + "title": "Cassandra System Logs" + }, + { + "dataset": "metrics", + "index_pattern": "logs-cassandra.metrics-*", + "title": "Metrics" + } + ], + "elser_embedding": "Cassandra - This Elastic integration collects logs and metrics from cassandra. - Cassandra System Logs Metrics" + }, + { + "title": "Gigamon", + "id": "gigamon", + "description": "Collect logs from Gigamon with Elastic Agent.", + "data_streams": [ + { + "dataset": "ami", + "index_pattern": "logs-gigamon.ami-*", + "title": "Gigamon Application Metadata Intelligence (AMI) Logs" + } + ], + "elser_embedding": "Gigamon - Collect logs from Gigamon with Elastic Agent. - Gigamon Application Metadata Intelligence (AMI) Logs" + }, + { + "title": "Hashicorp Vault", + "id": "hashicorp_vault", + "description": "Collect logs and metrics from Hashicorp Vault with Elastic Agent.", + "data_streams": [ + { + "dataset": "audit", + "index_pattern": "logs-hashicorp_vault.audit-*", + "title": "Hashicorp Vault Audit Logs" + }, + { + "dataset": "log", + "index_pattern": "logs-hashicorp_vault.log-*", + "title": "Hashicorp Vault Operational Logs" + }, + { + "dataset": "metrics", + "index_pattern": "logs-hashicorp_vault.metrics-*", + "title": "Hashicorp Vault Metrics" + } + ], + "elser_embedding": "Hashicorp Vault - Collect logs and metrics from Hashicorp Vault with Elastic Agent. - Hashicorp Vault Audit Logs Hashicorp Vault Operational Logs Hashicorp Vault Metrics" + }, + { + "title": "Okta", + "id": "okta", + "description": "Collect and parse event logs from Okta API with Elastic Agent.", + "data_streams": [ + { + "dataset": "system", + "index_pattern": "logs-okta.system-*", + "title": "Okta system logs" + } + ], + "elser_embedding": "Okta - Collect and parse event logs from Okta API with Elastic Agent. - Okta system logs" + }, + { + "title": "Recorded Future", + "id": "ti_recordedfuture", + "description": "Ingest threat intelligence indicators from Recorded Future risk lists with Elastic Agent.", + "data_streams": [ + { + "dataset": "threat", + "index_pattern": "logs-ti_recordedfuture.threat-*", + "title": "Recorded Future" + } + ], + "elser_embedding": "Recorded Future - Ingest threat intelligence indicators from Recorded Future risk lists with Elastic Agent. - Recorded Future" + }, + { + "title": "IIS", + "id": "iis", + "description": "Collect logs and metrics from Internet Information Services (IIS) servers with Elastic Agent.", + "data_streams": [ + { + "dataset": "access", + "index_pattern": "logs-iis.access-*", + "title": "IIS access logs" + }, + { + "dataset": "webserver", + "index_pattern": "logs-iis.webserver-*", + "title": "IIS web server metrics" + }, + { + "dataset": "error", + "index_pattern": "logs-iis.error-*", + "title": "IIS error logs" + }, + { + "dataset": "website", + "index_pattern": "logs-iis.website-*", + "title": "IIS website metrics" + }, + { + "dataset": "application_pool", + "index_pattern": "logs-iis.application_pool-*", + "title": "IIS application_pool metrics" + } + ], + "elser_embedding": "IIS - Collect logs and metrics from Internet Information Services (IIS) servers with Elastic Agent. - IIS access logs IIS web server metrics IIS error logs IIS website metrics IIS application_pool metrics" + }, + { + "title": "Golang", + "id": "golang", + "description": "This Elastic integration collects metrics from Golang applications.", + "data_streams": [ + { + "dataset": "heap", + "index_pattern": "logs-golang.heap-*", + "title": "Golang Heap metrics" + }, + { + "dataset": "expvar", + "index_pattern": "logs-golang.expvar-*", + "title": "Golang expvar metrics" + } + ], + "elser_embedding": "Golang - This Elastic integration collects metrics from Golang applications. - Golang Heap metrics Golang expvar metrics" + }, + { + "title": "MongoDB", + "id": "mongodb", + "description": "Collect logs and metrics from MongoDB instances with Elastic Agent.", + "data_streams": [ + { + "dataset": "replstatus", + "index_pattern": "logs-mongodb.replstatus-*", + "title": "MongoDB replstatus metrics" + }, + { + "dataset": "log", + "index_pattern": "logs-mongodb.log-*", + "title": "mongodb log logs" + }, + { + "dataset": "metrics", + "index_pattern": "logs-mongodb.metrics-*", + "title": "MongoDB metrics" + }, + { + "dataset": "status", + "index_pattern": "logs-mongodb.status-*", + "title": "MongoDB status metrics" + }, + { + "dataset": "dbstats", + "index_pattern": "logs-mongodb.dbstats-*", + "title": "MongoDB dbstats metrics" + }, + { + "dataset": "collstats", + "index_pattern": "logs-mongodb.collstats-*", + "title": "MongoDB collstats metrics" + } + ], + "elser_embedding": "MongoDB - Collect logs and metrics from MongoDB instances with Elastic Agent. - MongoDB replstatus metrics mongodb log logs MongoDB metrics MongoDB status metrics MongoDB dbstats metrics MongoDB collstats metrics" + }, + { + "title": "Sublime Security", + "id": "sublime_security", + "description": "Collect logs from Sublime Security with Elastic Agent.", + "data_streams": [ + { + "dataset": "audit", + "index_pattern": "logs-sublime_security.audit-*", + "title": "Sublime Security Audit logs" + }, + { + "dataset": "email_message", + "index_pattern": "logs-sublime_security.email_message-*", + "title": "Sublime Security Email Message logs" + }, + { + "dataset": "message_event", + "index_pattern": "logs-sublime_security.message_event-*", + "title": "Sublime Security Message Event logs" + } + ], + "elser_embedding": "Sublime Security - Collect logs from Sublime Security with Elastic Agent. - Sublime Security Audit logs Sublime Security Email Message logs Sublime Security Message Event logs" + }, + { + "title": "Nginx", + "id": "nginx", + "description": "Collect logs and metrics from Nginx HTTP servers with Elastic Agent.", + "data_streams": [ + { + "dataset": "access", + "index_pattern": "logs-nginx.access-*", + "title": "Nginx access logs" + }, + { + "dataset": "error", + "index_pattern": "logs-nginx.error-*", + "title": "Nginx error logs" + }, + { + "dataset": "stubstatus", + "index_pattern": "logs-nginx.stubstatus-*", + "title": "Nginx stubstatus metrics" + } + ], + "elser_embedding": "Nginx - Collect logs and metrics from Nginx HTTP servers with Elastic Agent. - Nginx access logs Nginx error logs Nginx stubstatus metrics" + }, + { + "title": "Apache Spark", + "id": "apache_spark", + "description": "Collect metrics from Apache Spark with Elastic Agent.", + "data_streams": [ + { + "dataset": "driver", + "index_pattern": "logs-apache_spark.driver-*", + "title": "Apache Spark driver metrics" + }, + { + "dataset": "application", + "index_pattern": "logs-apache_spark.application-*", + "title": "Apache Spark application metrics" + }, + { + "dataset": "node", + "index_pattern": "logs-apache_spark.node-*", + "title": "Apache Spark node metrics" + }, + { + "dataset": "executor", + "index_pattern": "logs-apache_spark.executor-*", + "title": "Apache Spark executor metrics" + } + ], + "elser_embedding": "Apache Spark - Collect metrics from Apache Spark with Elastic Agent. - Apache Spark driver metrics Apache Spark application metrics Apache Spark node metrics Apache Spark executor metrics" + }, + { + "title": "Rapid7 Threat Command", + "id": "ti_rapid7_threat_command", + "description": "Collect threat intelligence from Threat Command API with Elastic Agent.", + "data_streams": [ + { + "dataset": "ioc", + "index_pattern": "logs-ti_rapid7_threat_command.ioc-*", + "title": "Rapid7 Threat Command IOCs" + }, + { + "dataset": "vulnerability", + "index_pattern": "logs-ti_rapid7_threat_command.vulnerability-*", + "title": "Rapid7 Threat Command Vulnerability" + }, + { + "dataset": "alert", + "index_pattern": "logs-ti_rapid7_threat_command.alert-*", + "title": "Rapid7 Threat Command Alerts" + } + ], + "elser_embedding": "Rapid7 Threat Command - Collect threat intelligence from Threat Command API with Elastic Agent. - Rapid7 Threat Command IOCs Rapid7 Threat Command Vulnerability Rapid7 Threat Command Alerts" + }, + { + "title": "Fortinet FortiEDR Logs", + "id": "fortinet_fortiedr", + "description": "Collect logs from Fortinet FortiEDR instances with Elastic Agent.", + "data_streams": [ + { + "dataset": "log", + "index_pattern": "logs-fortinet_fortiedr.log-*", + "title": "Fortinet FortEDR Endpoint Detection and Response logs" + } + ], + "elser_embedding": "Fortinet FortiEDR Logs - Collect logs from Fortinet FortiEDR instances with Elastic Agent. - Fortinet FortEDR Endpoint Detection and Response logs" + }, + { + "title": "ThreatQuotient", + "id": "ti_threatq", + "description": "Ingest threat intelligence indicators from ThreatQuotient with Elastic Agent.", + "data_streams": [ + { + "dataset": "threat", + "index_pattern": "logs-ti_threatq.threat-*", + "title": "ThreatQ" + } + ], + "elser_embedding": "ThreatQuotient - Ingest threat intelligence indicators from ThreatQuotient with Elastic Agent. - ThreatQ" + }, + { + "title": "BBOT (Bighuge BLS OSINT Tool)", + "id": "bbot", + "description": "BBOT is a recursive internet scanner inspired by Spiderfoot, but designed to be faster, more reliable, and friendlier to pentesters, bug bounty hunters, and developers. ", + "data_streams": [ + { + "dataset": "asm_intel", + "index_pattern": "logs-bbot.asm_intel-*", + "title": "BBOT-Data-Ingest" + } + ], + "elser_embedding": "BBOT (Bighuge BLS OSINT Tool) - BBOT is a recursive internet scanner inspired by Spiderfoot, but designed to be faster, more reliable, and friendlier to pentesters, bug bounty hunters, and developers. - BBOT-Data-Ingest" + }, + { + "title": "Microsoft SQL Server", + "id": "microsoft_sqlserver", + "description": "Collect events from Microsoft SQL Server with Elastic Agent", + "data_streams": [ + { + "dataset": "performance", + "index_pattern": "logs-microsoft_sqlserver.performance-*", + "title": "Microsoft SQL Server performance metrics" + }, + { + "dataset": "audit", + "index_pattern": "logs-microsoft_sqlserver.audit-*", + "title": "SQL Server audit events" + }, + { + "dataset": "log", + "index_pattern": "logs-microsoft_sqlserver.log-*", + "title": "Microsoft SQL Server error logs" + }, + { + "dataset": "transaction_log", + "index_pattern": "logs-microsoft_sqlserver.transaction_log-*", + "title": "Microsoft SQL Server transaction_log metrics" + } + ], + "elser_embedding": "Microsoft SQL Server - Collect events from Microsoft SQL Server with Elastic Agent - Microsoft SQL Server performance metrics SQL Server audit events Microsoft SQL Server error logs Microsoft SQL Server transaction_log metrics" + }, + { + "title": "Claroty CTD", + "id": "claroty_ctd", + "description": "Collect logs from Claroty CTD using Elastic Agent.", + "data_streams": [ + { + "dataset": "baseline", + "index_pattern": "logs-claroty_ctd.baseline-*", + "title": "Baseline logs" + }, + { + "dataset": "event", + "index_pattern": "logs-claroty_ctd.event-*", + "title": "Event logs" + }, + { + "dataset": "asset", + "index_pattern": "logs-claroty_ctd.asset-*", + "title": "Asset logs" + } + ], + "elser_embedding": "Claroty CTD - Collect logs from Claroty CTD using Elastic Agent. - Baseline logs Event logs Asset logs" + }, + { + "title": "ZeroFox", + "id": "zerofox", + "description": "Collect logs from ZeroFox with Elastic Agent.", + "data_streams": [ + { + "dataset": "alerts", + "index_pattern": "logs-zerofox.alerts-*", + "title": "Alerts" + } + ], + "elser_embedding": "ZeroFox - Collect logs from ZeroFox with Elastic Agent. - Alerts" + }, + { + "title": "Darktrace", + "id": "darktrace", + "description": "Collect logs from Darktrace with Elastic Agent.", + "data_streams": [ + { + "dataset": "system_status_alert", + "index_pattern": "logs-darktrace.system_status_alert-*", + "title": "Collect System Status Alert logs from Darktrace" + }, + { + "dataset": "model_breach_alert", + "index_pattern": "logs-darktrace.model_breach_alert-*", + "title": "Collect Model Breach Alert logs from Darktrace" + }, + { + "dataset": "ai_analyst_alert", + "index_pattern": "logs-darktrace.ai_analyst_alert-*", + "title": "Collect AI Analyst Alert logs from Darktrace" + } + ], + "elser_embedding": "Darktrace - Collect logs from Darktrace with Elastic Agent. - Collect System Status Alert logs from Darktrace Collect Model Breach Alert logs from Darktrace Collect AI Analyst Alert logs from Darktrace" + }, + { + "title": "Cybersixgill", + "id": "ti_cybersixgill", + "description": "Ingest threat intelligence indicators from Cybersixgill with Elastic Agent.", + "data_streams": [ + { + "dataset": "threat", + "index_pattern": "logs-ti_cybersixgill.threat-*", + "title": "Cybersixgill Darkfeed Logs" + } + ], + "elser_embedding": "Cybersixgill - Ingest threat intelligence indicators from Cybersixgill with Elastic Agent. - Cybersixgill Darkfeed Logs" + }, + { + "title": "Trend Micro Vision One", + "id": "trend_micro_vision_one", + "description": "Collect logs from Trend Micro Vision One with Elastic Agent.", + "data_streams": [ + { + "dataset": "audit", + "index_pattern": "logs-trend_micro_vision_one.audit-*", + "title": "Collect Audit logs from Trend Micro Vision One." + }, + { + "dataset": "alert", + "index_pattern": "logs-trend_micro_vision_one.alert-*", + "title": "Collect Alert logs from Trend Micro Vision One." + }, + { + "dataset": "detection", + "index_pattern": "logs-trend_micro_vision_one.detection-*", + "title": "Collect Detection logs from Trend Micro Vision One." + } + ], + "elser_embedding": "Trend Micro Vision One - Collect logs from Trend Micro Vision One with Elastic Agent. - Collect Audit logs from Trend Micro Vision One. Collect Alert logs from Trend Micro Vision One. Collect Detection logs from Trend Micro Vision One." + }, + { + "title": "Traefik", + "id": "traefik", + "description": "Collect logs from Traefik servers with Elastic Agent.", + "data_streams": [ + { + "dataset": "access", + "index_pattern": "logs-traefik.access-*", + "title": "Traefik access logs" + }, + { + "dataset": "health", + "index_pattern": "logs-traefik.health-*", + "title": "Traefik health metrics" + } + ], + "elser_embedding": "Traefik - Collect logs from Traefik servers with Elastic Agent. - Traefik access logs Traefik health metrics" + }, + { + "title": "F5 BIG-IP", + "id": "f5_bigip", + "description": "Collect logs from F5 BIG-IP with Elastic Agent.", + "data_streams": [ + { + "dataset": "log", + "index_pattern": "logs-f5_bigip.log-*", + "title": "Collect logs from F5 BIG-IP" + } + ], + "elser_embedding": "F5 BIG-IP - Collect logs from F5 BIG-IP with Elastic Agent. - Collect logs from F5 BIG-IP" + }, + { + "title": "Custom Kafka Logs", + "id": "kafka_log", + "description": "Collect data from kafka topic with Elastic Agent.", + "data_streams": [ + { + "dataset": "generic", + "index_pattern": "logs-kafka_log.generic-*", + "title": "Custom Kafka Logs" + } + ], + "elser_embedding": "Custom Kafka Logs - Collect data from kafka topic with Elastic Agent. - Custom Kafka Logs" + }, + { + "title": "CyberArk Privileged Access Security", + "id": "cyberarkpas", + "description": "Collect logs from CyberArk Privileged Access Security with Elastic Agent.", + "data_streams": [ + { + "dataset": "audit", + "index_pattern": "logs-cyberarkpas.audit-*", + "title": "CyberArk PAS audit logs" + }, + { + "dataset": "monitor", + "index_pattern": "logs-cyberarkpas.monitor-*", + "title": "CyberArk PAS monitor Events" + } + ], + "elser_embedding": "CyberArk Privileged Access Security - Collect logs from CyberArk Privileged Access Security with Elastic Agent. - CyberArk PAS audit logs CyberArk PAS monitor Events" + }, + { + "title": "Palo Alto Prisma Cloud", + "id": "prisma_cloud", + "description": "Collect logs from Prisma Cloud with Elastic Agent.", + "data_streams": [ + { + "dataset": "host_profile", + "index_pattern": "logs-prisma_cloud.host_profile-*", + "title": "Collect Host Profile logs from Prisma Cloud Workload Protection." + }, + { + "dataset": "host", + "index_pattern": "logs-prisma_cloud.host-*", + "title": "Collect Host logs from Prisma Cloud Workload Protection." + }, + { + "dataset": "audit", + "index_pattern": "logs-prisma_cloud.audit-*", + "title": "Collect Audit logs from Prisma Cloud Security Posture Management." + }, + { + "dataset": "alert", + "index_pattern": "logs-prisma_cloud.alert-*", + "title": "Collect Alert logs from Prisma Cloud Security Posture Management." + }, + { + "dataset": "incident_audit", + "index_pattern": "logs-prisma_cloud.incident_audit-*", + "title": "Collect Incident Audit logs from Prisma Cloud Workload Protection." + } + ], + "elser_embedding": "Palo Alto Prisma Cloud - Collect logs from Prisma Cloud with Elastic Agent. - Collect Host Profile logs from Prisma Cloud Workload Protection. Collect Host logs from Prisma Cloud Workload Protection. Collect Audit logs from Prisma Cloud Security Posture Management. Collect Alert logs from Prisma Cloud Security Posture Management. Collect Incident Audit logs from Prisma Cloud Workload Protection." + }, + { + "title": "Cilium Tetragon", + "id": "cilium_tetragon", + "description": "Collect Cilium Tetragon logs from Kubernetes environments.", + "data_streams": [ + { + "dataset": "log", + "index_pattern": "logs-cilium_tetragon.log-*", + "title": "log\n" + } + ], + "elser_embedding": "Cilium Tetragon - Collect Cilium Tetragon logs from Kubernetes environments. - log\n" + }, + { + "title": "Qualys VMDR", + "id": "qualys_vmdr", + "description": "Collect data from Qualys VMDR platform with Elastic Agent.", + "data_streams": [ + { + "dataset": "knowledge_base", + "index_pattern": "logs-qualys_vmdr.knowledge_base-*", + "title": "Collect Knowledge Base data from Qualys VMDR platform." + }, + { + "dataset": "user_activity", + "index_pattern": "logs-qualys_vmdr.user_activity-*", + "title": "Collect User Activity Log data from Qualys VMDR platform." + }, + { + "dataset": "asset_host_detection", + "index_pattern": "logs-qualys_vmdr.asset_host_detection-*", + "title": "Collect Asset Host Detection data from Qualys VMDR platform." + } + ], + "elser_embedding": "Qualys VMDR - Collect data from Qualys VMDR platform with Elastic Agent. - Collect Knowledge Base data from Qualys VMDR platform. Collect User Activity Log data from Qualys VMDR platform. Collect Asset Host Detection data from Qualys VMDR platform." + }, + { + "title": "Elastic Agent", + "id": "elastic_agent", + "description": "Collect logs and metrics from Elastic Agents.", + "data_streams": [ + { + "dataset": "fleet_server_logs", + "index_pattern": "logs-elastic_agent.fleet_server_logs-*", + "title": "Elastic Agent" + }, + { + "dataset": "endpoint_security_metrics", + "index_pattern": "logs-elastic_agent.endpoint_security_metrics-*", + "title": "Elastic Agent" + }, + { + "dataset": "apm_server_logs", + "index_pattern": "logs-elastic_agent.apm_server_logs-*", + "title": "Elastic Agent" + }, + { + "dataset": "osquerybeat_logs", + "index_pattern": "logs-elastic_agent.osquerybeat_logs-*", + "title": "Elastic Agent" + }, + { + "dataset": "heartbeat_logs", + "index_pattern": "logs-elastic_agent.heartbeat_logs-*", + "title": "Elastic Agent" + }, + { + "dataset": "metricbeat_logs", + "index_pattern": "logs-elastic_agent.metricbeat_logs-*", + "title": "Elastic Agent" + }, + { + "dataset": "elastic_agent_metrics", + "index_pattern": "logs-elastic_agent.elastic_agent_metrics-*", + "title": "Elastic Agent" + }, + { + "dataset": "auditbeat_metrics", + "index_pattern": "logs-elastic_agent.auditbeat_metrics-*", + "title": "Elastic Agent Auditbeat Metrics" + }, + { + "dataset": "pf_elastic_symbolizer", + "index_pattern": "logs-elastic_agent.pf_elastic_symbolizer-*", + "title": "Elastic Agent" + }, + { + "dataset": "cloud_defend_logs", + "index_pattern": "logs-elastic_agent.cloud_defend_logs-*", + "title": "Elastic Agent" + }, + { + "dataset": "endpoint_sercurity_logs", + "index_pattern": "logs-elastic_agent.endpoint_sercurity_logs-*", + "title": "Elastic Agent" + }, + { + "dataset": "filebeat_input_metrics", + "index_pattern": "logs-elastic_agent.filebeat_input_metrics-*", + "title": "Elastic Agent" + }, + { + "dataset": "metricbeat_metrics", + "index_pattern": "logs-elastic_agent.metricbeat_metrics-*", + "title": "Elastic Agent" + }, + { + "dataset": "packetbeat_metrics", + "index_pattern": "logs-elastic_agent.packetbeat_metrics-*", + "title": "Elastic Agent" + }, + { + "dataset": "apm_server_metrics", + "index_pattern": "logs-elastic_agent.apm_server_metrics-*", + "title": "Elastic Agent" + }, + { + "dataset": "filebeat_input_logs", + "index_pattern": "logs-elastic_agent.filebeat_input_logs-*", + "title": "Elastic Agent" + }, + { + "dataset": "elastic_agent_logs", + "index_pattern": "logs-elastic_agent.elastic_agent_logs-*", + "title": "Elastic Agent" + }, + { + "dataset": "auditbeat_logs", + "index_pattern": "logs-elastic_agent.auditbeat_logs-*", + "title": "Elastic Agent" + }, + { + "dataset": "filebeat_logs", + "index_pattern": "logs-elastic_agent.filebeat_logs-*", + "title": "Elastic Agent" + }, + { + "dataset": "pf_host_agent_logs", + "index_pattern": "logs-elastic_agent.pf_host_agent_logs-*", + "title": "Elastic Agent" + }, + { + "dataset": "cloudbeat_logs", + "index_pattern": "logs-elastic_agent.cloudbeat_logs-*", + "title": "Elastic Agent" + }, + { + "dataset": "heartbeat_metrics", + "index_pattern": "logs-elastic_agent.heartbeat_metrics-*", + "title": "Elastic Agent" + }, + { + "dataset": "cloudbeat_metrics", + "index_pattern": "logs-elastic_agent.cloudbeat_metrics-*", + "title": "Elastic Agent" + }, + { + "dataset": "fleet_server_metrics", + "index_pattern": "logs-elastic_agent.fleet_server_metrics-*", + "title": "Elastic Agent" + }, + { + "dataset": "packetbeat_logs", + "index_pattern": "logs-elastic_agent.packetbeat_logs-*", + "title": "Elastic Agent" + }, + { + "dataset": "osquerybeat_metrics", + "index_pattern": "logs-elastic_agent.osquerybeat_metrics-*", + "title": "Elastic Agent" + }, + { + "dataset": "pf_elastic_collector", + "index_pattern": "logs-elastic_agent.pf_elastic_collector-*", + "title": "Elastic Agent" + }, + { + "dataset": "filebeat_metrics", + "index_pattern": "logs-elastic_agent.filebeat_metrics-*", + "title": "Elastic Agent" + } + ], + "elser_embedding": "Elastic Agent - Collect logs and metrics from Elastic Agents. - Elastic Agent Elastic Agent Elastic Agent Elastic Agent Elastic Agent Elastic Agent Elastic Agent Elastic Agent Auditbeat Metrics Elastic Agent Elastic Agent Elastic Agent Elastic Agent Elastic Agent Elastic Agent Elastic Agent Elastic Agent Elastic Agent Elastic Agent Elastic Agent Elastic Agent Elastic Agent Elastic Agent Elastic Agent Elastic Agent Elastic Agent Elastic Agent Elastic Agent Elastic Agent" + }, + { + "title": "Custom Filestream Logs", + "id": "filestream", + "description": "Collect log data using filestream with Elastic Agent.", + "data_streams": [ + { + "dataset": "generic", + "index_pattern": "logs-filestream.generic-*", + "title": "Custom Filestream Logs" + } + ], + "elser_embedding": "Custom Filestream Logs - Collect log data using filestream with Elastic Agent. - Custom Filestream Logs" + }, + { + "title": "OpenCanary", + "id": "opencanary", + "description": "This integration collects and parses logs from OpenCanary honeypots.", + "data_streams": [ + { + "dataset": "events", + "index_pattern": "logs-opencanary.events-*", + "title": "OpenCanary HoneyPot Events" + } + ], + "elser_embedding": "OpenCanary - This integration collects and parses logs from OpenCanary honeypots. - OpenCanary HoneyPot Events" + }, + { + "title": "Palo Alto Cortex XDR", + "id": "panw_cortex_xdr", + "description": "Collect logs from Palo Alto Cortex XDR with Elastic Agent.", + "data_streams": [ + { + "dataset": "incidents", + "index_pattern": "logs-panw_cortex_xdr.incidents-*", + "title": "Palo Alto Cortex XDR Incidents API" + }, + { + "dataset": "alerts", + "index_pattern": "logs-panw_cortex_xdr.alerts-*", + "title": "Palo Alto Cortex XDR Alerts API" + } + ], + "elser_embedding": "Palo Alto Cortex XDR - Collect logs from Palo Alto Cortex XDR with Elastic Agent. - Palo Alto Cortex XDR Incidents API Palo Alto Cortex XDR Alerts API" + }, + { + "title": "Cisco Nexus", + "id": "cisco_nexus", + "description": "Collect logs from Cisco Nexus with Elastic Agent.", + "data_streams": [ + { + "dataset": "log", + "index_pattern": "logs-cisco_nexus.log-*", + "title": "Collect logs from Cisco Nexus" + } + ], + "elser_embedding": "Cisco Nexus - Collect logs from Cisco Nexus with Elastic Agent. - Collect logs from Cisco Nexus" + }, + { + "title": "JumpCloud", + "id": "jumpcloud", + "description": "Collect logs from JumpCloud Directory as a Service", + "data_streams": [ + { + "dataset": "events", + "index_pattern": "logs-jumpcloud.events-*", + "title": "JumpCloud Directory as a Service Events" + } + ], + "elser_embedding": "JumpCloud - Collect logs from JumpCloud Directory as a Service - JumpCloud Directory as a Service Events" + }, + { + "title": "Microsoft Defender for Endpoint", + "id": "microsoft_defender_endpoint", + "description": "Collect logs from Microsoft Defender for Endpoint with Elastic Agent.", + "data_streams": [ + { + "dataset": "log", + "index_pattern": "logs-microsoft_defender_endpoint.log-*", + "title": "Microsoft Defender for Endpoint logs" + } + ], + "elser_embedding": "Microsoft Defender for Endpoint - Collect logs from Microsoft Defender for Endpoint with Elastic Agent. - Microsoft Defender for Endpoint logs" + }, + { + "title": "ActiveMQ", + "id": "activemq", + "description": "Collect logs and metrics from ActiveMQ instances with Elastic Agent.", + "data_streams": [ + { + "dataset": "broker", + "index_pattern": "logs-activemq.broker-*", + "title": "ActiveMQ broker metrics" + }, + { + "dataset": "queue", + "index_pattern": "logs-activemq.queue-*", + "title": "ActiveMQ queue metrics" + }, + { + "dataset": "audit", + "index_pattern": "logs-activemq.audit-*", + "title": "ActiveMQ audit logs" + }, + { + "dataset": "log", + "index_pattern": "logs-activemq.log-*", + "title": "ActiveMQ log logs" + }, + { + "dataset": "topic", + "index_pattern": "logs-activemq.topic-*", + "title": "ActiveMQ topic metrics" + } + ], + "elser_embedding": "ActiveMQ - Collect logs and metrics from ActiveMQ instances with Elastic Agent. - ActiveMQ broker metrics ActiveMQ queue metrics ActiveMQ audit logs ActiveMQ log logs ActiveMQ topic metrics" + }, + { + "title": "AbuseCH", + "id": "ti_abusech", + "description": "Ingest threat intelligence indicators from URL Haus, Malware Bazaar, and Threat Fox feeds with Elastic Agent.", + "data_streams": [ + { + "dataset": "threatfox", + "index_pattern": "logs-ti_abusech.threatfox-*", + "title": "AbuseCH Threat Fox indicators" + }, + { + "dataset": "url", + "index_pattern": "logs-ti_abusech.url-*", + "title": "AbuseCH URL logs" + }, + { + "dataset": "malware", + "index_pattern": "logs-ti_abusech.malware-*", + "title": "AbuseCH Malware payloads" + }, + { + "dataset": "malwarebazaar", + "index_pattern": "logs-ti_abusech.malwarebazaar-*", + "title": "AbuseCH MalwareBazaar payloads" + } + ], + "elser_embedding": "AbuseCH - Ingest threat intelligence indicators from URL Haus, Malware Bazaar, and Threat Fox feeds with Elastic Agent. - AbuseCH Threat Fox indicators AbuseCH URL logs AbuseCH Malware payloads AbuseCH MalwareBazaar payloads" + }, + { + "title": "Infoblox BloxOne DDI", + "id": "infoblox_bloxone_ddi", + "description": "Collect logs from Infoblox BloxOne DDI with Elastic Agent.", + "data_streams": [ + { + "dataset": "dns_data", + "index_pattern": "logs-infoblox_bloxone_ddi.dns_data-*", + "title": "Collect DNS Data logs from Infoblox BloxOne DDI" + }, + { + "dataset": "dns_config", + "index_pattern": "logs-infoblox_bloxone_ddi.dns_config-*", + "title": "Collect DNS Config logs from Infoblox BloxOne DDI" + }, + { + "dataset": "dhcp_lease", + "index_pattern": "logs-infoblox_bloxone_ddi.dhcp_lease-*", + "title": "Collect DHCP Lease logs from Infoblox BloxOne DDI" + } + ], + "elser_embedding": "Infoblox BloxOne DDI - Collect logs from Infoblox BloxOne DDI with Elastic Agent. - Collect DNS Data logs from Infoblox BloxOne DDI Collect DNS Config logs from Infoblox BloxOne DDI Collect DHCP Lease logs from Infoblox BloxOne DDI" + }, + { + "title": "Google Security Command Center", + "id": "google_scc", + "description": "Collect logs from Google Security Command Center with Elastic Agent.", + "data_streams": [ + { + "dataset": "audit", + "index_pattern": "logs-google_scc.audit-*", + "title": "Collect Audit logs from Google Security Command Center." + }, + { + "dataset": "finding", + "index_pattern": "logs-google_scc.finding-*", + "title": "Collect Finding logs from Google Security Command Center." + }, + { + "dataset": "asset", + "index_pattern": "logs-google_scc.asset-*", + "title": "Collect Asset logs from Google Security Command Center." + }, + { + "dataset": "source", + "index_pattern": "logs-google_scc.source-*", + "title": "Collect Source logs from Google Security Command Center." + } + ], + "elser_embedding": "Google Security Command Center - Collect logs from Google Security Command Center with Elastic Agent. - Collect Audit logs from Google Security Command Center. Collect Finding logs from Google Security Command Center. Collect Asset logs from Google Security Command Center. Collect Source logs from Google Security Command Center." + }, + { + "title": "CoreDNS", + "id": "coredns", + "description": "Collect logs from CoreDNS instances with Elastic Agent.", + "data_streams": [ + { + "dataset": "log", + "index_pattern": "logs-coredns.log-*", + "title": "CoreDNS logs" + } + ], + "elser_embedding": "CoreDNS - Collect logs from CoreDNS instances with Elastic Agent. - CoreDNS logs" + }, + { + "title": "NetFlow Records", + "id": "netflow", + "description": "Collect flow records from NetFlow and IPFIX exporters with Elastic Agent.", + "data_streams": [ + { + "dataset": "log", + "index_pattern": "logs-netflow.log-*", + "title": "NetFlow logs" + } + ], + "elser_embedding": "NetFlow Records - Collect flow records from NetFlow and IPFIX exporters with Elastic Agent. - NetFlow logs" + }, + { + "title": "Forcepoint Web Security", + "id": "forcepoint_web", + "description": "Forcepoint Web Security", + "data_streams": [ + { + "dataset": "logs", + "index_pattern": "logs-forcepoint_web.logs-*", + "title": "Forcepoint Web Security Logs" + } + ], + "elser_embedding": "Forcepoint Web Security - Forcepoint Web Security - Forcepoint Web Security Logs" + }, + { + "title": "Trellix EDR Cloud", + "id": "trellix_edr_cloud", + "description": "Collect logs from Trellix EDR Cloud with Elastic Agent.", + "data_streams": [ + { + "dataset": "event", + "index_pattern": "logs-trellix_edr_cloud.event-*", + "title": "Collect Event logs from Trellix EDR Cloud." + } + ], + "elser_embedding": "Trellix EDR Cloud - Collect logs from Trellix EDR Cloud with Elastic Agent. - Collect Event logs from Trellix EDR Cloud." + }, + { + "title": "Slack Logs", + "id": "slack", + "description": "Slack Logs Integration", + "data_streams": [ + { + "dataset": "audit", + "index_pattern": "logs-slack.audit-*", + "title": "Slack Audit Logs" + } + ], + "elser_embedding": "Slack Logs - Slack Logs Integration - Slack Audit Logs" + }, + { + "title": "Cisco FTD", + "id": "cisco_ftd", + "description": "Collect logs from Cisco FTD with Elastic Agent.", + "data_streams": [ + { + "dataset": "log", + "index_pattern": "logs-cisco_ftd.log-*", + "title": "Cisco FTD logs" + } + ], + "elser_embedding": "Cisco FTD - Collect logs from Cisco FTD with Elastic Agent. - Cisco FTD logs" + }, + { + "title": "Microsoft DNS Server", + "id": "microsoft_dnsserver", + "description": "Collect logs from Microsoft DNS Server with Elastic Agent.", + "data_streams": [ + { + "dataset": "audit", + "index_pattern": "logs-microsoft_dnsserver.audit-*", + "title": "Collect DNS Server Audit logs" + }, + { + "dataset": "analytical", + "index_pattern": "logs-microsoft_dnsserver.analytical-*", + "title": "Collect DNS Server Analytical logs" + } + ], + "elser_embedding": "Microsoft DNS Server - Collect logs from Microsoft DNS Server with Elastic Agent. - Collect DNS Server Audit logs Collect DNS Server Analytical logs" + }, + { + "title": "Mandiant Advantage", + "id": "ti_mandiant_advantage", + "description": "Collect Threat Intelligence from products within the Mandiant Advantage platform.", + "data_streams": [ + { + "dataset": "threat_intelligence", + "index_pattern": "logs-ti_mandiant_advantage.threat_intelligence-*", + "title": "Mandiant Threat Intelligence" + } + ], + "elser_embedding": "Mandiant Advantage - Collect Threat Intelligence from products within the Mandiant Advantage platform. - Mandiant Threat Intelligence" + }, + { + "title": "Fortinet FortiClient Logs", + "id": "fortinet_forticlient", + "description": "Collect logs from Fortinet FortiClient instances with Elastic Agent.", + "data_streams": [ + { + "dataset": "log", + "index_pattern": "logs-fortinet_forticlient.log-*", + "title": "Fortinet FortiClient Endpoint Security logs" + } + ], + "elser_embedding": "Fortinet FortiClient Logs - Collect logs from Fortinet FortiClient instances with Elastic Agent. - Fortinet FortiClient Endpoint Security logs" + }, + { + "title": "AWS Fargate (for ECS clusters)", + "id": "awsfargate", + "description": "Collects metrics from containers and tasks running on Amazon ECS clusters with Elastic Agent.", + "data_streams": [ + { + "dataset": "task_stats", + "index_pattern": "logs-awsfargate.task_stats-*", + "title": "AWS Fargate task_stats metrics" + } + ], + "elser_embedding": "AWS Fargate (for ECS clusters) - Collects metrics from containers and tasks running on Amazon ECS clusters with Elastic Agent. - AWS Fargate task_stats metrics" + }, + { + "title": "Azure Network Watcher VNet", + "id": "azure_network_watcher_vnet", + "description": "Collect logs from Azure Network Watcher VNet with Elastic Agent.", + "data_streams": [ + { + "dataset": "log", + "index_pattern": "logs-azure_network_watcher_vnet.log-*", + "title": "Collect VNet logs from Azure Network Watcher" + } + ], + "elser_embedding": "Azure Network Watcher VNet - Collect logs from Azure Network Watcher VNet with Elastic Agent. - Collect VNet logs from Azure Network Watcher" + }, + { + "title": "Osquery Logs", + "id": "osquery", + "description": "Collect logs from Osquery with Elastic Agent.", + "data_streams": [ + { + "dataset": "result", + "index_pattern": "logs-osquery.result-*", + "title": "Osquery result logs" + } + ], + "elser_embedding": "Osquery Logs - Collect logs from Osquery with Elastic Agent. - Osquery result logs" + }, + { + "title": "Pleasant Password Server", + "id": "pps", + "description": "Integration for Pleasant Password Server Syslog Messages", + "data_streams": [ + { + "dataset": "log", + "index_pattern": "logs-pps.log-*", + "title": "Pleasant Password Server logs" + } + ], + "elser_embedding": "Pleasant Password Server - Integration for Pleasant Password Server Syslog Messages - Pleasant Password Server logs" + }, + { + "title": "Bravura Monitor", + "id": "hid_bravura_monitor", + "description": "Collect logs from Bravura Security Fabric with Elastic Agent.", + "data_streams": [ + { + "dataset": "winlog", + "index_pattern": "logs-hid_bravura_monitor.winlog-*", + "title": "Bravura Security Fabric logs" + }, + { + "dataset": "log", + "index_pattern": "logs-hid_bravura_monitor.log-*", + "title": "Bravura Monitor" + } + ], + "elser_embedding": "Bravura Monitor - Collect logs from Bravura Security Fabric with Elastic Agent. - Bravura Security Fabric logs Bravura Monitor" + }, + { + "title": "MISP", + "id": "ti_misp", + "description": "Ingest threat intelligence indicators from MISP platform with Elastic Agent.", + "data_streams": [ + { + "dataset": "threat", + "index_pattern": "logs-ti_misp.threat-*", + "title": "MISP" + }, + { + "dataset": "threat_attributes", + "index_pattern": "logs-ti_misp.threat_attributes-*", + "title": "MISP" + } + ], + "elser_embedding": "MISP - Ingest threat intelligence indicators from MISP platform with Elastic Agent. - MISP MISP" + }, + { + "title": "Redis Enterprise", + "id": "redisenterprise", + "description": "Collect metrics from Redis Enterprise Cluster", + "data_streams": [ + { + "dataset": "node", + "index_pattern": "logs-redisenterprise.node-*", + "title": "node" + }, + { + "dataset": "proxy", + "index_pattern": "logs-redisenterprise.proxy-*", + "title": "proxy" + } + ], + "elser_embedding": "Redis Enterprise - Collect metrics from Redis Enterprise Cluster - node proxy" + }, + { + "title": "Network Packet Capture", + "id": "network_traffic", + "description": "Capture and analyze network traffic from a host with Elastic Agent.", + "data_streams": [ + { + "dataset": "nfs", + "index_pattern": "logs-network_traffic.nfs-*", + "title": "NFS" + }, + { + "dataset": "tls", + "index_pattern": "logs-network_traffic.tls-*", + "title": "TLS" + }, + { + "dataset": "icmp", + "index_pattern": "logs-network_traffic.icmp-*", + "title": "ICMP" + }, + { + "dataset": "cassandra", + "index_pattern": "logs-network_traffic.cassandra-*", + "title": "Cassandra" + }, + { + "dataset": "mongodb", + "index_pattern": "logs-network_traffic.mongodb-*", + "title": "MongoDB" + }, + { + "dataset": "thrift", + "index_pattern": "logs-network_traffic.thrift-*", + "title": "Thrift" + }, + { + "dataset": "flow", + "index_pattern": "logs-network_traffic.flow-*", + "title": "Flows" + }, + { + "dataset": "dhcpv4", + "index_pattern": "logs-network_traffic.dhcpv4-*", + "title": "DHCP" + }, + { + "dataset": "pgsql", + "index_pattern": "logs-network_traffic.pgsql-*", + "title": "PostgreSQL" + }, + { + "dataset": "redis", + "index_pattern": "logs-network_traffic.redis-*", + "title": "Redis" + }, + { + "dataset": "dns", + "index_pattern": "logs-network_traffic.dns-*", + "title": "DNS" + }, + { + "dataset": "sip", + "index_pattern": "logs-network_traffic.sip-*", + "title": "SIP" + }, + { + "dataset": "mysql", + "index_pattern": "logs-network_traffic.mysql-*", + "title": "MySQL" + }, + { + "dataset": "amqp", + "index_pattern": "logs-network_traffic.amqp-*", + "title": "AMQP" + }, + { + "dataset": "http", + "index_pattern": "logs-network_traffic.http-*", + "title": "HTTP" + }, + { + "dataset": "memcached", + "index_pattern": "logs-network_traffic.memcached-*", + "title": "Memcached" + } + ], + "elser_embedding": "Network Packet Capture - Capture and analyze network traffic from a host with Elastic Agent. - NFS TLS ICMP Cassandra MongoDB Thrift Flows DHCP PostgreSQL Redis DNS SIP MySQL AMQP HTTP Memcached" + }, + { + "title": "MySQL Enterprise", + "id": "mysql_enterprise", + "description": "Collect audit logs from MySQL Enterprise with Elastic Agent.", + "data_streams": [ + { + "dataset": "audit", + "index_pattern": "logs-mysql_enterprise.audit-*", + "title": "MySQL Enterprise Audit Log" + } + ], + "elser_embedding": "MySQL Enterprise - Collect audit logs from MySQL Enterprise with Elastic Agent. - MySQL Enterprise Audit Log" + }, + { + "title": "GitHub", + "id": "github", + "description": "Collect logs from GitHub with Elastic Agent.", + "data_streams": [ + { + "dataset": "dependabot", + "index_pattern": "logs-github.dependabot-*", + "title": "GHAS Dependabot" + }, + { + "dataset": "issues", + "index_pattern": "logs-github.issues-*", + "title": "Github Issue" + }, + { + "dataset": "secret_scanning", + "index_pattern": "logs-github.secret_scanning-*", + "title": "GHAS Secret Scanning" + }, + { + "dataset": "audit", + "index_pattern": "logs-github.audit-*", + "title": "GitHub Audit Logs" + }, + { + "dataset": "code_scanning", + "index_pattern": "logs-github.code_scanning-*", + "title": "GHAS Code Scanning" + } + ], + "elser_embedding": "GitHub - Collect logs from GitHub with Elastic Agent. - GHAS Dependabot Github Issue GHAS Secret Scanning GitHub Audit Logs GHAS Code Scanning" + }, + { + "title": "Microsoft Entra ID Entity Analytics", + "id": "entityanalytics_entra_id", + "description": "Collect identities from Microsoft Entra ID (formerly Azure Active Directory) with Elastic Agent.", + "data_streams": [ + { + "dataset": "device", + "index_pattern": "logs-entityanalytics_entra_id.device-*", + "title": "Microsoft Entra ID Entity Analytics Device Events" + }, + { + "dataset": "user", + "index_pattern": "logs-entityanalytics_entra_id.user-*", + "title": "Microsoft Entra ID Entity Analytics User Events" + }, + { + "dataset": "entity", + "index_pattern": "logs-entityanalytics_entra_id.entity-*", + "title": "Identities" + } + ], + "elser_embedding": "Microsoft Entra ID Entity Analytics - Collect identities from Microsoft Entra ID (formerly Azure Active Directory) with Elastic Agent. - Microsoft Entra ID Entity Analytics Device Events Microsoft Entra ID Entity Analytics User Events Identities" + }, + { + "title": "ThreatConnect", + "id": "ti_threatconnect", + "description": "Collects Indicators from ThreatConnect using the Elastic Agent and saves them as logs inside Elastic", + "data_streams": [ + { + "dataset": "indicator", + "index_pattern": "logs-ti_threatconnect.indicator-*", + "title": "Collect Indicators from ThreatConnect." + } + ], + "elser_embedding": "ThreatConnect - Collects Indicators from ThreatConnect using the Elastic Agent and saves them as logs inside Elastic - Collect Indicators from ThreatConnect." + }, + { + "title": "Microsoft Sentinel", + "id": "microsoft_sentinel", + "description": "Collect logs from Microsoft Sentinel with Elastic Agent.", + "data_streams": [ + { + "dataset": "alert", + "index_pattern": "logs-microsoft_sentinel.alert-*", + "title": "Microsoft Sentinel Alert logs" + }, + { + "dataset": "incident", + "index_pattern": "logs-microsoft_sentinel.incident-*", + "title": "Microsoft Sentinel Incident logs" + }, + { + "dataset": "event", + "index_pattern": "logs-microsoft_sentinel.event-*", + "title": "Collect Events from Microsoft Sentinel." + } + ], + "elser_embedding": "Microsoft Sentinel - Collect logs from Microsoft Sentinel with Elastic Agent. - Microsoft Sentinel Alert logs Microsoft Sentinel Incident logs Collect Events from Microsoft Sentinel." + }, + { + "title": "Check Point", + "id": "checkpoint", + "description": "Collect logs from Check Point with Elastic Agent.", + "data_streams": [ + { + "dataset": "firewall", + "index_pattern": "logs-checkpoint.firewall-*", + "title": "Check Point firewall logs" + } + ], + "elser_embedding": "Check Point - Collect logs from Check Point with Elastic Agent. - Check Point firewall logs" + }, + { + "title": "WatchGuard Firebox", + "id": "watchguard_firebox", + "description": "Collect logs from WatchGuard Firebox with Elastic Agent.", + "data_streams": [ + { + "dataset": "log", + "index_pattern": "logs-watchguard_firebox.log-*", + "title": "WatchGuard Firebox logs" + } + ], + "elser_embedding": "WatchGuard Firebox - Collect logs from WatchGuard Firebox with Elastic Agent. - WatchGuard Firebox logs" + }, + { + "title": "Nagios XI", + "id": "nagios_xi", + "description": "Collect Logs and Metrics from Nagios XI with Elastic Agent.", + "data_streams": [ + { + "dataset": "host", + "index_pattern": "logs-nagios_xi.host-*", + "title": "Host" + }, + { + "dataset": "events", + "index_pattern": "logs-nagios_xi.events-*", + "title": "Events" + }, + { + "dataset": "service", + "index_pattern": "logs-nagios_xi.service-*", + "title": "Service" + } + ], + "elser_embedding": "Nagios XI - Collect Logs and Metrics from Nagios XI with Elastic Agent. - Host Events Service" + }, + { + "title": "Atlassian Jira", + "id": "atlassian_jira", + "description": "Collect logs from Atlassian Jira with Elastic Agent.", + "data_streams": [ + { + "dataset": "audit", + "index_pattern": "logs-atlassian_jira.audit-*", + "title": "Jira Audit Logs" + } + ], + "elser_embedding": "Atlassian Jira - Collect logs from Atlassian Jira with Elastic Agent. - Jira Audit Logs" + }, + { + "title": "Snyk", + "id": "snyk", + "description": "Collect logs from Snyk with Elastic Agent.", + "data_streams": [ + { + "dataset": "issues", + "index_pattern": "logs-snyk.issues-*", + "title": "Collect Snyk Issues Data" + }, + { + "dataset": "audit", + "index_pattern": "logs-snyk.audit-*", + "title": "Collect Snyk Audit Logs" + }, + { + "dataset": "audit_logs", + "index_pattern": "logs-snyk.audit_logs-*", + "title": "Collect Snyk Audit Logs" + }, + { + "dataset": "vulnerabilities", + "index_pattern": "logs-snyk.vulnerabilities-*", + "title": "Collect Snyk Vulnerability Data" + } + ], + "elser_embedding": "Snyk - Collect logs from Snyk with Elastic Agent. - Collect Snyk Issues Data Collect Snyk Audit Logs Collect Snyk Audit Logs Collect Snyk Vulnerability Data" + }, + { + "title": "Google Cloud Platform", + "id": "gcp", + "description": "Collect logs and metrics from Google Cloud Platform with Elastic Agent.", + "data_streams": [ + { + "dataset": "compute", + "index_pattern": "logs-gcp.compute-*", + "title": "GCP Compute Metrics" + }, + { + "dataset": "pubsub", + "index_pattern": "logs-gcp.pubsub-*", + "title": "GCP PubSub Metrics" + }, + { + "dataset": "cloudsql_postgresql", + "index_pattern": "logs-gcp.cloudsql_postgresql-*", + "title": "GCP CloudSQL PostgreSQL Metrics" + }, + { + "dataset": "billing", + "index_pattern": "logs-gcp.billing-*", + "title": "GCP Billing Metrics" + }, + { + "dataset": "loadbalancing_metrics", + "index_pattern": "logs-gcp.loadbalancing_metrics-*", + "title": "GCP Load Balancing Metrics" + }, + { + "dataset": "cloudrun_metrics", + "index_pattern": "logs-gcp.cloudrun_metrics-*", + "title": "GCP Cloud Run Metrics" + }, + { + "dataset": "audit", + "index_pattern": "logs-gcp.audit-*", + "title": "Google Cloud Platform (GCP) audit logs" + }, + { + "dataset": "dataproc", + "index_pattern": "logs-gcp.dataproc-*", + "title": "GCP Dataproc Metrics" + }, + { + "dataset": "redis", + "index_pattern": "logs-gcp.redis-*", + "title": "GCP Redis Metrics" + }, + { + "dataset": "cloudsql_mysql", + "index_pattern": "logs-gcp.cloudsql_mysql-*", + "title": "GCP CloudSQL MySQL Metrics" + }, + { + "dataset": "dns", + "index_pattern": "logs-gcp.dns-*", + "title": "Google Cloud Platform (GCP) DNS logs" + }, + { + "dataset": "cloudsql_sqlserver", + "index_pattern": "logs-gcp.cloudsql_sqlserver-*", + "title": "GCP CloudSQL SQL Server Metrics" + }, + { + "dataset": "storage", + "index_pattern": "logs-gcp.storage-*", + "title": "GCP Storage Metrics" + }, + { + "dataset": "gke", + "index_pattern": "logs-gcp.gke-*", + "title": "GCP GKE Metrics" + }, + { + "dataset": "vpcflow", + "index_pattern": "logs-gcp.vpcflow-*", + "title": "Google Cloud Platform (GCP) vpcflow logs" + }, + { + "dataset": "loadbalancing_logs", + "index_pattern": "logs-gcp.loadbalancing_logs-*", + "title": "Google Cloud Platform (GCP) Load Balancing logs" + }, + { + "dataset": "firestore", + "index_pattern": "logs-gcp.firestore-*", + "title": "GCP Firestore Metrics" + }, + { + "dataset": "firewall", + "index_pattern": "logs-gcp.firewall-*", + "title": "Google Cloud Platform (GCP) firewall logs" + } + ], + "elser_embedding": "Google Cloud Platform - Collect logs and metrics from Google Cloud Platform with Elastic Agent. - GCP Compute Metrics GCP PubSub Metrics GCP CloudSQL PostgreSQL Metrics GCP Billing Metrics GCP Load Balancing Metrics GCP Cloud Run Metrics Google Cloud Platform (GCP) audit logs GCP Dataproc Metrics GCP Redis Metrics GCP CloudSQL MySQL Metrics Google Cloud Platform (GCP) DNS logs GCP CloudSQL SQL Server Metrics GCP Storage Metrics GCP GKE Metrics Google Cloud Platform (GCP) vpcflow logs Google Cloud Platform (GCP) Load Balancing logs GCP Firestore Metrics Google Cloud Platform (GCP) firewall logs" + }, + { + "title": "Logstash", + "id": "logstash", + "description": "Collect logs and metrics from Logstash with Elastic Agent.", + "data_streams": [ + { + "dataset": "node_cel", + "index_pattern": "logs-logstash.node_cel-*", + "title": "Logstash Node Stats" + }, + { + "dataset": "pipeline", + "index_pattern": "logs-logstash.pipeline-*", + "title": "Logstash pipeline" + }, + { + "dataset": "plugins", + "index_pattern": "logs-logstash.plugins-*", + "title": "Logstash plugins" + }, + { + "dataset": "node_stats", + "index_pattern": "logs-logstash.node_stats-*", + "title": "Logstash node_stats metrics" + }, + { + "dataset": "slowlog", + "index_pattern": "logs-logstash.slowlog-*", + "title": "logstash slowlog logs" + }, + { + "dataset": "log", + "index_pattern": "logs-logstash.log-*", + "title": "Logstash logs" + }, + { + "dataset": "node", + "index_pattern": "logs-logstash.node-*", + "title": "Logstash node metrics" + } + ], + "elser_embedding": "Logstash - Collect logs and metrics from Logstash with Elastic Agent. - Logstash Node Stats Logstash pipeline Logstash plugins Logstash node_stats metrics logstash slowlog logs Logstash logs Logstash node metrics" + }, + { + "title": "Palo Alto Prisma Access", + "id": "prisma_access", + "description": "Collect logs from Palo Alto Prisma Access with Elastic Agent.", + "data_streams": [ + { + "dataset": "event", + "index_pattern": "logs-prisma_access.event-*", + "title": "Collect Events from Palo Alto Prisma Access" + } + ], + "elser_embedding": "Palo Alto Prisma Access - Collect logs from Palo Alto Prisma Access with Elastic Agent. - Collect Events from Palo Alto Prisma Access" + }, + { + "title": "Barracuda CloudGen Firewall Logs", + "id": "barracuda_cloudgen_firewall", + "description": "Collect logs from Barracuda CloudGen Firewall devices with Elastic Agent.", + "data_streams": [ + { + "dataset": "log", + "index_pattern": "logs-barracuda_cloudgen_firewall.log-*", + "title": "Barracuda CloudGen Firewall Logs" + } + ], + "elser_embedding": "Barracuda CloudGen Firewall Logs - Collect logs from Barracuda CloudGen Firewall devices with Elastic Agent. - Barracuda CloudGen Firewall Logs" + }, + { + "title": "Jamf Pro", + "id": "jamf_pro", + "description": "Collect logs and inventory data from Jamf Pro with Elastic Agent", + "data_streams": [ + { + "dataset": "inventory", + "index_pattern": "logs-jamf_pro.inventory-*", + "title": "Inventory data" + }, + { + "dataset": "events", + "index_pattern": "logs-jamf_pro.events-*", + "title": "Jamf Pro Events" + } + ], + "elser_embedding": "Jamf Pro - Collect logs and inventory data from Jamf Pro with Elastic Agent - Inventory data Jamf Pro Events" + }, + { + "title": "Fortinet FortiManager Logs", + "id": "fortinet_fortimanager", + "description": "Collect logs from Fortinet FortiManager instances with Elastic Agent.", + "data_streams": [ + { + "dataset": "log", + "index_pattern": "logs-fortinet_fortimanager.log-*", + "title": "Collect logs from Fortinet FortiManager" + } + ], + "elser_embedding": "Fortinet FortiManager Logs - Collect logs from Fortinet FortiManager instances with Elastic Agent. - Collect logs from Fortinet FortiManager" + }, + { + "title": "Elastic APM", + "id": "apm", + "description": "Monitor, detect, and diagnose complex application performance issues.", + "data_streams": [], + "elser_embedding": "Elastic APM - Monitor, detect, and diagnose complex application performance issues. - " + }, + { + "title": "AlienVault OTX", + "id": "ti_otx", + "description": "Ingest threat intelligence indicators from AlienVault Open Threat Exchange (OTX) with Elastic Agent.", + "data_streams": [ + { + "dataset": "pulses_subscribed", + "index_pattern": "logs-ti_otx.pulses_subscribed-*", + "title": "Alienvault OTX Subcribed Pulses" + }, + { + "dataset": "threat", + "index_pattern": "logs-ti_otx.threat-*", + "title": "Alienvault OTX logs" + } + ], + "elser_embedding": "AlienVault OTX - Ingest threat intelligence indicators from AlienVault Open Threat Exchange (OTX) with Elastic Agent. - Alienvault OTX Subcribed Pulses Alienvault OTX logs" + }, + { + "title": "Check Point", + "id": "checkpoint", + "description": "Collect logs from Check Point with Elastic Agent.", + "data_streams": [ + { + "dataset": "firewall", + "index_pattern": "logs-checkpoint.firewall-*", + "title": "Check Point firewall logs" + } + ], + "elser_embedding": "Check Point - Collect logs from Check Point with Elastic Agent. - Check Point firewall logs" + }, + { + "title": "Kubernetes OpenTelemetry Assets", + "id": "kubernetes_otel", + "description": "Utilise the pre-built dashboard for OTel-native metrics and events collected from a Kubernetes cluster", + "data_streams": [], + "elser_embedding": "Kubernetes OpenTelemetry Assets - Utilise the pre-built dashboard for OTel-native metrics and events collected from a Kubernetes cluster - " + }, + { + "title": "EclecticIQ", + "id": "ti_eclecticiq", + "description": "Ingest threat intelligence from EclecticIQ with Elastic Agent", + "data_streams": [ + { + "dataset": "threat", + "index_pattern": "logs-ti_eclecticiq.threat-*", + "title": "Poll Outgoing feed" + } + ], + "elser_embedding": "EclecticIQ - Ingest threat intelligence from EclecticIQ with Elastic Agent - Poll Outgoing feed" + }, + { + "title": "Lumos", + "id": "lumos", + "description": "An integration with Lumos to ship your Activity logs to your Elastic instance.", + "data_streams": [ + { + "dataset": "activity_logs", + "index_pattern": "logs-lumos.activity_logs-*", + "title": "Lumos Activity Logs" + } + ], + "elser_embedding": "Lumos - An integration with Lumos to ship your Activity logs to your Elastic instance. - Lumos Activity Logs" + }, + { + "title": "Anomali", + "id": "ti_anomali", + "description": "Ingest threat intelligence indicators from Anomali with Elastic Agent.", + "data_streams": [ + { + "dataset": "threatstream", + "index_pattern": "logs-ti_anomali.threatstream-*", + "title": "Anomali ThreatStream" + }, + { + "dataset": "intelligence", + "index_pattern": "logs-ti_anomali.intelligence-*", + "title": "Anomali ThreatStream" + } + ], + "elser_embedding": "Anomali - Ingest threat intelligence indicators from Anomali with Elastic Agent. - Anomali ThreatStream Anomali ThreatStream" + }, + { + "title": "Jolokia Input", + "id": "jolokia", + "description": "Collects Metrics from Jolokia Agents", + "data_streams": [], + "elser_embedding": "Jolokia Input - Collects Metrics from Jolokia Agents - " + }, + { + "title": "Sysdig", + "id": "sysdig", + "description": "Collect alerts from Sysdig using Elastic Agent.", + "data_streams": [ + { + "dataset": "alerts", + "index_pattern": "logs-sysdig.alerts-*", + "title": "Sysdig" + } + ], + "elser_embedding": "Sysdig - Collect alerts from Sysdig using Elastic Agent. - Sysdig" + }, + { + "title": "Pulse Connect Secure", + "id": "pulse_connect_secure", + "description": "Collect logs from Pulse Connect Secure with Elastic Agent.", + "data_streams": [ + { + "dataset": "log", + "index_pattern": "logs-pulse_connect_secure.log-*", + "title": "Pulse Connect Secure" + } + ], + "elser_embedding": "Pulse Connect Secure - Collect logs from Pulse Connect Secure with Elastic Agent. - Pulse Connect Secure" + }, + { + "title": "Zeek", + "id": "zeek", + "description": "Collect logs from Zeek with Elastic Agent.", + "data_streams": [ + { + "dataset": "x509", + "index_pattern": "logs-zeek.x509-*", + "title": "Zeek x509 logs" + }, + { + "dataset": "software", + "index_pattern": "logs-zeek.software-*", + "title": "Zeek software logs" + }, + { + "dataset": "traceroute", + "index_pattern": "logs-zeek.traceroute-*", + "title": "Zeek traceroute logs" + }, + { + "dataset": "capture_loss", + "index_pattern": "logs-zeek.capture_loss-*", + "title": "Zeek capture_loss logs" + }, + { + "dataset": "smb_cmd", + "index_pattern": "logs-zeek.smb_cmd-*", + "title": "Zeek smb_cmd logs" + }, + { + "dataset": "snmp", + "index_pattern": "logs-zeek.snmp-*", + "title": "Zeek snmp logs" + }, + { + "dataset": "irc", + "index_pattern": "logs-zeek.irc-*", + "title": "Zeek irc logs" + }, + { + "dataset": "intel", + "index_pattern": "logs-zeek.intel-*", + "title": "Zeek intel logs" + }, + { + "dataset": "pe", + "index_pattern": "logs-zeek.pe-*", + "title": "Zeek pe logs" + }, + { + "dataset": "known_services", + "index_pattern": "logs-zeek.known_services-*", + "title": "Zeek Known Services logs" + }, + { + "dataset": "radius", + "index_pattern": "logs-zeek.radius-*", + "title": "Zeek radius logs" + }, + { + "dataset": "modbus", + "index_pattern": "logs-zeek.modbus-*", + "title": "Zeek modbus logs" + }, + { + "dataset": "tunnel", + "index_pattern": "logs-zeek.tunnel-*", + "title": "Zeek tunnel logs" + }, + { + "dataset": "stats", + "index_pattern": "logs-zeek.stats-*", + "title": "Zeek stats logs" + }, + { + "dataset": "smb_files", + "index_pattern": "logs-zeek.smb_files-*", + "title": "Zeek smb_files logs" + }, + { + "dataset": "ocsp", + "index_pattern": "logs-zeek.ocsp-*", + "title": "Zeek ocsp logs" + }, + { + "dataset": "connection", + "index_pattern": "logs-zeek.connection-*", + "title": "Zeek connection logs" + }, + { + "dataset": "kerberos", + "index_pattern": "logs-zeek.kerberos-*", + "title": "Zeek kerberos logs" + }, + { + "dataset": "weird", + "index_pattern": "logs-zeek.weird-*", + "title": "Zeek weird logs" + }, + { + "dataset": "smb_mapping", + "index_pattern": "logs-zeek.smb_mapping-*", + "title": "Zeek smb_mapping logs" + }, + { + "dataset": "signature", + "index_pattern": "logs-zeek.signature-*", + "title": "Zeek signature logs" + }, + { + "dataset": "ntp", + "index_pattern": "logs-zeek.ntp-*", + "title": "Zeek ntp logs" + }, + { + "dataset": "dns", + "index_pattern": "logs-zeek.dns-*", + "title": "Zeek dns logs" + }, + { + "dataset": "dpd", + "index_pattern": "logs-zeek.dpd-*", + "title": "Zeek dpd logs" + }, + { + "dataset": "dhcp", + "index_pattern": "logs-zeek.dhcp-*", + "title": "Zeek dhcp logs" + }, + { + "dataset": "notice", + "index_pattern": "logs-zeek.notice-*", + "title": "Zeek notice logs" + }, + { + "dataset": "files", + "index_pattern": "logs-zeek.files-*", + "title": "Zeek files logs" + }, + { + "dataset": "ntlm", + "index_pattern": "logs-zeek.ntlm-*", + "title": "Zeek ntlm logs" + }, + { + "dataset": "known_certs", + "index_pattern": "logs-zeek.known_certs-*", + "title": "Zeek Known Certs logs" + }, + { + "dataset": "sip", + "index_pattern": "logs-zeek.sip-*", + "title": "Zeek sip logs" + }, + { + "dataset": "rdp", + "index_pattern": "logs-zeek.rdp-*", + "title": "Zeek rdp logs" + }, + { + "dataset": "mysql", + "index_pattern": "logs-zeek.mysql-*", + "title": "Zeek mysql logs" + }, + { + "dataset": "rfb", + "index_pattern": "logs-zeek.rfb-*", + "title": "Zeek rfb logs" + }, + { + "dataset": "ssh", + "index_pattern": "logs-zeek.ssh-*", + "title": "Zeek ssh logs" + }, + { + "dataset": "syslog", + "index_pattern": "logs-zeek.syslog-*", + "title": "Zeek syslog logs" + }, + { + "dataset": "http", + "index_pattern": "logs-zeek.http-*", + "title": "Zeek http logs" + }, + { + "dataset": "ssl", + "index_pattern": "logs-zeek.ssl-*", + "title": "Zeek ssl logs" + }, + { + "dataset": "socks", + "index_pattern": "logs-zeek.socks-*", + "title": "Zeek socks logs" + }, + { + "dataset": "smtp", + "index_pattern": "logs-zeek.smtp-*", + "title": "Zeek smtp logs" + }, + { + "dataset": "ftp", + "index_pattern": "logs-zeek.ftp-*", + "title": "Zeek ftp logs" + }, + { + "dataset": "known_hosts", + "index_pattern": "logs-zeek.known_hosts-*", + "title": "Zeek Known Hosts logs" + }, + { + "dataset": "dnp3", + "index_pattern": "logs-zeek.dnp3-*", + "title": "Zeek dnp3 logs" + }, + { + "dataset": "dce_rpc", + "index_pattern": "logs-zeek.dce_rpc-*", + "title": "Zeek dce_rpc logs" + } + ], + "elser_embedding": "Zeek - Collect logs from Zeek with Elastic Agent. - Zeek x509 logs Zeek software logs Zeek traceroute logs Zeek capture_loss logs Zeek smb_cmd logs Zeek snmp logs Zeek irc logs Zeek intel logs Zeek pe logs Zeek Known Services logs Zeek radius logs Zeek modbus logs Zeek tunnel logs Zeek stats logs Zeek smb_files logs Zeek ocsp logs Zeek connection logs Zeek kerberos logs Zeek weird logs Zeek smb_mapping logs Zeek signature logs Zeek ntp logs Zeek dns logs Zeek dpd logs Zeek dhcp logs Zeek notice logs Zeek files logs Zeek ntlm logs Zeek Known Certs logs Zeek sip logs Zeek rdp logs Zeek mysql logs Zeek rfb logs Zeek ssh logs Zeek syslog logs Zeek http logs Zeek ssl logs Zeek socks logs Zeek smtp logs Zeek ftp logs Zeek Known Hosts logs Zeek dnp3 logs Zeek dce_rpc logs" + }, + { + "title": "CrowdStrike", + "id": "crowdstrike", + "description": "Collect logs from Crowdstrike with Elastic Agent.", + "data_streams": [ + { + "dataset": "fdr", + "index_pattern": "logs-crowdstrike.fdr-*", + "title": "Falcon Data Replicator" + }, + { + "dataset": "host", + "index_pattern": "logs-crowdstrike.host-*", + "title": "Collect Host logs from CrowdStrike." + }, + { + "dataset": "alert", + "index_pattern": "logs-crowdstrike.alert-*", + "title": "Collect Alert logs from CrowdStrike." + }, + { + "dataset": "falcon", + "index_pattern": "logs-crowdstrike.falcon-*", + "title": "Crowdstrike falcon logs" + } + ], + "elser_embedding": "CrowdStrike - Collect logs from Crowdstrike with Elastic Agent. - Falcon Data Replicator Collect Host logs from CrowdStrike. Collect Alert logs from CrowdStrike. Crowdstrike falcon logs" + }, + { + "title": "Fortinet FortiGate Firewall Logs", + "id": "fortinet_fortigate", + "description": "Collect logs from Fortinet FortiGate firewalls with Elastic Agent.", + "data_streams": [ + { + "dataset": "log", + "index_pattern": "logs-fortinet_fortigate.log-*", + "title": "Fortinet FortiGate logs" + } + ], + "elser_embedding": "Fortinet FortiGate Firewall Logs - Collect logs from Fortinet FortiGate firewalls with Elastic Agent. - Fortinet FortiGate logs" + }, + { + "title": "Active Directory Entity Analytics", + "id": "entityanalytics_ad", + "description": "Collect User Identities from Active Directory Entity with Elastic Agent.", + "data_streams": [ + { + "dataset": "user", + "index_pattern": "logs-entityanalytics_ad.user-*", + "title": "Collect User Identities logs from Active Directory" + } + ], + "elser_embedding": "Active Directory Entity Analytics - Collect User Identities from Active Directory Entity with Elastic Agent. - Collect User Identities logs from Active Directory" + }, + { + "title": "Arista NG Firewall", + "id": "arista_ngfw", + "description": "Collect logs and metrics from Arista NG Firewall.", + "data_streams": [ + { + "dataset": "log", + "index_pattern": "logs-arista_ngfw.log-*", + "title": "Firewall Event" + } + ], + "elser_embedding": "Arista NG Firewall - Collect logs and metrics from Arista NG Firewall. - Firewall Event" + }, + { + "title": "Proofpoint TAP", + "id": "proofpoint_tap", + "description": "Collect logs from Proofpoint TAP with Elastic Agent.", + "data_streams": [ + { + "dataset": "message_blocked", + "index_pattern": "logs-proofpoint_tap.message_blocked-*", + "title": "Message Blocked" + }, + { + "dataset": "clicks_blocked", + "index_pattern": "logs-proofpoint_tap.clicks_blocked-*", + "title": "Clicks Blocked" + }, + { + "dataset": "clicks_permitted", + "index_pattern": "logs-proofpoint_tap.clicks_permitted-*", + "title": "Clicks Permitted" + }, + { + "dataset": "message_delivered", + "index_pattern": "logs-proofpoint_tap.message_delivered-*", + "title": "Message Delivered" + } + ], + "elser_embedding": "Proofpoint TAP - Collect logs from Proofpoint TAP with Elastic Agent. - Message Blocked Clicks Blocked Clicks Permitted Message Delivered" + }, + { + "title": "BitDefender", + "id": "bitdefender", + "description": "Ingest BitDefender GravityZone logs and data", + "data_streams": [ + { + "dataset": "push_statistics", + "index_pattern": "logs-bitdefender.push_statistics-*", + "title": "BitDefender GravityZone Push Notification Statistics" + }, + { + "dataset": "push_configuration", + "index_pattern": "logs-bitdefender.push_configuration-*", + "title": "BitDefender GravityZone Push Notification Configuration" + }, + { + "dataset": "push_notifications", + "index_pattern": "logs-bitdefender.push_notifications-*", + "title": "BitDefender GravityZone Push Notifications" + } + ], + "elser_embedding": "BitDefender - Ingest BitDefender GravityZone logs and data - BitDefender GravityZone Push Notification Statistics BitDefender GravityZone Push Notification Configuration BitDefender GravityZone Push Notifications" + }, + { + "title": "Redis", + "id": "redis", + "description": "Collect logs and metrics from Redis servers with Elastic Agent.", + "data_streams": [ + { + "dataset": "keyspace", + "index_pattern": "logs-redis.keyspace-*", + "title": "Redis keyspace metrics" + }, + { + "dataset": "key", + "index_pattern": "logs-redis.key-*", + "title": "Redis key metrics" + }, + { + "dataset": "info", + "index_pattern": "logs-redis.info-*", + "title": "Redis info metrics" + }, + { + "dataset": "slowlog", + "index_pattern": "logs-redis.slowlog-*", + "title": "Redis slow logs" + }, + { + "dataset": "log", + "index_pattern": "logs-redis.log-*", + "title": "Redis application logs" + } + ], + "elser_embedding": "Redis - Collect logs and metrics from Redis servers with Elastic Agent. - Redis keyspace metrics Redis key metrics Redis info metrics Redis slow logs Redis application logs" + }, + { + "title": "Cisco Duo", + "id": "cisco_duo", + "description": "Collect logs from Cisco Duo with Elastic Agent.", + "data_streams": [ + { + "dataset": "summary", + "index_pattern": "logs-cisco_duo.summary-*", + "title": "Cisco Duo summary logs" + }, + { + "dataset": "admin", + "index_pattern": "logs-cisco_duo.admin-*", + "title": "Cisco Duo administrator logs" + }, + { + "dataset": "telephony", + "index_pattern": "logs-cisco_duo.telephony-*", + "title": "Cisco Duo telephony logs (legacy)" + }, + { + "dataset": "telephony_v2", + "index_pattern": "logs-cisco_duo.telephony_v2-*", + "title": "Cisco Duo telephony logs" + }, + { + "dataset": "auth", + "index_pattern": "logs-cisco_duo.auth-*", + "title": "Cisco Duo authentication logs" + }, + { + "dataset": "trust_monitor", + "index_pattern": "logs-cisco_duo.trust_monitor-*", + "title": "Cisco Duo trust monitor logs" + }, + { + "dataset": "activity", + "index_pattern": "logs-cisco_duo.activity-*", + "title": "Cisco Duo activity logs" + }, + { + "dataset": "offline_enrollment", + "index_pattern": "logs-cisco_duo.offline_enrollment-*", + "title": "Cisco Duo offline enrollment logs" + } + ], + "elser_embedding": "Cisco Duo - Collect logs from Cisco Duo with Elastic Agent. - Cisco Duo summary logs Cisco Duo administrator logs Cisco Duo telephony logs (legacy) Cisco Duo telephony logs Cisco Duo authentication logs Cisco Duo trust monitor logs Cisco Duo activity logs Cisco Duo offline enrollment logs" + }, + { + "title": "Elasticsearch", + "id": "elasticsearch", + "description": "Elasticsearch Integration", + "data_streams": [ + { + "dataset": "index_recovery", + "index_pattern": "logs-elasticsearch.index_recovery-*", + "title": "Elasticsearch index_recovery metrics" + }, + { + "dataset": "shard", + "index_pattern": "logs-elasticsearch.shard-*", + "title": "Elasticsearch shard metrics" + }, + { + "dataset": "ingest_pipeline", + "index_pattern": "logs-elasticsearch.ingest_pipeline-*", + "title": "Elasticsearch ingest metrics" + }, + { + "dataset": "enrich", + "index_pattern": "logs-elasticsearch.enrich-*", + "title": "Elasticsearch enrich metrics" + }, + { + "dataset": "audit", + "index_pattern": "logs-elasticsearch.audit-*", + "title": "Elasticsearch audit logs" + }, + { + "dataset": "server", + "index_pattern": "logs-elasticsearch.server-*", + "title": "Elasticsearch server logs" + }, + { + "dataset": "node_stats", + "index_pattern": "logs-elasticsearch.node_stats-*", + "title": "Elasticsearch node_stats metrics" + }, + { + "dataset": "index_summary", + "index_pattern": "logs-elasticsearch.index_summary-*", + "title": "Elasticsearch index_summary metrics" + }, + { + "dataset": "deprecation", + "index_pattern": "logs-elasticsearch.deprecation-*", + "title": "Elasticsearch deprecation logs" + }, + { + "dataset": "index", + "index_pattern": "logs-elasticsearch.index-*", + "title": "Elasticsearch index metrics" + }, + { + "dataset": "slowlog", + "index_pattern": "logs-elasticsearch.slowlog-*", + "title": "Elasticsearch slowlog logs" + }, + { + "dataset": "pending_tasks", + "index_pattern": "logs-elasticsearch.pending_tasks-*", + "title": "Elasticsearch pending_tasks metrics" + }, + { + "dataset": "ccr", + "index_pattern": "logs-elasticsearch.ccr-*", + "title": "Elasticsearch ccr metrics" + }, + { + "dataset": "node", + "index_pattern": "logs-elasticsearch.node-*", + "title": "Elasticsearch node metrics" + }, + { + "dataset": "cluster_stats", + "index_pattern": "logs-elasticsearch.cluster_stats-*", + "title": "Elasticsearch cluster_stats metrics" + }, + { + "dataset": "gc", + "index_pattern": "logs-elasticsearch.gc-*", + "title": "Elasticsearch gc logs" + }, + { + "dataset": "ml_job", + "index_pattern": "logs-elasticsearch.ml_job-*", + "title": "Elasticsearch ml_job metrics" + } + ], + "elser_embedding": "Elasticsearch - Elasticsearch Integration - Elasticsearch index_recovery metrics Elasticsearch shard metrics Elasticsearch ingest metrics Elasticsearch enrich metrics Elasticsearch audit logs Elasticsearch server logs Elasticsearch node_stats metrics Elasticsearch index_summary metrics Elasticsearch deprecation logs Elasticsearch index metrics Elasticsearch slowlog logs Elasticsearch pending_tasks metrics Elasticsearch ccr metrics Elasticsearch node metrics Elasticsearch cluster_stats metrics Elasticsearch gc logs Elasticsearch ml_job metrics" + }, + { + "title": "Universal Profiling Agent", + "id": "profiler_agent", + "description": "Fleet-wide, whole-system, continuous profiling with zero instrumentation.", + "data_streams": [], + "elser_embedding": "Universal Profiling Agent - Fleet-wide, whole-system, continuous profiling with zero instrumentation. - " + }, + { + "title": "Check Point Harmony Email & Collaboration", + "id": "checkpoint_email", + "description": "Collect logs from Check Point Harmony Email & Collaboration with Elastic Agent.", + "data_streams": [ + { + "dataset": "event", + "index_pattern": "logs-checkpoint_email.event-*", + "title": "Check Point Harmony Email & Collaboration Event logs" + } + ], + "elser_embedding": "Check Point Harmony Email & Collaboration - Collect logs from Check Point Harmony Email & Collaboration with Elastic Agent. - Check Point Harmony Email & Collaboration Event logs" + }, + { + "title": "Apache HTTP Server", + "id": "apache", + "description": "Collect logs and metrics from Apache servers with Elastic Agent.", + "data_streams": [ + { + "dataset": "access", + "index_pattern": "logs-apache.access-*", + "title": "Apache access logs" + }, + { + "dataset": "error", + "index_pattern": "logs-apache.error-*", + "title": "Apache error logs" + }, + { + "dataset": "status", + "index_pattern": "logs-apache.status-*", + "title": "Apache status metrics" + } + ], + "elser_embedding": "Apache HTTP Server - Collect logs and metrics from Apache servers with Elastic Agent. - Apache access logs Apache error logs Apache status metrics" + }, + { + "title": "Istio", + "id": "istio", + "description": "Collect logs and metrics from the service mesh Istio with Elastic Agent.", + "data_streams": [ + { + "dataset": "access_logs", + "index_pattern": "logs-istio.access_logs-*", + "title": "Istio access logs" + }, + { + "dataset": "proxy_metrics", + "index_pattern": "logs-istio.proxy_metrics-*", + "title": "Istio Proxy Metrics" + }, + { + "dataset": "istiod_metrics", + "index_pattern": "logs-istio.istiod_metrics-*", + "title": "Istiod Metrics" + } + ], + "elser_embedding": "Istio - Collect logs and metrics from the service mesh Istio with Elastic Agent. - Istio access logs Istio Proxy Metrics Istiod Metrics" + }, + { + "title": "GCP Metrics Input", + "id": "gcp_metrics", + "description": "GCP Metrics Input", + "data_streams": [], + "elser_embedding": "GCP Metrics Input - GCP Metrics Input - " + }, + { + "title": "Fortinet FortiMail", + "id": "fortinet_fortimail", + "description": "Collect logs from Fortinet FortiMail instances with Elastic Agent.", + "data_streams": [ + { + "dataset": "log", + "index_pattern": "logs-fortinet_fortimail.log-*", + "title": "Collect logs from Fortinet FortiMail" + } + ], + "elser_embedding": "Fortinet FortiMail - Collect logs from Fortinet FortiMail instances with Elastic Agent. - Collect logs from Fortinet FortiMail" + }, + { + "title": "Spring Boot", + "id": "spring_boot", + "description": "This Elastic integration collects logs and metrics from Spring Boot integration.", + "data_streams": [ + { + "dataset": "memory", + "index_pattern": "logs-spring_boot.memory-*", + "title": "Memory Metrics" + }, + { + "dataset": "http_trace", + "index_pattern": "logs-spring_boot.http_trace-*", + "title": "HTTP Trace Metrics" + }, + { + "dataset": "gc", + "index_pattern": "logs-spring_boot.gc-*", + "title": "Garbage Collector (GC) Metrics" + }, + { + "dataset": "threading", + "index_pattern": "logs-spring_boot.threading-*", + "title": "Threading Metrics" + }, + { + "dataset": "audit_events", + "index_pattern": "logs-spring_boot.audit_events-*", + "title": "Audit Events" + } + ], + "elser_embedding": "Spring Boot - This Elastic integration collects logs and metrics from Spring Boot integration. - Memory Metrics HTTP Trace Metrics Garbage Collector (GC) Metrics Threading Metrics Audit Events" + }, + { + "title": "Jamf Compliance Reporter", + "id": "jamf_compliance_reporter", + "description": "Collect logs from Jamf Compliance Reporter with Elastic Agent.", + "data_streams": [ + { + "dataset": "log", + "index_pattern": "logs-jamf_compliance_reporter.log-*", + "title": "Jamf Compliance Reporter logs" + } + ], + "elser_embedding": "Jamf Compliance Reporter - Collect logs from Jamf Compliance Reporter with Elastic Agent. - Jamf Compliance Reporter logs" + }, + { + "title": "SentinelOne", + "id": "sentinel_one", + "description": "Collect logs from SentinelOne with Elastic Agent.", + "data_streams": [ + { + "dataset": "group", + "index_pattern": "logs-sentinel_one.group-*", + "title": "Collect Group logs from SentinelOne" + }, + { + "dataset": "threat", + "index_pattern": "logs-sentinel_one.threat-*", + "title": "Collect Threat logs from SentinelOne" + }, + { + "dataset": "alert", + "index_pattern": "logs-sentinel_one.alert-*", + "title": "Collect Alert logs from SentinelOne" + }, + { + "dataset": "agent", + "index_pattern": "logs-sentinel_one.agent-*", + "title": "Collect Agent logs from SentinelOne" + }, + { + "dataset": "activity", + "index_pattern": "logs-sentinel_one.activity-*", + "title": "Collect Activity logs from SentinelOne" + } + ], + "elser_embedding": "SentinelOne - Collect logs from SentinelOne with Elastic Agent. - Collect Group logs from SentinelOne Collect Threat logs from SentinelOne Collect Alert logs from SentinelOne Collect Agent logs from SentinelOne Collect Activity logs from SentinelOne" + }, + { + "title": "Enterprise Search", + "id": "enterprisesearch", + "description": "Enterprise Search Integration", + "data_streams": [ + { + "dataset": "stats", + "index_pattern": "logs-enterprisesearch.stats-*", + "title": "Enterprise Search stats metrics" + }, + { + "dataset": "health", + "index_pattern": "logs-enterprisesearch.health-*", + "title": "Enterprise Search health metrics" + } + ], + "elser_embedding": "Enterprise Search - Enterprise Search Integration - Enterprise Search stats metrics Enterprise Search health metrics" + }, + { + "title": "Microsoft Exchange Online Message Trace", + "id": "microsoft_exchange_online_message_trace", + "description": "Microsoft Exchange Online Message Trace Integration", + "data_streams": [ + { + "dataset": "log", + "index_pattern": "logs-microsoft_exchange_online_message_trace.log-*", + "title": "Microsoft Exchange Online Message Trace logs" + } + ], + "elser_embedding": "Microsoft Exchange Online Message Trace - Microsoft Exchange Online Message Trace Integration - Microsoft Exchange Online Message Trace logs" + }, + { + "title": "CrowdStrike Falcon Intelligence", + "id": "ti_crowdstrike", + "description": "Collect logs from CrowdStrike Falcon Intelligence with Elastic Agent.", + "data_streams": [ + { + "dataset": "intel", + "index_pattern": "logs-ti_crowdstrike.intel-*", + "title": "Collect Intel logs from CrowdStrike Falcon Intelligence." + }, + { + "dataset": "ioc", + "index_pattern": "logs-ti_crowdstrike.ioc-*", + "title": "Collect IOC logs from CrowdStrike Falcon Intelligence." + } + ], + "elser_embedding": "CrowdStrike Falcon Intelligence - Collect logs from CrowdStrike Falcon Intelligence with Elastic Agent. - Collect Intel logs from CrowdStrike Falcon Intelligence. Collect IOC logs from CrowdStrike Falcon Intelligence." + }, + { + "title": "Auditd Manager", + "id": "auditd_manager", + "description": "The Auditd Manager Integration receives audit events from the Linux Audit Framework that is a part of the Linux kernel.", + "data_streams": [ + { + "dataset": "auditd", + "index_pattern": "logs-auditd_manager.auditd-*", + "title": "Auditd Manager" + } + ], + "elser_embedding": "Auditd Manager - The Auditd Manager Integration receives audit events from the Linux Audit Framework that is a part of the Linux kernel. - Auditd Manager" + }, + { + "title": "Oracle", + "id": "oracle", + "description": "Collect Oracle Audit Log, Performance metrics, Tablespace metrics, Sysmetrics metrics, System statistics metrics, memory metrics from Oracle database.", + "data_streams": [ + { + "dataset": "memory", + "index_pattern": "logs-oracle.memory-*", + "title": "Memory metrics" + }, + { + "dataset": "performance", + "index_pattern": "logs-oracle.performance-*", + "title": "Oracle performance metrics" + }, + { + "dataset": "database_audit", + "index_pattern": "logs-oracle.database_audit-*", + "title": "Oracle Audit Log" + }, + { + "dataset": "sysmetric", + "index_pattern": "logs-oracle.sysmetric-*", + "title": "Sysmetric related metrics." + }, + { + "dataset": "system_statistics", + "index_pattern": "logs-oracle.system_statistics-*", + "title": "System Statistics" + }, + { + "dataset": "tablespace", + "index_pattern": "logs-oracle.tablespace-*", + "title": "Oracle tablespace metrics" + } + ], + "elser_embedding": "Oracle - Collect Oracle Audit Log, Performance metrics, Tablespace metrics, Sysmetrics metrics, System statistics metrics, memory metrics from Oracle database. - Memory metrics Oracle performance metrics Oracle Audit Log Sysmetric related metrics. System Statistics Oracle tablespace metrics" + }, + { + "title": "Akamai", + "id": "akamai", + "description": "Collect logs from Akamai with Elastic Agent.", + "data_streams": [ + { + "dataset": "siem", + "index_pattern": "logs-akamai.siem-*", + "title": "Akamai SIEM Logs" + } + ], + "elser_embedding": "Akamai - Collect logs from Akamai with Elastic Agent. - Akamai SIEM Logs" + }, + { + "title": "Custom Journald logs", + "id": "journald", + "description": "Collect logs from journald with Elastic Agent.", + "data_streams": [], + "elser_embedding": "Custom Journald logs - Collect logs from journald with Elastic Agent. - " + }, + { + "title": "Universal Profiling Collector", + "id": "profiler_collector", + "description": "Fleet-wide, whole-system, continuous profiling with zero instrumentation.", + "data_streams": [], + "elser_embedding": "Universal Profiling Collector - Fleet-wide, whole-system, continuous profiling with zero instrumentation. - " + }, + { + "title": "Custom API using Common Expression Language", + "id": "cel", + "description": "Collect custom events from an API with Elastic agent", + "data_streams": [], + "elser_embedding": "Custom API using Common Expression Language - Collect custom events from an API with Elastic agent - " + }, + { + "title": "etcd", + "id": "etcd", + "description": "Collect metrics from etcd instances with Elastic Agent.", + "data_streams": [ + { + "dataset": "self", + "index_pattern": "logs-etcd.self-*", + "title": "etcd self metrics" + }, + { + "dataset": "leader", + "index_pattern": "logs-etcd.leader-*", + "title": "etcd leader metrics" + }, + { + "dataset": "store", + "index_pattern": "logs-etcd.store-*", + "title": "etcd store metrics" + }, + { + "dataset": "metrics", + "index_pattern": "logs-etcd.metrics-*", + "title": "etcd v3 metrics" + } + ], + "elser_embedding": "etcd - Collect metrics from etcd instances with Elastic Agent. - etcd self metrics etcd leader metrics etcd store metrics etcd v3 metrics" + }, + { + "title": "Citrix Web App Firewall", + "id": "citrix_waf", + "description": "Ingest events from Citrix Systems Web App Firewall.", + "data_streams": [ + { + "dataset": "log", + "index_pattern": "logs-citrix_waf.log-*", + "title": "Cisco ASA logs" + } + ], + "elser_embedding": "Citrix Web App Firewall - Ingest events from Citrix Systems Web App Firewall. - Cisco ASA logs" + }, + { + "title": "Azure OpenAI", + "id": "azure_openai", + "description": "Collects Azure OpenAI Logs and Metrics", + "data_streams": [ + { + "dataset": "logs", + "index_pattern": "logs-azure_openai.logs-*", + "title": "Collect Azure OpenAI logs" + }, + { + "dataset": "metrics", + "index_pattern": "logs-azure_openai.metrics-*", + "title": "Collect OpenAI metrics" + } + ], + "elser_embedding": "Azure OpenAI - Collects Azure OpenAI Logs and Metrics - Collect Azure OpenAI logs Collect OpenAI metrics" + }, + { + "title": "Cisco ISE", + "id": "cisco_ise", + "description": "Collect logs from Cisco ISE with Elastic Agent.", + "data_streams": [ + { + "dataset": "log", + "index_pattern": "logs-cisco_ise.log-*", + "title": "Cisco ISE logs" + } + ], + "elser_embedding": "Cisco ISE - Collect logs from Cisco ISE with Elastic Agent. - Cisco ISE logs" + }, + { + "title": "Citrix ADC", + "id": "citrix_adc", + "description": "This Elastic integration collects logs and metrics from Citrix ADC product.", + "data_streams": [ + { + "dataset": "vpn", + "index_pattern": "logs-citrix_adc.vpn-*", + "title": "VPN metrics" + }, + { + "dataset": "log", + "index_pattern": "logs-citrix_adc.log-*", + "title": "Citrix ADC logs" + }, + { + "dataset": "service", + "index_pattern": "logs-citrix_adc.service-*", + "title": "Citrix ADC Service metrics" + }, + { + "dataset": "system", + "index_pattern": "logs-citrix_adc.system-*", + "title": "System metrics" + }, + { + "dataset": "interface", + "index_pattern": "logs-citrix_adc.interface-*", + "title": "Interface metrics" + }, + { + "dataset": "lbvserver", + "index_pattern": "logs-citrix_adc.lbvserver-*", + "title": "Load Balancing Virtual Server metrics" + } + ], + "elser_embedding": "Citrix ADC - This Elastic integration collects logs and metrics from Citrix ADC product. - VPN metrics Citrix ADC logs Citrix ADC Service metrics System metrics Interface metrics Load Balancing Virtual Server metrics" + }, + { + "title": "Box Events", + "id": "box_events", + "description": "Collect logs from Box with Elastic Agent", + "data_streams": [ + { + "dataset": "events", + "index_pattern": "logs-box_events.events-*", + "title": "List user and enterprise events" + } + ], + "elser_embedding": "Box Events - Collect logs from Box with Elastic Agent - List user and enterprise events" + }, + { + "title": "Prometheus", + "id": "prometheus", + "description": "Collect metrics from Prometheus servers with Elastic Agent.", + "data_streams": [ + { + "dataset": "query", + "index_pattern": "logs-prometheus.query-*", + "title": "Prometheus query metrics" + }, + { + "dataset": "remote_write", + "index_pattern": "logs-prometheus.remote_write-*", + "title": "Prometheus remote_write metrics" + }, + { + "dataset": "collector", + "index_pattern": "logs-prometheus.collector-*", + "title": "Prometheus collector metrics" + } + ], + "elser_embedding": "Prometheus - Collect metrics from Prometheus servers with Elastic Agent. - Prometheus query metrics Prometheus remote_write metrics Prometheus collector metrics" + }, + { + "title": "Kubernetes", + "id": "kubernetes", + "description": "Collect logs and metrics from Kubernetes clusters with Elastic Agent.", + "data_streams": [ + { + "dataset": "state_resourcequota", + "index_pattern": "logs-kubernetes.state_resourcequota-*", + "title": "Kubernetes ResourceQuota metrics" + }, + { + "dataset": "state_storageclass", + "index_pattern": "logs-kubernetes.state_storageclass-*", + "title": "Kubernetes StorageClass metrics" + }, + { + "dataset": "state_persistentvolume", + "index_pattern": "logs-kubernetes.state_persistentvolume-*", + "title": "Kubernetes PersistentVolume metrics" + }, + { + "dataset": "pod", + "index_pattern": "logs-kubernetes.pod-*", + "title": "Kubernetes Pod metrics" + }, + { + "dataset": "state_container", + "index_pattern": "logs-kubernetes.state_container-*", + "title": "Kubernetes Container metrics" + }, + { + "dataset": "state_service", + "index_pattern": "logs-kubernetes.state_service-*", + "title": "Kubernetes Service metrics" + }, + { + "dataset": "state_replicaset", + "index_pattern": "logs-kubernetes.state_replicaset-*", + "title": "Kubernetes state_replicaset metrics" + }, + { + "dataset": "state_deployment", + "index_pattern": "logs-kubernetes.state_deployment-*", + "title": "Kubernetes Deployment metrics" + }, + { + "dataset": "container", + "index_pattern": "logs-kubernetes.container-*", + "title": "Kubernetes Container metrics" + }, + { + "dataset": "state_cronjob", + "index_pattern": "logs-kubernetes.state_cronjob-*", + "title": "Kubernetes Cronjob metrics" + }, + { + "dataset": "state_persistentvolumeclaim", + "index_pattern": "logs-kubernetes.state_persistentvolumeclaim-*", + "title": "Kubernetes PersistentVolumeClaim metrics" + }, + { + "dataset": "apiserver", + "index_pattern": "logs-kubernetes.apiserver-*", + "title": "Kubernetes API Server metrics" + }, + { + "dataset": "audit_logs", + "index_pattern": "logs-kubernetes.audit_logs-*", + "title": "Kubernetes audit logs" + }, + { + "dataset": "container_logs", + "index_pattern": "logs-kubernetes.container_logs-*", + "title": "Kubernetes container logs" + }, + { + "dataset": "state_namespace", + "index_pattern": "logs-kubernetes.state_namespace-*", + "title": "Kubernetes Namespace metrics" + }, + { + "dataset": "controllermanager", + "index_pattern": "logs-kubernetes.controllermanager-*", + "title": "Kubernetes Controller Manager metrics" + }, + { + "dataset": "state_statefulset", + "index_pattern": "logs-kubernetes.state_statefulset-*", + "title": "Kubernetes StatefulSet metrics" + }, + { + "dataset": "state_pod", + "index_pattern": "logs-kubernetes.state_pod-*", + "title": "Kubernetes Pod metrics" + }, + { + "dataset": "event", + "index_pattern": "logs-kubernetes.event-*", + "title": "Kubernetes Event metrics" + }, + { + "dataset": "node", + "index_pattern": "logs-kubernetes.node-*", + "title": "Kubernetes Node metrics" + }, + { + "dataset": "scheduler", + "index_pattern": "logs-kubernetes.scheduler-*", + "title": "Kubernetes Scheduler metrics" + }, + { + "dataset": "system", + "index_pattern": "logs-kubernetes.system-*", + "title": "Kubernetes System metrics" + }, + { + "dataset": "proxy", + "index_pattern": "logs-kubernetes.proxy-*", + "title": "Kubernetes Proxy metrics" + }, + { + "dataset": "state_node", + "index_pattern": "logs-kubernetes.state_node-*", + "title": "Kubernetes Node metrics" + }, + { + "dataset": "volume", + "index_pattern": "logs-kubernetes.volume-*", + "title": "Kubernetes Volume metrics" + }, + { + "dataset": "state_job", + "index_pattern": "logs-kubernetes.state_job-*", + "title": "Kubernetes Job metrics" + }, + { + "dataset": "state_daemonset", + "index_pattern": "logs-kubernetes.state_daemonset-*", + "title": "Kubernetes Deamonset metrics" + } + ], + "elser_embedding": "Kubernetes - Collect logs and metrics from Kubernetes clusters with Elastic Agent. - Kubernetes ResourceQuota metrics Kubernetes StorageClass metrics Kubernetes PersistentVolume metrics Kubernetes Pod metrics Kubernetes Container metrics Kubernetes Service metrics Kubernetes state_replicaset metrics Kubernetes Deployment metrics Kubernetes Container metrics Kubernetes Cronjob metrics Kubernetes PersistentVolumeClaim metrics Kubernetes API Server metrics Kubernetes audit logs Kubernetes container logs Kubernetes Namespace metrics Kubernetes Controller Manager metrics Kubernetes StatefulSet metrics Kubernetes Pod metrics Kubernetes Event metrics Kubernetes Node metrics Kubernetes Scheduler metrics Kubernetes System metrics Kubernetes Proxy metrics Kubernetes Node metrics Kubernetes Volume metrics Kubernetes Job metrics Kubernetes Deamonset metrics" + }, + { + "title": "Okta Entity Analytics", + "id": "entityanalytics_okta", + "description": "Collect User Identities from Okta with Elastic Agent.", + "data_streams": [ + { + "dataset": "user", + "index_pattern": "logs-entityanalytics_okta.user-*", + "title": "Collect User Identities logs from Okta" + } + ], + "elser_embedding": "Okta Entity Analytics - Collect User Identities from Okta with Elastic Agent. - Collect User Identities logs from Okta" + }, + { + "title": "GCP Vertex AI", + "id": "gcp_vertexai", + "description": "Collect GCP Vertex AI metrics with Elastic Agent", + "data_streams": [ + { + "dataset": "metrics", + "index_pattern": "logs-gcp_vertexai.metrics-*", + "title": "GCP Vertex AI Metrics" + } + ], + "elser_embedding": "GCP Vertex AI - Collect GCP Vertex AI metrics with Elastic Agent - GCP Vertex AI Metrics" + }, + { + "title": "First EPSS", + "id": "first_epss", + "description": "Collect exploit prediction score data from the First EPSS API with Elastic Agent.", + "data_streams": [ + { + "dataset": "vulnerability", + "index_pattern": "logs-first_epss.vulnerability-*", + "title": "Collect EPSS data from First API." + } + ], + "elser_embedding": "First EPSS - Collect exploit prediction score data from the First EPSS API with Elastic Agent. - Collect EPSS data from First API." + }, + { + "title": "Snort", + "id": "snort", + "description": "Collect logs from Snort with Elastic Agent.", + "data_streams": [ + { + "dataset": "log", + "index_pattern": "logs-snort.log-*", + "title": "Snort" + } + ], + "elser_embedding": "Snort - Collect logs from Snort with Elastic Agent. - Snort" + }, + { + "title": "Azure Functions", + "id": "azure_functions", + "description": "Get metrics and logs from Azure Functions", + "data_streams": [ + { + "dataset": "functionapplogs", + "index_pattern": "logs-azure_functions.functionapplogs-*", + "title": "Collect Azure Functions logs" + }, + { + "dataset": "metrics", + "index_pattern": "logs-azure_functions.metrics-*", + "title": "Azure Functions App Metrics" + } + ], + "elser_embedding": "Azure Functions - Get metrics and logs from Azure Functions - Collect Azure Functions logs Azure Functions App Metrics" + }, + { + "title": "SentinelOne Cloud Funnel", + "id": "sentinel_one_cloud_funnel", + "description": "Collect logs from SentinelOne Cloud Funnel with Elastic Agent.", + "data_streams": [ + { + "dataset": "threat_intelligence_indicators", + "index_pattern": "logs-sentinel_one_cloud_funnel.threat_intelligence_indicators-*", + "title": "SentinelOne Cloud Funnel Threat Intelligence Indicator Events" + }, + { + "dataset": "scheduled_task", + "index_pattern": "logs-sentinel_one_cloud_funnel.scheduled_task-*", + "title": "SentinelOne Cloud Funnel Scheduled Task Events" + }, + { + "dataset": "cross_process", + "index_pattern": "logs-sentinel_one_cloud_funnel.cross_process-*", + "title": "SentinelOne Cloud Funnel cross_process Events" + }, + { + "dataset": "url", + "index_pattern": "logs-sentinel_one_cloud_funnel.url-*", + "title": "SentinelOne Cloud Funnel URL Events" + }, + { + "dataset": "file", + "index_pattern": "logs-sentinel_one_cloud_funnel.file-*", + "title": "SentinelOne Cloud Funnel File Events" + }, + { + "dataset": "module", + "index_pattern": "logs-sentinel_one_cloud_funnel.module-*", + "title": "SentinelOne Cloud Funnel Module Events" + }, + { + "dataset": "process", + "index_pattern": "logs-sentinel_one_cloud_funnel.process-*", + "title": "SentinelOne Cloud Funnel Process Events" + }, + { + "dataset": "dns", + "index_pattern": "logs-sentinel_one_cloud_funnel.dns-*", + "title": "SentinelOne Cloud Funnel dns Events" + }, + { + "dataset": "logins", + "index_pattern": "logs-sentinel_one_cloud_funnel.logins-*", + "title": "SentinelOne Cloud Funnel Logins Events" + }, + { + "dataset": "command_script", + "index_pattern": "logs-sentinel_one_cloud_funnel.command_script-*", + "title": "SentinelOne Cloud Funnel command_script Events" + }, + { + "dataset": "indicators", + "index_pattern": "logs-sentinel_one_cloud_funnel.indicators-*", + "title": "SentinelOne Cloud Funnel Indicator Events" + }, + { + "dataset": "event", + "index_pattern": "logs-sentinel_one_cloud_funnel.event-*", + "title": "Collect Event logs from SentinelOne Cloud Funnel." + }, + { + "dataset": "ip", + "index_pattern": "logs-sentinel_one_cloud_funnel.ip-*", + "title": "SentinelOne Cloud Funnel IP Events" + }, + { + "dataset": "registry", + "index_pattern": "logs-sentinel_one_cloud_funnel.registry-*", + "title": "SentinelOne Cloud Funnel Registry Events" + } + ], + "elser_embedding": "SentinelOne Cloud Funnel - Collect logs from SentinelOne Cloud Funnel with Elastic Agent. - SentinelOne Cloud Funnel Threat Intelligence Indicator Events SentinelOne Cloud Funnel Scheduled Task Events SentinelOne Cloud Funnel cross_process Events SentinelOne Cloud Funnel URL Events SentinelOne Cloud Funnel File Events SentinelOne Cloud Funnel Module Events SentinelOne Cloud Funnel Process Events SentinelOne Cloud Funnel dns Events SentinelOne Cloud Funnel Logins Events SentinelOne Cloud Funnel command_script Events SentinelOne Cloud Funnel Indicator Events Collect Event logs from SentinelOne Cloud Funnel. SentinelOne Cloud Funnel IP Events SentinelOne Cloud Funnel Registry Events" + }, + { + "title": "Cisco Meraki", + "id": "cisco_meraki", + "description": "Collect logs from Cisco Meraki with Elastic Agent.", + "data_streams": [ + { + "dataset": "log", + "index_pattern": "logs-cisco_meraki.log-*", + "title": "Cisco Meraki logs (via Syslog)" + }, + { + "dataset": "events", + "index_pattern": "logs-cisco_meraki.events-*", + "title": "Cisco Meraki webhook events" + } + ], + "elser_embedding": "Cisco Meraki - Collect logs from Cisco Meraki with Elastic Agent. - Cisco Meraki logs (via Syslog) Cisco Meraki webhook events" + }, + { + "title": "Osquery Manager", + "id": "osquery_manager", + "description": "Deploy Osquery with Elastic Agent, then run and schedule queries in Kibana", + "data_streams": [ + { + "dataset": "result", + "index_pattern": "logs-osquery_manager.result-*", + "title": "Osquery Manager queries" + }, + { + "dataset": "action_responses", + "index_pattern": "logs-osquery_manager.action_responses-*", + "title": "Osquery Manager queries" + } + ], + "elser_embedding": "Osquery Manager - Deploy Osquery with Elastic Agent, then run and schedule queries in Kibana - Osquery Manager queries Osquery Manager queries" + }, + { + "title": "ModSecurity Audit", + "id": "modsecurity", + "description": "Collect logs from ModSecurity with Elastic Agent", + "data_streams": [ + { + "dataset": "auditlog", + "index_pattern": "logs-modsecurity.auditlog-*", + "title": "Modsecurity Audit Log" + } + ], + "elser_embedding": "ModSecurity Audit - Collect logs from ModSecurity with Elastic Agent - Modsecurity Audit Log" + }, + { + "title": "pfSense", + "id": "pfsense", + "description": "Collect logs from pfSense and OPNsense with Elastic Agent.", + "data_streams": [ + { + "dataset": "log", + "index_pattern": "logs-pfsense.log-*", + "title": "pfSense log logs" + } + ], + "elser_embedding": "pfSense - Collect logs from pfSense and OPNsense with Elastic Agent. - pfSense log logs" + }, + { + "title": "Ceph", + "id": "ceph", + "description": "This Elastic integration collects metrics from Ceph instance.", + "data_streams": [ + { + "dataset": "cluster_disk", + "index_pattern": "logs-ceph.cluster_disk-*", + "title": "Cluster Disk metrics" + }, + { + "dataset": "osd_pool_stats", + "index_pattern": "logs-ceph.osd_pool_stats-*", + "title": "OSD Pool Stats" + }, + { + "dataset": "cluster_status", + "index_pattern": "logs-ceph.cluster_status-*", + "title": "Cluster Status metrics" + }, + { + "dataset": "pool_disk", + "index_pattern": "logs-ceph.pool_disk-*", + "title": "Pool Disk metrics" + }, + { + "dataset": "osd_tree", + "index_pattern": "logs-ceph.osd_tree-*", + "title": "OSD Tree metrics" + }, + { + "dataset": "osd_performance", + "index_pattern": "logs-ceph.osd_performance-*", + "title": "OSD Performance metrics" + }, + { + "dataset": "cluster_health", + "index_pattern": "logs-ceph.cluster_health-*", + "title": "Cluster Health metrics" + } + ], + "elser_embedding": "Ceph - This Elastic integration collects metrics from Ceph instance. - Cluster Disk metrics OSD Pool Stats Cluster Status metrics Pool Disk metrics OSD Tree metrics OSD Performance metrics Cluster Health metrics" + }, + { + "title": "Maltiverse", + "id": "ti_maltiverse", + "description": "Ingest threat intelligence indicators from Maltiverse feeds with Elastic Agent", + "data_streams": [ + { + "dataset": "indicator", + "index_pattern": "logs-ti_maltiverse.indicator-*", + "title": "Maltiverse indicator" + } + ], + "elser_embedding": "Maltiverse - Ingest threat intelligence indicators from Maltiverse feeds with Elastic Agent - Maltiverse indicator" + }, + { + "title": "Imperva", + "id": "imperva", + "description": "Collect logs from Imperva devices with Elastic Agent.", + "data_streams": [ + { + "dataset": "securesphere", + "index_pattern": "logs-imperva.securesphere-*", + "title": "Collect logs from Imperva SecureSphere" + } + ], + "elser_embedding": "Imperva - Collect logs from Imperva devices with Elastic Agent. - Collect logs from Imperva SecureSphere" + }, + { + "title": "Linux Metrics", + "id": "linux", + "description": "Collect metrics from Linux servers with Elastic Agent.", + "data_streams": [ + { + "dataset": "memory", + "index_pattern": "logs-linux.memory-*", + "title": "Linux-only memory metrics" + }, + { + "dataset": "socket", + "index_pattern": "logs-linux.socket-*", + "title": "System socket metrics" + }, + { + "dataset": "ksm", + "index_pattern": "logs-linux.ksm-*", + "title": "Kernel Samepage merging metrics" + }, + { + "dataset": "raid", + "index_pattern": "logs-linux.raid-*", + "title": "System raid metrics" + }, + { + "dataset": "conntrack", + "index_pattern": "logs-linux.conntrack-*", + "title": "System conntrack metrics" + }, + { + "dataset": "network_summary", + "index_pattern": "logs-linux.network_summary-*", + "title": "System network_summary metrics" + }, + { + "dataset": "users", + "index_pattern": "logs-linux.users-*", + "title": "System users metrics" + }, + { + "dataset": "service", + "index_pattern": "logs-linux.service-*", + "title": "System service metrics" + }, + { + "dataset": "pageinfo", + "index_pattern": "logs-linux.pageinfo-*", + "title": "System page info metrics" + }, + { + "dataset": "iostat", + "index_pattern": "logs-linux.iostat-*", + "title": "Linux disk iostat metrics" + }, + { + "dataset": "entropy", + "index_pattern": "logs-linux.entropy-*", + "title": "System entropy metrics" + } + ], + "elser_embedding": "Linux Metrics - Collect metrics from Linux servers with Elastic Agent. - Linux-only memory metrics System socket metrics Kernel Samepage merging metrics System raid metrics System conntrack metrics System network_summary metrics System users metrics System service metrics System page info metrics Linux disk iostat metrics System entropy metrics" + }, + { + "title": "Cybereason", + "id": "cybereason", + "description": "Collect logs from Cybereason with Elastic Agent.", + "data_streams": [ + { + "dataset": "logon_session", + "index_pattern": "logs-cybereason.logon_session-*", + "title": "Collect Logon Session logs from Cybereason." + }, + { + "dataset": "poll_malop", + "index_pattern": "logs-cybereason.poll_malop-*", + "title": "Collect Poll Malop logs from Cybereason." + }, + { + "dataset": "suspicions_process", + "index_pattern": "logs-cybereason.suspicions_process-*", + "title": "Collect Suspicions Process logs from Cybereason." + }, + { + "dataset": "malop_process", + "index_pattern": "logs-cybereason.malop_process-*", + "title": "Collect Malop Process logs from Cybereason." + }, + { + "dataset": "malop_connection", + "index_pattern": "logs-cybereason.malop_connection-*", + "title": "Collect Malop Connection logs from Cybereason." + }, + { + "dataset": "malware", + "index_pattern": "logs-cybereason.malware-*", + "title": "Collect Malware logs from Cybereason." + } + ], + "elser_embedding": "Cybereason - Collect logs from Cybereason with Elastic Agent. - Collect Logon Session logs from Cybereason. Collect Poll Malop logs from Cybereason. Collect Suspicions Process logs from Cybereason. Collect Malop Process logs from Cybereason. Collect Malop Connection logs from Cybereason. Collect Malware logs from Cybereason." + }, + { + "title": "Kafka", + "id": "kafka", + "description": "Collect logs and metrics from Kafka servers with Elastic Agent.", + "data_streams": [ + { + "dataset": "broker", + "index_pattern": "logs-kafka.broker-*", + "title": "Kafka broker metrics" + }, + { + "dataset": "consumergroup", + "index_pattern": "logs-kafka.consumergroup-*", + "title": "Kafka consumergroup metrics" + }, + { + "dataset": "partition", + "index_pattern": "logs-kafka.partition-*", + "title": "Kafka partition metrics" + }, + { + "dataset": "log", + "index_pattern": "logs-kafka.log-*", + "title": "Kafka log logs" + } + ], + "elser_embedding": "Kafka - Collect logs and metrics from Kafka servers with Elastic Agent. - Kafka broker metrics Kafka consumergroup metrics Kafka partition metrics Kafka log logs" + }, + { + "title": "Sophos Central", + "id": "sophos_central", + "description": "This Elastic integration collects logs from Sophos Central with Elastic Agent.", + "data_streams": [ + { + "dataset": "alert", + "index_pattern": "logs-sophos_central.alert-*", + "title": "Collect Sophos Central SIEM Alert logs" + }, + { + "dataset": "event", + "index_pattern": "logs-sophos_central.event-*", + "title": "Collect Sophos Central SIEM Events logs" + } + ], + "elser_embedding": "Sophos Central - This Elastic integration collects logs from Sophos Central with Elastic Agent. - Collect Sophos Central SIEM Alert logs Collect Sophos Central SIEM Events logs" + }, + { + "title": "PostgreSQL", + "id": "postgresql", + "description": "Collect logs and metrics from PostgreSQL servers with Elastic Agent.", + "data_streams": [ + { + "dataset": "bgwriter", + "index_pattern": "logs-postgresql.bgwriter-*", + "title": "PostgreSQL bgwriter metrics" + }, + { + "dataset": "database", + "index_pattern": "logs-postgresql.database-*", + "title": "PostgreSQL database metrics" + }, + { + "dataset": "log", + "index_pattern": "logs-postgresql.log-*", + "title": "PostgreSQL logs" + }, + { + "dataset": "statement", + "index_pattern": "logs-postgresql.statement-*", + "title": "PostgreSQL statement metrics" + }, + { + "dataset": "activity", + "index_pattern": "logs-postgresql.activity-*", + "title": "PostgreSQL activity metrics" + } + ], + "elser_embedding": "PostgreSQL - Collect logs and metrics from PostgreSQL servers with Elastic Agent. - PostgreSQL bgwriter metrics PostgreSQL database metrics PostgreSQL logs PostgreSQL statement metrics PostgreSQL activity metrics" + }, + { + "title": "Corelight", + "id": "corelight", + "description": "Collect logs from Corelight with Elastic Agent.", + "data_streams": [], + "elser_embedding": "Corelight - Collect logs from Corelight with Elastic Agent. - " + }, + { + "title": "Threat Intelligence Utilities", + "id": "ti_util", + "description": "Prebuilt Threat Intelligence dashboard for Elastic Security", + "data_streams": [], + "elser_embedding": "Threat Intelligence Utilities - Prebuilt Threat Intelligence dashboard for Elastic Security - " + }, + { + "title": "Imperva Cloud WAF", + "id": "imperva_cloud_waf", + "description": "Collect logs from Imperva Cloud WAF with Elastic Agent.", + "data_streams": [ + { + "dataset": "event", + "index_pattern": "logs-imperva_cloud_waf.event-*", + "title": "Collect Imperva Cloud WAF Events" + } + ], + "elser_embedding": "Imperva Cloud WAF - Collect logs from Imperva Cloud WAF with Elastic Agent. - Collect Imperva Cloud WAF Events" + }, + { + "title": "File Integrity Monitoring", + "id": "fim", + "description": "The File Integrity Monitoring integration reports filesystem changes in real time.", + "data_streams": [ + { + "dataset": "event", + "index_pattern": "logs-fim.event-*", + "title": "Filesystem events" + } + ], + "elser_embedding": "File Integrity Monitoring - The File Integrity Monitoring integration reports filesystem changes in real time. - Filesystem events" + }, + { + "title": "Custom Websocket logs", + "id": "websocket", + "description": "Collect custom events from a socket server with Elastic agent.", + "data_streams": [], + "elser_embedding": "Custom Websocket logs - Collect custom events from a socket server with Elastic agent. - " + }, + { + "title": "SpyCloud Enterprise Protection", + "id": "spycloud", + "description": "Collect data from SpyCloud Enterprise Protection with Elastic Agent.", + "data_streams": [ + { + "dataset": "compass", + "index_pattern": "logs-spycloud.compass-*", + "title": "Collect Compass logs from SpyCloud Enterprise Protection." + }, + { + "dataset": "breach_record", + "index_pattern": "logs-spycloud.breach_record-*", + "title": "Collect Breach Record logs from SpyCloud Enterprise Protection." + }, + { + "dataset": "breach_catalog", + "index_pattern": "logs-spycloud.breach_catalog-*", + "title": "Collect Breach Catalog logs from SpyCloud Enterprise Protection." + } + ], + "elser_embedding": "SpyCloud Enterprise Protection - Collect data from SpyCloud Enterprise Protection with Elastic Agent. - Collect Compass logs from SpyCloud Enterprise Protection. Collect Breach Record logs from SpyCloud Enterprise Protection. Collect Breach Catalog logs from SpyCloud Enterprise Protection." + }, + { + "title": "Canva", + "id": "canva", + "description": "Collect logs from Canva with Elastic Agent.", + "data_streams": [ + { + "dataset": "audit", + "index_pattern": "logs-canva.audit-*", + "title": "Collect Audit Logs from Canva" + } + ], + "elser_embedding": "Canva - Collect logs from Canva with Elastic Agent. - Collect Audit Logs from Canva" + }, + { + "title": "Microsoft Office 365", + "id": "o365", + "description": "Collect logs from Microsoft Office 365 with Elastic Agent.", + "data_streams": [ + { + "dataset": "audit", + "index_pattern": "logs-o365.audit-*", + "title": "Microsoft Office 365 audit logs" + } + ], + "elser_embedding": "Microsoft Office 365 - Collect logs from Microsoft Office 365 with Elastic Agent. - Microsoft Office 365 audit logs" + }, + { + "title": "AWS", + "id": "aws", + "description": "Collect logs and metrics from Amazon Web Services (AWS) with Elastic Agent.", + "data_streams": [ + { + "dataset": "ec2_metrics", + "index_pattern": "logs-aws.ec2_metrics-*", + "title": "AWS EC2 metrics" + }, + { + "dataset": "apigateway_metrics", + "index_pattern": "logs-aws.apigateway_metrics-*", + "title": "AWS API Gateway metrics" + }, + { + "dataset": "ec2_logs", + "index_pattern": "logs-aws.ec2_logs-*", + "title": "AWS EC2 logs" + }, + { + "dataset": "cloudwatch_logs", + "index_pattern": "logs-aws.cloudwatch_logs-*", + "title": "AWS CloudWatch logs" + }, + { + "dataset": "billing", + "index_pattern": "logs-aws.billing-*", + "title": "AWS Billing Metrics" + }, + { + "dataset": "ebs", + "index_pattern": "logs-aws.ebs-*", + "title": "AWS EBS metrics" + }, + { + "dataset": "awshealth", + "index_pattern": "logs-aws.awshealth-*", + "title": "AWS Health" + }, + { + "dataset": "transitgateway", + "index_pattern": "logs-aws.transitgateway-*", + "title": "AWS Transit Gateway metrics" + }, + { + "dataset": "cloudtrail", + "index_pattern": "logs-aws.cloudtrail-*", + "title": "AWS CloudTrail Logs" + }, + { + "dataset": "vpn", + "index_pattern": "logs-aws.vpn-*", + "title": "AWS VPN metrics" + }, + { + "dataset": "sns", + "index_pattern": "logs-aws.sns-*", + "title": "AWS SNS metrics" + }, + { + "dataset": "firewall_metrics", + "index_pattern": "logs-aws.firewall_metrics-*", + "title": "AWS Network Firewall metrics" + }, + { + "dataset": "waf", + "index_pattern": "logs-aws.waf-*", + "title": "AWS WAF logs" + }, + { + "dataset": "emr_metrics", + "index_pattern": "logs-aws.emr_metrics-*", + "title": "AWS EMR metrics" + }, + { + "dataset": "firewall_logs", + "index_pattern": "logs-aws.firewall_logs-*", + "title": "AWS Network Firewall logs" + }, + { + "dataset": "lambda", + "index_pattern": "logs-aws.lambda-*", + "title": "AWS Lambda metrics" + }, + { + "dataset": "securityhub_insights", + "index_pattern": "logs-aws.securityhub_insights-*", + "title": "Collect AWS Security Hub Insights logs from AWS" + }, + { + "dataset": "redshift", + "index_pattern": "logs-aws.redshift-*", + "title": "Amazon Redshift metrics" + }, + { + "dataset": "inspector", + "index_pattern": "logs-aws.inspector-*", + "title": "Collect AWS Inspector logs from AWS" + }, + { + "dataset": "route53_resolver_logs", + "index_pattern": "logs-aws.route53_resolver_logs-*", + "title": "AWS Route 53 Resolver Query Logs" + }, + { + "dataset": "emr_logs", + "index_pattern": "logs-aws.emr_logs-*", + "title": "AWS EMR logs" + }, + { + "dataset": "elb_metrics", + "index_pattern": "logs-aws.elb_metrics-*", + "title": "AWS ELB metrics" + }, + { + "dataset": "s3access", + "index_pattern": "logs-aws.s3access-*", + "title": "AWS s3access logs" + }, + { + "dataset": "securityhub_findings", + "index_pattern": "logs-aws.securityhub_findings-*", + "title": "Collect AWS Security Hub Findings logs from AWS" + }, + { + "dataset": "vpcflow", + "index_pattern": "logs-aws.vpcflow-*", + "title": "AWS vpcflow logs" + }, + { + "dataset": "elb_logs", + "index_pattern": "logs-aws.elb_logs-*", + "title": "AWS ELB logs" + }, + { + "dataset": "kafka_metrics", + "index_pattern": "logs-aws.kafka_metrics-*", + "title": "AWS Kafka metrics" + }, + { + "dataset": "kinesis", + "index_pattern": "logs-aws.kinesis-*", + "title": "AWS Kinesis Data Stream metrics" + }, + { + "dataset": "cloudwatch_metrics", + "index_pattern": "logs-aws.cloudwatch_metrics-*", + "title": "AWS CloudWatch metrics" + }, + { + "dataset": "s3_daily_storage", + "index_pattern": "logs-aws.s3_daily_storage-*", + "title": "AWS S3 daily storage metrics" + }, + { + "dataset": "guardduty", + "index_pattern": "logs-aws.guardduty-*", + "title": "Collect Amazon GuardDuty Findings logs from AWS" + }, + { + "dataset": "rds", + "index_pattern": "logs-aws.rds-*", + "title": "AWS RDS metrics" + }, + { + "dataset": "ecs_metrics", + "index_pattern": "logs-aws.ecs_metrics-*", + "title": "AWS ECS metrics" + }, + { + "dataset": "s3_storage_lens", + "index_pattern": "logs-aws.s3_storage_lens-*", + "title": "AWS S3 Storage Lens metrics" + }, + { + "dataset": "route53_public_logs", + "index_pattern": "logs-aws.route53_public_logs-*", + "title": "AWS Route 53 Public Zone Logs" + }, + { + "dataset": "cloudfront_logs", + "index_pattern": "logs-aws.cloudfront_logs-*", + "title": "AWS CloudFront logs" + }, + { + "dataset": "usage", + "index_pattern": "logs-aws.usage-*", + "title": "AWS usage metrics" + }, + { + "dataset": "dynamodb", + "index_pattern": "logs-aws.dynamodb-*", + "title": "AWS DynamoDB metrics" + }, + { + "dataset": "apigateway_logs", + "index_pattern": "logs-aws.apigateway_logs-*", + "title": "AWS API Gateway logs" + }, + { + "dataset": "s3_request", + "index_pattern": "logs-aws.s3_request-*", + "title": "AWS S3 request metrics" + }, + { + "dataset": "sqs", + "index_pattern": "logs-aws.sqs-*", + "title": "AWS SQS metrics" + }, + { + "dataset": "natgateway", + "index_pattern": "logs-aws.natgateway-*", + "title": "AWS NAT gateway metrics" + } + ], + "elser_embedding": "AWS - Collect logs and metrics from Amazon Web Services (AWS) with Elastic Agent. - AWS EC2 metrics AWS API Gateway metrics AWS EC2 logs AWS CloudWatch logs AWS Billing Metrics AWS EBS metrics AWS Health AWS Transit Gateway metrics AWS CloudTrail Logs AWS VPN metrics AWS SNS metrics AWS Network Firewall metrics AWS WAF logs AWS EMR metrics AWS Network Firewall logs AWS Lambda metrics Collect AWS Security Hub Insights logs from AWS Amazon Redshift metrics Collect AWS Inspector logs from AWS AWS Route 53 Resolver Query Logs AWS EMR logs AWS ELB metrics AWS s3access logs Collect AWS Security Hub Findings logs from AWS AWS vpcflow logs AWS ELB logs AWS Kafka metrics AWS Kinesis Data Stream metrics AWS CloudWatch metrics AWS S3 daily storage metrics Collect Amazon GuardDuty Findings logs from AWS AWS RDS metrics AWS ECS metrics AWS S3 Storage Lens metrics AWS Route 53 Public Zone Logs AWS CloudFront logs AWS usage metrics AWS DynamoDB metrics AWS API Gateway logs AWS S3 request metrics AWS SQS metrics AWS NAT gateway metrics" + }, + { + "title": "Nginx Ingress Controller Logs", + "id": "nginx_ingress_controller", + "description": "Collect Nginx Ingress Controller logs.", + "data_streams": [ + { + "dataset": "access", + "index_pattern": "logs-nginx_ingress_controller.access-*", + "title": "Nginx Ingress Controller access logs" + }, + { + "dataset": "error", + "index_pattern": "logs-nginx_ingress_controller.error-*", + "title": "Nginx Ingress Controller error logs" + } + ], + "elser_embedding": "Nginx Ingress Controller Logs - Collect Nginx Ingress Controller logs. - Nginx Ingress Controller access logs Nginx Ingress Controller error logs" + }, + { + "title": "Cisco Umbrella", + "id": "cisco_umbrella", + "description": "Collect logs from Cisco Umbrella with Elastic Agent.", + "data_streams": [ + { + "dataset": "log", + "index_pattern": "logs-cisco_umbrella.log-*", + "title": "Cisco Umbrella logs" + } + ], + "elser_embedding": "Cisco Umbrella - Collect logs from Cisco Umbrella with Elastic Agent. - Cisco Umbrella logs" + }, + { + "title": "Cloudflare Logpush", + "id": "cloudflare_logpush", + "description": "Collect and parse logs from Cloudflare API with Elastic Agent.", + "data_streams": [ + { + "dataset": "http_request", + "index_pattern": "logs-cloudflare_logpush.http_request-*", + "title": "Collect HTTP Request logs from Cloudflare" + }, + { + "dataset": "access_request", + "index_pattern": "logs-cloudflare_logpush.access_request-*", + "title": "Collect Access Request logs from Cloudflare" + }, + { + "dataset": "network_session", + "index_pattern": "logs-cloudflare_logpush.network_session-*", + "title": "Collect Zero Trust Network Session logs from Cloudflare" + }, + { + "dataset": "spectrum_event", + "index_pattern": "logs-cloudflare_logpush.spectrum_event-*", + "title": "Collect Spectrum Event logs from Cloudflare" + }, + { + "dataset": "gateway_http", + "index_pattern": "logs-cloudflare_logpush.gateway_http-*", + "title": "Collect Gateway HTTP logs from Cloudflare" + }, + { + "dataset": "casb", + "index_pattern": "logs-cloudflare_logpush.casb-*", + "title": "Collect CASB Findings logs from Cloudflare" + }, + { + "dataset": "magic_ids", + "index_pattern": "logs-cloudflare_logpush.magic_ids-*", + "title": "Collect Magic IDS logs from Cloudflare" + }, + { + "dataset": "workers_trace", + "index_pattern": "logs-cloudflare_logpush.workers_trace-*", + "title": "Collect Workers Trace Event logs from Cloudflare" + }, + { + "dataset": "audit", + "index_pattern": "logs-cloudflare_logpush.audit-*", + "title": "Collect Audit logs from Cloudflare" + }, + { + "dataset": "nel_report", + "index_pattern": "logs-cloudflare_logpush.nel_report-*", + "title": "Collect NEL Report logs from Cloudflare" + }, + { + "dataset": "network_analytics", + "index_pattern": "logs-cloudflare_logpush.network_analytics-*", + "title": "Collect Network Analytics logs from Cloudflare" + }, + { + "dataset": "dns", + "index_pattern": "logs-cloudflare_logpush.dns-*", + "title": "Collect DNS logs from Cloudflare" + }, + { + "dataset": "device_posture", + "index_pattern": "logs-cloudflare_logpush.device_posture-*", + "title": "Collect Device Posture Results logs from Cloudflare" + }, + { + "dataset": "gateway_dns", + "index_pattern": "logs-cloudflare_logpush.gateway_dns-*", + "title": "Collect Gateway DNS logs from Cloudflare" + }, + { + "dataset": "dns_firewall", + "index_pattern": "logs-cloudflare_logpush.dns_firewall-*", + "title": "Collect DNS Firewall logs from Cloudflare" + }, + { + "dataset": "sinkhole_http", + "index_pattern": "logs-cloudflare_logpush.sinkhole_http-*", + "title": "Collect Sinkhole HTTP logs from Cloudflare" + }, + { + "dataset": "firewall_event", + "index_pattern": "logs-cloudflare_logpush.firewall_event-*", + "title": "Collect Firewall Event logs from Cloudflare" + }, + { + "dataset": "gateway_network", + "index_pattern": "logs-cloudflare_logpush.gateway_network-*", + "title": "Collect Gateway Network logs from Cloudflare" + } + ], + "elser_embedding": "Cloudflare Logpush - Collect and parse logs from Cloudflare API with Elastic Agent. - Collect HTTP Request logs from Cloudflare Collect Access Request logs from Cloudflare Collect Zero Trust Network Session logs from Cloudflare Collect Spectrum Event logs from Cloudflare Collect Gateway HTTP logs from Cloudflare Collect CASB Findings logs from Cloudflare Collect Magic IDS logs from Cloudflare Collect Workers Trace Event logs from Cloudflare Collect Audit logs from Cloudflare Collect NEL Report logs from Cloudflare Collect Network Analytics logs from Cloudflare Collect DNS logs from Cloudflare Collect Device Posture Results logs from Cloudflare Collect Gateway DNS logs from Cloudflare Collect DNS Firewall logs from Cloudflare Collect Sinkhole HTTP logs from Cloudflare Collect Firewall Event logs from Cloudflare Collect Gateway Network logs from Cloudflare" + }, + { + "title": "Microsoft DHCP", + "id": "microsoft_dhcp", + "description": "Collect logs from Microsoft DHCP with Elastic Agent.", + "data_streams": [ + { + "dataset": "log", + "index_pattern": "logs-microsoft_dhcp.log-*", + "title": "Microsoft DHCP Logs" + } + ], + "elser_embedding": "Microsoft DHCP - Collect logs from Microsoft DHCP with Elastic Agent. - Microsoft DHCP Logs" + }, + { + "title": "Netskope", + "id": "netskope", + "description": "Collect logs from Netskope with Elastic Agent.", + "data_streams": [ + { + "dataset": "alerts", + "index_pattern": "logs-netskope.alerts-*", + "title": "Alerts" + }, + { + "dataset": "events", + "index_pattern": "logs-netskope.events-*", + "title": "Events" + } + ], + "elser_embedding": "Netskope - Collect logs from Netskope with Elastic Agent. - Alerts Events" + }, + { + "title": "Suricata", + "id": "suricata", + "description": "Collect logs from Suricata with Elastic Agent.", + "data_streams": [ + { + "dataset": "eve", + "index_pattern": "logs-suricata.eve-*", + "title": "Suricata eve logs" + } + ], + "elser_embedding": "Suricata - Collect logs from Suricata with Elastic Agent. - Suricata eve logs" + }, + { + "title": "Custom Azure Logs", + "id": "azure_logs", + "description": "Collect log events from Azure Event Hubs with Elastic Agent", + "data_streams": [], + "elser_embedding": "Custom Azure Logs - Collect log events from Azure Event Hubs with Elastic Agent - " + }, + { + "title": "Zscaler Private Access", + "id": "zscaler_zpa", + "description": "Collect logs from Zscaler Private Access (ZPA) with Elastic Agent.", + "data_streams": [ + { + "dataset": "browser_access", + "index_pattern": "logs-zscaler_zpa.browser_access-*", + "title": "Browser Access Logs" + }, + { + "dataset": "app_connector_status", + "index_pattern": "logs-zscaler_zpa.app_connector_status-*", + "title": "App Connector Status Logs" + }, + { + "dataset": "user_status", + "index_pattern": "logs-zscaler_zpa.user_status-*", + "title": "User Status Logs" + }, + { + "dataset": "audit", + "index_pattern": "logs-zscaler_zpa.audit-*", + "title": "Audit Logs" + }, + { + "dataset": "user_activity", + "index_pattern": "logs-zscaler_zpa.user_activity-*", + "title": "User Activity Logs" + } + ], + "elser_embedding": "Zscaler Private Access - Collect logs from Zscaler Private Access (ZPA) with Elastic Agent. - Browser Access Logs App Connector Status Logs User Status Logs Audit Logs User Activity Logs" + }, + { + "title": "Cisco Aironet", + "id": "cisco_aironet", + "description": "Integration for Cisco Aironet WLC Logs", + "data_streams": [ + { + "dataset": "log", + "index_pattern": "logs-cisco_aironet.log-*", + "title": "Cisco Aironet logs" + } + ], + "elser_embedding": "Cisco Aironet - Integration for Cisco Aironet WLC Logs - Cisco Aironet logs" + }, + { + "title": "Collective Intelligence Framework v3", + "id": "ti_cif3", + "description": "Ingest threat indicators from a Collective Intelligence Framework v3 instance with Elastic Agent.", + "data_streams": [ + { + "dataset": "feed", + "index_pattern": "logs-ti_cif3.feed-*", + "title": "CIFv3 Feed" + } + ], + "elser_embedding": "Collective Intelligence Framework v3 - Ingest threat indicators from a Collective Intelligence Framework v3 instance with Elastic Agent. - CIFv3 Feed" + }, + { + "title": "Bitwarden", + "id": "bitwarden", + "description": "Collect logs from Bitwarden with Elastic Agent.", + "data_streams": [ + { + "dataset": "group", + "index_pattern": "logs-bitwarden.group-*", + "title": "Collect Group logs from Bitwarden" + }, + { + "dataset": "policy", + "index_pattern": "logs-bitwarden.policy-*", + "title": "Collect Policy logs from Bitwarden" + }, + { + "dataset": "member", + "index_pattern": "logs-bitwarden.member-*", + "title": "Collect Member logs from Bitwarden" + }, + { + "dataset": "event", + "index_pattern": "logs-bitwarden.event-*", + "title": "Collect Event logs from Bitwarden" + }, + { + "dataset": "collection", + "index_pattern": "logs-bitwarden.collection-*", + "title": "Collect Collection logs from Bitwarden" + } + ], + "elser_embedding": "Bitwarden - Collect logs from Bitwarden with Elastic Agent. - Collect Group logs from Bitwarden Collect Policy logs from Bitwarden Collect Member logs from Bitwarden Collect Event logs from Bitwarden Collect Collection logs from Bitwarden" + }, + { + "title": "Kibana", + "id": "kibana", + "description": "Collect logs and metrics from Kibana with Elastic Agent.", + "data_streams": [ + { + "dataset": "node_actions", + "index_pattern": "logs-kibana.node_actions-*", + "title": "Kibana node_actions metrics" + }, + { + "dataset": "stats", + "index_pattern": "logs-kibana.stats-*", + "title": "Kibana stats metrics" + }, + { + "dataset": "audit", + "index_pattern": "logs-kibana.audit-*", + "title": "kibana audit logs" + }, + { + "dataset": "task_manager_metrics", + "index_pattern": "logs-kibana.task_manager_metrics-*", + "title": "Kibana task manager metrics" + }, + { + "dataset": "cluster_rules", + "index_pattern": "logs-kibana.cluster_rules-*", + "title": "Kibana cluster_rules metrics" + }, + { + "dataset": "background_task_utilization", + "index_pattern": "logs-kibana.background_task_utilization-*", + "title": "Kibana background task utilization metrics" + }, + { + "dataset": "log", + "index_pattern": "logs-kibana.log-*", + "title": "Kibana logs" + }, + { + "dataset": "node_rules", + "index_pattern": "logs-kibana.node_rules-*", + "title": "Kibana node_rules metrics" + }, + { + "dataset": "status", + "index_pattern": "logs-kibana.status-*", + "title": "Kibana status metrics" + }, + { + "dataset": "cluster_actions", + "index_pattern": "logs-kibana.cluster_actions-*", + "title": "Kibana cluster_actions metrics" + } + ], + "elser_embedding": "Kibana - Collect logs and metrics from Kibana with Elastic Agent. - Kibana node_actions metrics Kibana stats metrics kibana audit logs Kibana task manager metrics Kibana cluster_rules metrics Kibana background task utilization metrics Kibana logs Kibana node_rules metrics Kibana status metrics Kibana cluster_actions metrics" + }, + { + "title": "Digital Guardian", + "id": "digital_guardian", + "description": "Collect logs from Digital Guardian with Elastic Agent.", + "data_streams": [ + { + "dataset": "arc", + "index_pattern": "logs-digital_guardian.arc-*", + "title": "Digital Guardian ARC Logs" + } + ], + "elser_embedding": "Digital Guardian - Collect logs from Digital Guardian with Elastic Agent. - Digital Guardian ARC Logs" + }, + { + "title": "MySQL", + "id": "mysql", + "description": "Collect logs and metrics from MySQL servers with Elastic Agent.", + "data_streams": [ + { + "dataset": "performance", + "index_pattern": "logs-mysql.performance-*", + "title": "MySQL performance metrics" + }, + { + "dataset": "error", + "index_pattern": "logs-mysql.error-*", + "title": "MySQL error logs" + }, + { + "dataset": "slowlog", + "index_pattern": "logs-mysql.slowlog-*", + "title": "MySQL slowlog logs" + }, + { + "dataset": "galera_status", + "index_pattern": "logs-mysql.galera_status-*", + "title": "MySQL galera_status metrics" + }, + { + "dataset": "replica_status", + "index_pattern": "logs-mysql.replica_status-*", + "title": "Collect replica status metrics from mysql" + }, + { + "dataset": "status", + "index_pattern": "logs-mysql.status-*", + "title": "MySQL status metrics" + } + ], + "elser_embedding": "MySQL - Collect logs and metrics from MySQL servers with Elastic Agent. - MySQL performance metrics MySQL error logs MySQL slowlog logs MySQL galera_status metrics Collect replica status metrics from mysql MySQL status metrics" + }, + { + "title": "CISA Known Exploited Vulnerabilities", + "id": "cisa_kevs", + "description": "This package allows the ingest of known exploited vulnerabilities according to the Cybersecurity and Infrastructure Security Agency of the United States of America. This information could be used to enrich or track exisiting vulnerabilities that are known to be exploited in the wild.", + "data_streams": [ + { + "dataset": "vulnerability", + "index_pattern": "logs-cisa_kevs.vulnerability-*", + "title": "CISA Known Exploited Vulnerabilities List" + } + ], + "elser_embedding": "CISA Known Exploited Vulnerabilities - This package allows the ingest of known exploited vulnerabilities according to the Cybersecurity and Infrastructure Security Agency of the United States of America. This information could be used to enrich or track exisiting vulnerabilities that are known to be exploited in the wild. - CISA Known Exploited Vulnerabilities List" + }, + { + "title": "StormShield SNS", + "id": "stormshield", + "description": "Stormshield SNS integration.", + "data_streams": [ + { + "dataset": "log", + "index_pattern": "logs-stormshield.log-*", + "title": "StormShield SNS logs" + } + ], + "elser_embedding": "StormShield SNS - Stormshield SNS integration. - StormShield SNS logs" + }, + { + "title": "1Password", + "id": "1password", + "description": "Collect logs from 1Password with Elastic Agent.", + "data_streams": [ + { + "dataset": "item_usages", + "index_pattern": "logs-1password.item_usages-*", + "title": "Collect 1Password item usages events" + }, + { + "dataset": "signin_attempts", + "index_pattern": "logs-1password.signin_attempts-*", + "title": "1Password sign-in attempt events" + }, + { + "dataset": "audit_events", + "index_pattern": "logs-1password.audit_events-*", + "title": "Collect 1Password audit events" + } + ], + "elser_embedding": "1Password - Collect logs from 1Password with Elastic Agent. - Collect 1Password item usages events 1Password sign-in attempt events Collect 1Password audit events" + }, + { + "title": "Azure Network Watcher NSG", + "id": "azure_network_watcher_nsg", + "description": "Collect logs from Azure Network Watcher NSG with Elastic Agent.", + "data_streams": [ + { + "dataset": "log", + "index_pattern": "logs-azure_network_watcher_nsg.log-*", + "title": "Collect NSG logs from Azure Network Watcher" + } + ], + "elser_embedding": "Azure Network Watcher NSG - Collect logs from Azure Network Watcher NSG with Elastic Agent. - Collect NSG logs from Azure Network Watcher" + }, + { + "title": "WebSphere Application Server", + "id": "websphere_application_server", + "description": "Collects metrics from IBM WebSphere Application Server with Elastic Agent.", + "data_streams": [ + { + "dataset": "threadpool", + "index_pattern": "logs-websphere_application_server.threadpool-*", + "title": "ThreadPool metrics" + }, + { + "dataset": "servlet", + "index_pattern": "logs-websphere_application_server.servlet-*", + "title": "Servlet metrics" + }, + { + "dataset": "session_manager", + "index_pattern": "logs-websphere_application_server.session_manager-*", + "title": "Session Manager metrics" + }, + { + "dataset": "jdbc", + "index_pattern": "logs-websphere_application_server.jdbc-*", + "title": "JDBC metrics" + } + ], + "elser_embedding": "WebSphere Application Server - Collects metrics from IBM WebSphere Application Server with Elastic Agent. - ThreadPool metrics Servlet metrics Session Manager metrics JDBC metrics" + }, + { + "title": "GitLab", + "id": "gitlab", + "description": "Collect logs from GitLab with Elastic Agent.", + "data_streams": [ + { + "dataset": "sidekiq", + "index_pattern": "logs-gitlab.sidekiq-*", + "title": "GitLab Sidekiq logs" + }, + { + "dataset": "audit", + "index_pattern": "logs-gitlab.audit-*", + "title": "Audit" + }, + { + "dataset": "auth", + "index_pattern": "logs-gitlab.auth-*", + "title": "Auth" + }, + { + "dataset": "application", + "index_pattern": "logs-gitlab.application-*", + "title": "Application" + }, + { + "dataset": "pages", + "index_pattern": "logs-gitlab.pages-*", + "title": "GitLab Pages logs" + }, + { + "dataset": "production", + "index_pattern": "logs-gitlab.production-*", + "title": "GitLab Production logs" + }, + { + "dataset": "api", + "index_pattern": "logs-gitlab.api-*", + "title": "GitLab API logs" + } + ], + "elser_embedding": "GitLab - Collect logs from GitLab with Elastic Agent. - GitLab Sidekiq logs Audit Auth Application GitLab Pages logs GitLab Production logs GitLab API logs" + }, + { + "title": "Custom Logs", + "id": "log", + "description": "Collect custom logs with Elastic Agent.", + "data_streams": [], + "elser_embedding": "Custom Logs - Collect custom logs with Elastic Agent. - " + }, + { + "title": "Tenable Vulnerability Management", + "id": "tenable_io", + "description": "Collect logs from Tenable Vulnerability Management with Elastic Agent.", + "data_streams": [ + { + "dataset": "plugin", + "index_pattern": "logs-tenable_io.plugin-*", + "title": "Collect Plugin logs from Tenable Vulnerability Management" + }, + { + "dataset": "vulnerability", + "index_pattern": "logs-tenable_io.vulnerability-*", + "title": "Collect Vulnerability logs from Tenable Vulnerability Management" + }, + { + "dataset": "scan", + "index_pattern": "logs-tenable_io.scan-*", + "title": "Collect Scan logs from Tenable Vulnerability Management" + }, + { + "dataset": "asset", + "index_pattern": "logs-tenable_io.asset-*", + "title": "Collect Asset data from Tenable Vulnerability Management" + } + ], + "elser_embedding": "Tenable Vulnerability Management - Collect logs from Tenable Vulnerability Management with Elastic Agent. - Collect Plugin logs from Tenable Vulnerability Management Collect Vulnerability logs from Tenable Vulnerability Management Collect Scan logs from Tenable Vulnerability Management Collect Asset data from Tenable Vulnerability Management" + }, + { + "title": "Falco", + "id": "falco", + "description": "Collect events and alerts from Falco using Elastic Agent", + "data_streams": [ + { + "dataset": "alerts", + "index_pattern": "logs-falco.alerts-*", + "title": "Falco Alerts" + } + ], + "elser_embedding": "Falco - Collect events and alerts from Falco using Elastic Agent - Falco Alerts" + }, + { + "title": "Docker", + "id": "docker", + "description": "Collect metrics and logs from Docker instances with Elastic Agent.", + "data_streams": [ + { + "dataset": "memory", + "index_pattern": "logs-docker.memory-*", + "title": "Docker memory metrics" + }, + { + "dataset": "network", + "index_pattern": "logs-docker.network-*", + "title": "Docker network metrics" + }, + { + "dataset": "image", + "index_pattern": "logs-docker.image-*", + "title": "Docker image metrics" + }, + { + "dataset": "container", + "index_pattern": "logs-docker.container-*", + "title": "Docker container metrics" + }, + { + "dataset": "info", + "index_pattern": "logs-docker.info-*", + "title": "Docker info metrics" + }, + { + "dataset": "container_logs", + "index_pattern": "logs-docker.container_logs-*", + "title": "Docker container logs" + }, + { + "dataset": "diskio", + "index_pattern": "logs-docker.diskio-*", + "title": "Docker diskio metrics" + }, + { + "dataset": "event", + "index_pattern": "logs-docker.event-*", + "title": "Docker event metrics" + }, + { + "dataset": "healthcheck", + "index_pattern": "logs-docker.healthcheck-*", + "title": "Docker healthcheck metrics" + }, + { + "dataset": "cpu", + "index_pattern": "logs-docker.cpu-*", + "title": "Docker cpu metrics" + } + ], + "elser_embedding": "Docker - Collect metrics and logs from Docker instances with Elastic Agent. - Docker memory metrics Docker network metrics Docker image metrics Docker container metrics Docker info metrics Docker container logs Docker diskio metrics Docker event metrics Docker healthcheck metrics Docker cpu metrics" + }, + { + "title": "Elastic Synthetics Dashboards", + "id": "synthetics_dashboards", + "description": "Explore Elastic Synthetics metrics with these dashboards.", + "data_streams": [], + "elser_embedding": "Elastic Synthetics Dashboards - Explore Elastic Synthetics metrics with these dashboards. - " + }, + { + "title": "Azure Billing Metrics", + "id": "azure_billing", + "description": "Collect billing metrics with Elastic Agent.", + "data_streams": [ + { + "dataset": "billing", + "index_pattern": "logs-azure_billing.billing-*", + "title": "Azure Billing Metrics" + } + ], + "elser_embedding": "Azure Billing Metrics - Collect billing metrics with Elastic Agent. - Azure Billing Metrics" + }, + { + "title": "Couchbase", + "id": "couchbase", + "description": "Collect metrics from Couchbase databases with Elastic Agent.", + "data_streams": [ + { + "dataset": "cache", + "index_pattern": "logs-couchbase.cache-*", + "title": "Couchbase Sync Gateway Cache metrics." + }, + { + "dataset": "cbl_replication", + "index_pattern": "logs-couchbase.cbl_replication-*", + "title": "Couchbase Sync Gateway CBL Replications metrics" + }, + { + "dataset": "query_index", + "index_pattern": "logs-couchbase.query_index-*", + "title": "Query Index metrics" + }, + { + "dataset": "xdcr", + "index_pattern": "logs-couchbase.xdcr-*", + "title": "Couchbase XDCR Metrics" + }, + { + "dataset": "miscellaneous", + "index_pattern": "logs-couchbase.miscellaneous-*", + "title": "Couchbase Sync Gateway Delta Sync, Import, Security and GSI views metrics." + }, + { + "dataset": "node", + "index_pattern": "logs-couchbase.node-*", + "title": "Node metrics" + }, + { + "dataset": "resource", + "index_pattern": "logs-couchbase.resource-*", + "title": "Couchbase Sync Gateway Resource Utilization metrics." + }, + { + "dataset": "bucket", + "index_pattern": "logs-couchbase.bucket-*", + "title": "Couchbase bucket metrics" + }, + { + "dataset": "cluster", + "index_pattern": "logs-couchbase.cluster-*", + "title": "Couchbase cluster metrics" + }, + { + "dataset": "database_stats", + "index_pattern": "logs-couchbase.database_stats-*", + "title": "Couchbase Sync Gateway Database Stats metrics." + } + ], + "elser_embedding": "Couchbase - Collect metrics from Couchbase databases with Elastic Agent. - Couchbase Sync Gateway Cache metrics. Couchbase Sync Gateway CBL Replications metrics Query Index metrics Couchbase XDCR Metrics Couchbase Sync Gateway Delta Sync, Import, Security and GSI views metrics. Node metrics Couchbase Sync Gateway Resource Utilization metrics. Couchbase bucket metrics Couchbase cluster metrics Couchbase Sync Gateway Database Stats metrics." + }, + { + "title": "VMware Carbon Black Cloud", + "id": "carbon_black_cloud", + "description": "Collect logs from VMWare Carbon Black Cloud with Elastic Agent.", + "data_streams": [ + { + "dataset": "watchlist_hit", + "index_pattern": "logs-carbon_black_cloud.watchlist_hit-*", + "title": "Watchlist Hit" + }, + { + "dataset": "asset_vulnerability_summary", + "index_pattern": "logs-carbon_black_cloud.asset_vulnerability_summary-*", + "title": "Asset Vulnerability Summary" + }, + { + "dataset": "endpoint_event", + "index_pattern": "logs-carbon_black_cloud.endpoint_event-*", + "title": "Endpoint Event" + }, + { + "dataset": "audit", + "index_pattern": "logs-carbon_black_cloud.audit-*", + "title": "Audit" + }, + { + "dataset": "alert", + "index_pattern": "logs-carbon_black_cloud.alert-*", + "title": "Alert" + }, + { + "dataset": "alert_v7", + "index_pattern": "logs-carbon_black_cloud.alert_v7-*", + "title": "Alert V7" + } + ], + "elser_embedding": "VMware Carbon Black Cloud - Collect logs from VMWare Carbon Black Cloud with Elastic Agent. - Watchlist Hit Asset Vulnerability Summary Endpoint Event Audit Alert Alert V7" + }, + { + "title": "Universal Profiling Symbolizer", + "id": "profiler_symbolizer", + "description": "Fleet-wide, whole-system, continuous profiling with zero instrumentation.", + "data_streams": [], + "elser_embedding": "Universal Profiling Symbolizer - Fleet-wide, whole-system, continuous profiling with zero instrumentation. - " + }, + { + "title": "Fortinet FortiProxy", + "id": "fortinet_fortiproxy", + "description": "Collect logs from Fortinet FortiProxy with Elastic Agent.", + "data_streams": [ + { + "dataset": "log", + "index_pattern": "logs-fortinet_fortiproxy.log-*", + "title": "Collect logs from Fortinet FortiProxy" + } + ], + "elser_embedding": "Fortinet FortiProxy - Collect logs from Fortinet FortiProxy with Elastic Agent. - Collect logs from Fortinet FortiProxy" + }, + { + "title": "MongoDB Atlas", + "id": "mongodb_atlas", + "description": "This Elastic integration collects logs and metrics from MongoDB Atlas instance.", + "data_streams": [ + { + "dataset": "mongod_database", + "index_pattern": "logs-mongodb_atlas.mongod_database-*", + "title": "Collect Mongod Database logs from MongoDB Atlas" + }, + { + "dataset": "disk", + "index_pattern": "logs-mongodb_atlas.disk-*", + "title": "Collect Disk metrics from MongoDB Atlas" + }, + { + "dataset": "project", + "index_pattern": "logs-mongodb_atlas.project-*", + "title": "Collect Project logs from MongoDB Atlas" + }, + { + "dataset": "process", + "index_pattern": "logs-mongodb_atlas.process-*", + "title": "Collect Process metrics from MongoDB Atlas" + }, + { + "dataset": "alert", + "index_pattern": "logs-mongodb_atlas.alert-*", + "title": "Collect Alert logs from MongoDB Atlas" + }, + { + "dataset": "mongod_audit", + "index_pattern": "logs-mongodb_atlas.mongod_audit-*", + "title": "Collect Mongod Audit logs from MongoDB Atlas" + }, + { + "dataset": "organization", + "index_pattern": "logs-mongodb_atlas.organization-*", + "title": "Collect Organization logs from MongoDB Atlas" + }, + { + "dataset": "hardware", + "index_pattern": "logs-mongodb_atlas.hardware-*", + "title": "Collect Hardware metrics from MongoDB Atlas" + } + ], + "elser_embedding": "MongoDB Atlas - This Elastic integration collects logs and metrics from MongoDB Atlas instance. - Collect Mongod Database logs from MongoDB Atlas Collect Disk metrics from MongoDB Atlas Collect Project logs from MongoDB Atlas Collect Process metrics from MongoDB Atlas Collect Alert logs from MongoDB Atlas Collect Mongod Audit logs from MongoDB Atlas Collect Organization logs from MongoDB Atlas Collect Hardware metrics from MongoDB Atlas" + }, + { + "title": "Zero Networks", + "id": "zeronetworks", + "description": "Zero Networks Logs integration", + "data_streams": [ + { + "dataset": "audit", + "index_pattern": "logs-zeronetworks.audit-*", + "title": "Zero Networks Audit Logs" + } + ], + "elser_embedding": "Zero Networks - Zero Networks Logs integration - Zero Networks Audit Logs" + }, + { + "title": "CockroachDB Metrics", + "id": "cockroachdb", + "description": "Collect metrics from CockroachDB servers with Elastic Agent.", + "data_streams": [ + { + "dataset": "status", + "index_pattern": "logs-cockroachdb.status-*", + "title": "Status" + } + ], + "elser_embedding": "CockroachDB Metrics - Collect metrics from CockroachDB servers with Elastic Agent. - Status" + }, + { + "title": "Microsoft Exchange Server", + "id": "microsoft_exchange_server", + "description": "Collect logs from Microsoft Exchange Server with Elastic Agent.", + "data_streams": [ + { + "dataset": "imap4_pop3", + "index_pattern": "logs-microsoft_exchange_server.imap4_pop3-*", + "title": "Exchange Server IMAP4 POP3" + }, + { + "dataset": "httpproxy", + "index_pattern": "logs-microsoft_exchange_server.httpproxy-*", + "title": "Exchange HTTPProxy" + }, + { + "dataset": "smtp", + "index_pattern": "logs-microsoft_exchange_server.smtp-*", + "title": "Exchange SMTP" + }, + { + "dataset": "messagetracking", + "index_pattern": "logs-microsoft_exchange_server.messagetracking-*", + "title": "Exchange Messagetracking" + } + ], + "elser_embedding": "Microsoft Exchange Server - Collect logs from Microsoft Exchange Server with Elastic Agent. - Exchange Server IMAP4 POP3 Exchange HTTPProxy Exchange SMTP Exchange Messagetracking" + }, + { + "title": "Cisco Secure Email Gateway", + "id": "cisco_secure_email_gateway", + "description": "Collect logs from Cisco Secure Email Gateway with Elastic Agent.", + "data_streams": [ + { + "dataset": "log", + "index_pattern": "logs-cisco_secure_email_gateway.log-*", + "title": "Cisco Secure Email Gateway logs" + } + ], + "elser_embedding": "Cisco Secure Email Gateway - Collect logs from Cisco Secure Email Gateway with Elastic Agent. - Cisco Secure Email Gateway logs" + }, + { + "title": "Prometheus Input", + "id": "prometheus_input", + "description": "Collects metrics from Prometheus exporter.", + "data_streams": [], + "elser_embedding": "Prometheus Input - Collects metrics from Prometheus exporter. - " + }, + { + "title": "PingOne", + "id": "ping_one", + "description": "Collect logs from PingOne with Elastic-Agent.", + "data_streams": [ + { + "dataset": "audit", + "index_pattern": "logs-ping_one.audit-*", + "title": "Collect Audit logs from PingOne" + } + ], + "elser_embedding": "PingOne - Collect logs from PingOne with Elastic-Agent. - Collect Audit logs from PingOne" + }, + { + "title": "Squid Proxy", + "id": "squid", + "description": "Collect and parse logs from Squid devices with Elastic Agent.", + "data_streams": [ + { + "dataset": "log", + "index_pattern": "logs-squid.log-*", + "title": "Squid logs" + } + ], + "elser_embedding": "Squid Proxy - Collect and parse logs from Squid devices with Elastic Agent. - Squid logs" + }, + { + "title": "Zoom", + "id": "zoom", + "description": "Collect logs from Zoom with Elastic Agent.", + "data_streams": [ + { + "dataset": "webhook", + "index_pattern": "logs-zoom.webhook-*", + "title": "Zoom webhook logs" + } + ], + "elser_embedding": "Zoom - Collect logs from Zoom with Elastic Agent. - Zoom webhook logs" + }, + { + "title": "Auth0", + "id": "auth0", + "description": "Collect logs from Auth0 with Elastic Agent.", + "data_streams": [ + { + "dataset": "logs", + "index_pattern": "logs-auth0.logs-*", + "title": "Auth0 logs" + } + ], + "elser_embedding": "Auth0 - Collect logs from Auth0 with Elastic Agent. - Auth0 logs" + }, + { + "title": "Tomcat NetWitness Logs", + "id": "tomcat", + "description": "Collect and parse logs from Apache Tomcat servers with Elastic Agent.", + "data_streams": [ + { + "dataset": "log", + "index_pattern": "logs-tomcat.log-*", + "title": "Apache Tomcat logs" + } + ], + "elser_embedding": "Tomcat NetWitness Logs - Collect and parse logs from Apache Tomcat servers with Elastic Agent. - Apache Tomcat logs" + }, + { + "title": "Auditd Logs", + "id": "auditd", + "description": "Collect logs from Linux audit daemon with Elastic Agent.", + "data_streams": [ + { + "dataset": "log", + "index_pattern": "logs-auditd.log-*", + "title": "Auditd logs" + } + ], + "elser_embedding": "Auditd Logs - Collect logs from Linux audit daemon with Elastic Agent. - Auditd logs" + }, + { + "title": "SQL Input", + "id": "sql", + "description": "Collects Metrics by Quering on SQL Databases", + "data_streams": [], + "elser_embedding": "SQL Input - Collects Metrics by Quering on SQL Databases - " + }, + { + "title": "Azure Frontdoor", + "id": "azure_frontdoor", + "description": "This Elastic integration collects logs from Azure Frontdoor.", + "data_streams": [ + { + "dataset": "access", + "index_pattern": "logs-azure_frontdoor.access-*", + "title": "FrontDoor Access" + }, + { + "dataset": "waf", + "index_pattern": "logs-azure_frontdoor.waf-*", + "title": "FrontDoor WAF" + } + ], + "elser_embedding": "Azure Frontdoor - This Elastic integration collects logs from Azure Frontdoor. - FrontDoor Access FrontDoor WAF" + }, + { + "title": "Amazon Data Firehose", + "id": "awsfirehose", + "description": "Stream logs and metrics from Amazon Data Firehose into Elastic Cloud.", + "data_streams": [ + { + "dataset": "logs", + "index_pattern": "logs-awsfirehose.logs-*", + "title": "Logs from Amazon Data Firehose" + }, + { + "dataset": "metrics", + "index_pattern": "logs-awsfirehose.metrics-*", + "title": "Metrics ingested from Amazon Data Firehose" + } + ], + "elser_embedding": "Amazon Data Firehose - Stream logs and metrics from Amazon Data Firehose into Elastic Cloud. - Logs from Amazon Data Firehose Metrics ingested from Amazon Data Firehose" + }, + { + "title": "Zscaler Internet Access", + "id": "zscaler_zia", + "description": "Collect logs from Zscaler Internet Access (ZIA) with Elastic Agent.", + "data_streams": [ + { + "dataset": "sandbox_report", + "index_pattern": "logs-zscaler_zia.sandbox_report-*", + "title": "Sandbox Report Logs" + }, + { + "dataset": "tunnel", + "index_pattern": "logs-zscaler_zia.tunnel-*", + "title": "Tunnel Logs" + }, + { + "dataset": "audit", + "index_pattern": "logs-zscaler_zia.audit-*", + "title": "Audit Logs" + }, + { + "dataset": "dns", + "index_pattern": "logs-zscaler_zia.dns-*", + "title": "DNS logs" + }, + { + "dataset": "web", + "index_pattern": "logs-zscaler_zia.web-*", + "title": "Web Logs" + }, + { + "dataset": "endpoint_dlp", + "index_pattern": "logs-zscaler_zia.endpoint_dlp-*", + "title": "Endpoint DLP Logs" + }, + { + "dataset": "alerts", + "index_pattern": "logs-zscaler_zia.alerts-*", + "title": "Alerts" + }, + { + "dataset": "firewall", + "index_pattern": "logs-zscaler_zia.firewall-*", + "title": "Firewall Logs" + } + ], + "elser_embedding": "Zscaler Internet Access - Collect logs from Zscaler Internet Access (ZIA) with Elastic Agent. - Sandbox Report Logs Tunnel Logs Audit Logs DNS logs Web Logs Endpoint DLP Logs Alerts Firewall Logs" + }, + { + "title": "Broadcom ProxySG", + "id": "proxysg", + "description": "Collect access logs from Broadcom ProxySG with Elastic Agent.", + "data_streams": [ + { + "dataset": "log", + "index_pattern": "logs-proxysg.log-*", + "title": "ProxySG Access Logs" + } + ], + "elser_embedding": "Broadcom ProxySG - Collect access logs from Broadcom ProxySG with Elastic Agent. - ProxySG Access Logs" + }, + { + "title": "Juniper SRX", + "id": "juniper_srx", + "description": "Collect logs from Juniper SRX devices with Elastic Agent.", + "data_streams": [ + { + "dataset": "log", + "index_pattern": "logs-juniper_srx.log-*", + "title": "Juniper SRX logs" + } + ], + "elser_embedding": "Juniper SRX - Collect logs from Juniper SRX devices with Elastic Agent. - Juniper SRX logs" + }, + { + "title": "ServiceNow", + "id": "servicenow", + "description": "Collect logs from ServiceNow with Elastic Agent.", + "data_streams": [ + { + "dataset": "event", + "index_pattern": "logs-servicenow.event-*", + "title": "Event" + } + ], + "elser_embedding": "ServiceNow - Collect logs from ServiceNow with Elastic Agent. - Event" + }, + { + "title": "Defend for Containers", + "id": "cloud_defend", + "description": "Elastic Defend for Containers (BETA) provides cloud-native runtime protections for containerized environments.", + "data_streams": [ + { + "dataset": "heartbeat", + "index_pattern": "logs-cloud_defend.heartbeat-*", + "title": "Cloud Defend Liveness Heartbeat" + }, + { + "dataset": "file", + "index_pattern": "logs-cloud_defend.file-*", + "title": "File telemetry" + }, + { + "dataset": "process", + "index_pattern": "logs-cloud_defend.process-*", + "title": "Process telemetry" + }, + { + "dataset": "metrics", + "index_pattern": "logs-cloud_defend.metrics-*", + "title": "Cloud defend metrics" + }, + { + "dataset": "alerts", + "index_pattern": "logs-cloud_defend.alerts-*", + "title": "alerts" + } + ], + "elser_embedding": "Defend for Containers - Elastic Defend for Containers (BETA) provides cloud-native runtime protections for containerized environments. - Cloud Defend Liveness Heartbeat File telemetry Process telemetry Cloud defend metrics alerts" + }, + { + "title": "authentik", + "id": "authentik", + "description": "Collect logs from authentik with Elastic Agent.", + "data_streams": [ + { + "dataset": "group", + "index_pattern": "logs-authentik.group-*", + "title": "authentik group logs" + }, + { + "dataset": "event", + "index_pattern": "logs-authentik.event-*", + "title": "authentik event logs" + }, + { + "dataset": "user", + "index_pattern": "logs-authentik.user-*", + "title": "authentik user logs" + } + ], + "elser_embedding": "authentik - Collect logs from authentik with Elastic Agent. - authentik group logs authentik event logs authentik user logs" + }, + { + "title": "Wiz", + "id": "wiz", + "description": "Collect logs from Wiz with Elastic Agent.", + "data_streams": [ + { + "dataset": "issue", + "index_pattern": "logs-wiz.issue-*", + "title": "Collect Issue logs from Wiz." + }, + { + "dataset": "vulnerability", + "index_pattern": "logs-wiz.vulnerability-*", + "title": "Collect Vulnerability logs from Wiz." + }, + { + "dataset": "audit", + "index_pattern": "logs-wiz.audit-*", + "title": "Collect Audit logs from Wiz." + }, + { + "dataset": "cloud_configuration_finding", + "index_pattern": "logs-wiz.cloud_configuration_finding-*", + "title": "Collet Cloud Configuration Finding logs from Wiz." + } + ], + "elser_embedding": "Wiz - Collect logs from Wiz with Elastic Agent. - Collect Issue logs from Wiz. Collect Vulnerability logs from Wiz. Collect Audit logs from Wiz. Collet Cloud Configuration Finding logs from Wiz." + }, + { + "title": "Mattermost", + "id": "mattermost", + "description": "Collect logs from Mattermost with Elastic Agent.", + "data_streams": [ + { + "dataset": "audit", + "index_pattern": "logs-mattermost.audit-*", + "title": "Audit Logs" + } + ], + "elser_embedding": "Mattermost - Collect logs from Mattermost with Elastic Agent. - Audit Logs" + }, + { + "title": "Teleport", + "id": "teleport", + "description": "Collect logs from Teleport with Elastic Agent.", + "data_streams": [ + { + "dataset": "audit", + "index_pattern": "logs-teleport.audit-*", + "title": "Teleport audit logs" + } + ], + "elser_embedding": "Teleport - Collect logs from Teleport with Elastic Agent. - Teleport audit logs" + }, + { + "title": "Fleet Server", + "id": "fleet_server", + "description": "Centrally manage Elastic Agents with the Fleet Server integration.", + "data_streams": [ + { + "dataset": "agent_versions_metrics", + "index_pattern": "logs-fleet_server.agent_versions_metrics-*", + "title": "Fleet Agent Versions" + }, + { + "dataset": "agent_status_metrics", + "index_pattern": "logs-fleet_server.agent_status_metrics-*", + "title": "Fleet Agent Status" + }, + { + "dataset": "output_health_logs", + "index_pattern": "logs-fleet_server.output_health_logs-*", + "title": "Output Health" + } + ], + "elser_embedding": "Fleet Server - Centrally manage Elastic Agents with the Fleet Server integration. - Fleet Agent Versions Fleet Agent Status Output Health" + }, + { + "title": "Cisco Secure Endpoint", + "id": "cisco_secure_endpoint", + "description": "Collect logs from Cisco Secure Endpoint (AMP) with Elastic Agent.", + "data_streams": [ + { + "dataset": "event", + "index_pattern": "logs-cisco_secure_endpoint.event-*", + "title": "Cisco Secure Endpoint logs" + } + ], + "elser_embedding": "Cisco Secure Endpoint - Collect logs from Cisco Secure Endpoint (AMP) with Elastic Agent. - Cisco Secure Endpoint logs" + }, + { + "title": "Iptables", + "id": "iptables", + "description": "Collect logs from Iptables with Elastic Agent.", + "data_streams": [ + { + "dataset": "log", + "index_pattern": "logs-iptables.log-*", + "title": "Iptables log logs" + } + ], + "elser_embedding": "Iptables - Collect logs from Iptables with Elastic Agent. - Iptables log logs" + }, + { + "title": "Google Workspace", + "id": "google_workspace", + "description": "Collect logs from Google Workspace with Elastic Agent.", + "data_streams": [ + { + "dataset": "user_accounts", + "index_pattern": "logs-google_workspace.user_accounts-*", + "title": "User accounts logs" + }, + { + "dataset": "device", + "index_pattern": "logs-google_workspace.device-*", + "title": "Device logs" + }, + { + "dataset": "admin", + "index_pattern": "logs-google_workspace.admin-*", + "title": "Admin logs" + }, + { + "dataset": "gcp", + "index_pattern": "logs-google_workspace.gcp-*", + "title": "GCP logs" + }, + { + "dataset": "group_enterprise", + "index_pattern": "logs-google_workspace.group_enterprise-*", + "title": "Group Enterprise logs" + }, + { + "dataset": "login", + "index_pattern": "logs-google_workspace.login-*", + "title": "Login logs" + }, + { + "dataset": "access_transparency", + "index_pattern": "logs-google_workspace.access_transparency-*", + "title": "Access Transparency logs" + }, + { + "dataset": "alert", + "index_pattern": "logs-google_workspace.alert-*", + "title": "Collect Alert logs from Google Workspace" + }, + { + "dataset": "context_aware_access", + "index_pattern": "logs-google_workspace.context_aware_access-*", + "title": "Context Aware Access logs" + }, + { + "dataset": "token", + "index_pattern": "logs-google_workspace.token-*", + "title": "Token logs" + }, + { + "dataset": "drive", + "index_pattern": "logs-google_workspace.drive-*", + "title": "Drive logs" + }, + { + "dataset": "groups", + "index_pattern": "logs-google_workspace.groups-*", + "title": "Groups logs" + }, + { + "dataset": "saml", + "index_pattern": "logs-google_workspace.saml-*", + "title": "SAML logs" + }, + { + "dataset": "rules", + "index_pattern": "logs-google_workspace.rules-*", + "title": "Rules logs" + } + ], + "elser_embedding": "Google Workspace - Collect logs from Google Workspace with Elastic Agent. - User accounts logs Device logs Admin logs GCP logs Group Enterprise logs Login logs Access Transparency logs Collect Alert logs from Google Workspace Context Aware Access logs Token logs Drive logs Groups logs SAML logs Rules logs" + }, + { + "title": "VMware Carbon Black EDR", + "id": "carbonblack_edr", + "description": "Collect logs from VMware Carbon Black EDR with Elastic Agent.", + "data_streams": [ + { + "dataset": "log", + "index_pattern": "logs-carbonblack_edr.log-*", + "title": "Carbon Black EDR logs" + } + ], + "elser_embedding": "VMware Carbon Black EDR - Collect logs from VMware Carbon Black EDR with Elastic Agent. - Carbon Black EDR logs" + }, + { + "title": "Mimecast", + "id": "mimecast", + "description": "Collect logs from Mimecast with Elastic Agent.", + "data_streams": [ + { + "dataset": "dlp_logs", + "index_pattern": "logs-mimecast.dlp_logs-*", + "title": "DLP Mimecast Logs" + }, + { + "dataset": "ttp_url_logs", + "index_pattern": "logs-mimecast.ttp_url_logs-*", + "title": "TTP URL Logs" + }, + { + "dataset": "siem_logs", + "index_pattern": "logs-mimecast.siem_logs-*", + "title": "SIEM Mimecast Logs" + }, + { + "dataset": "message_release_logs", + "index_pattern": "logs-mimecast.message_release_logs-*", + "title": "Mimecast Message Release" + }, + { + "dataset": "ttp_ip_logs", + "index_pattern": "logs-mimecast.ttp_ip_logs-*", + "title": "TTP Impersonation Mimecast Logs" + }, + { + "dataset": "audit_events", + "index_pattern": "logs-mimecast.audit_events-*", + "title": "Audit Events Mimecast Logs" + }, + { + "dataset": "ttp_ap_logs", + "index_pattern": "logs-mimecast.ttp_ap_logs-*", + "title": "TTP Attachment Logs" + }, + { + "dataset": "archive_search_logs", + "index_pattern": "logs-mimecast.archive_search_logs-*", + "title": "Archive Search Mimecast Logs" + }, + { + "dataset": "threat_intel_malware_grid", + "index_pattern": "logs-mimecast.threat_intel_malware_grid-*", + "title": "Threat Intel Feed - Malware Grid" + }, + { + "dataset": "threat_intel_malware_customer", + "index_pattern": "logs-mimecast.threat_intel_malware_customer-*", + "title": "Threat Intel Feed - Malware Customer" + } + ], + "elser_embedding": "Mimecast - Collect logs from Mimecast with Elastic Agent. - DLP Mimecast Logs TTP URL Logs SIEM Mimecast Logs Mimecast Message Release TTP Impersonation Mimecast Logs Audit Events Mimecast Logs TTP Attachment Logs Archive Search Mimecast Logs Threat Intel Feed - Malware Grid Threat Intel Feed - Malware Customer" + }, + { + "title": "Oracle WebLogic", + "id": "oracle_weblogic", + "description": "Collect logs and metrics from Oracle WebLogic with Elastic Agent.", + "data_streams": [ + { + "dataset": "managed_server", + "index_pattern": "logs-oracle_weblogic.managed_server-*", + "title": "Managed Server logs" + }, + { + "dataset": "access", + "index_pattern": "logs-oracle_weblogic.access-*", + "title": "Access logs" + }, + { + "dataset": "threadpool", + "index_pattern": "logs-oracle_weblogic.threadpool-*", + "title": "Collect Oracle WebLogic ThreadPool metrics" + }, + { + "dataset": "deployed_application", + "index_pattern": "logs-oracle_weblogic.deployed_application-*", + "title": "Collect Oracle WebLogic Deployed Application metrics" + }, + { + "dataset": "admin_server", + "index_pattern": "logs-oracle_weblogic.admin_server-*", + "title": "Admin Server logs" + }, + { + "dataset": "domain", + "index_pattern": "logs-oracle_weblogic.domain-*", + "title": "Domain logs" + } + ], + "elser_embedding": "Oracle WebLogic - Collect logs and metrics from Oracle WebLogic with Elastic Agent. - Managed Server logs Access logs Collect Oracle WebLogic ThreadPool metrics Collect Oracle WebLogic Deployed Application metrics Admin Server logs Domain logs" + }, + { + "title": "System Audit", + "id": "system_audit", + "description": "Collect various logs & metrics from System Audit modules with Elastic Agent.", + "data_streams": [ + { + "dataset": "package", + "index_pattern": "logs-system_audit.package-*", + "title": "System Audit - [Package]" + } + ], + "elser_embedding": "System Audit - Collect various logs & metrics from System Audit modules with Elastic Agent. - System Audit - [Package]" + }, + { + "title": "Salesforce", + "id": "salesforce", + "description": "Collect logs from Salesforce instances using the Elastic Agent. This integration enables monitoring and analysis of various Salesforce logs, including Login, Logout, Setup Audit Trail, and Apex execution logs. Gain insights into user activity, security events, and application performance.\n", + "data_streams": [ + { + "dataset": "setupaudittrail", + "index_pattern": "logs-salesforce.setupaudittrail-*", + "title": "Salesforce setupaudittrail logs" + }, + { + "dataset": "login", + "index_pattern": "logs-salesforce.login-*", + "title": "Salesforce login logs" + }, + { + "dataset": "logout", + "index_pattern": "logs-salesforce.logout-*", + "title": "Salesforce logout logs" + }, + { + "dataset": "apex", + "index_pattern": "logs-salesforce.apex-*", + "title": "Salesforce Apex logs" + } + ], + "elser_embedding": "Salesforce - Collect logs from Salesforce instances using the Elastic Agent. This integration enables monitoring and analysis of various Salesforce logs, including Login, Logout, Setup Audit Trail, and Apex execution logs. Gain insights into user activity, security events, and application performance.\n - Salesforce setupaudittrail logs Salesforce login logs Salesforce logout logs Salesforce Apex logs" + }, + { + "title": "Azure Application Insights Metrics Overview", + "id": "azure_application_insights", + "description": "Collect application insights metrics from Azure Monitor with Elastic Agent.", + "data_streams": [ + { + "dataset": "app_insights", + "index_pattern": "logs-azure_application_insights.app_insights-*", + "title": "Azure Application Insights" + }, + { + "dataset": "app_state", + "index_pattern": "logs-azure_application_insights.app_state-*", + "title": "Azure Application State" + } + ], + "elser_embedding": "Azure Application Insights Metrics Overview - Collect application insights metrics from Azure Monitor with Elastic Agent. - Azure Application Insights Azure Application State" + }, + { + "title": "ForgeRock", + "id": "forgerock", + "description": "Collect audit logs from ForgeRock with Elastic Agent.", + "data_streams": [ + { + "dataset": "idm_sync", + "index_pattern": "logs-forgerock.idm_sync-*", + "title": "IDM-Sync audit logs" + }, + { + "dataset": "idm_core", + "index_pattern": "logs-forgerock.idm_core-*", + "title": "IDM-Core debug logs" + }, + { + "dataset": "am_access", + "index_pattern": "logs-forgerock.am_access-*", + "title": "AM-Access audit logs" + }, + { + "dataset": "idm_activity", + "index_pattern": "logs-forgerock.idm_activity-*", + "title": "IDM-Activity audit logs" + }, + { + "dataset": "idm_config", + "index_pattern": "logs-forgerock.idm_config-*", + "title": "IDM-Config audit logs" + }, + { + "dataset": "am_config", + "index_pattern": "logs-forgerock.am_config-*", + "title": "AM-Config audit logs" + }, + { + "dataset": "am_activity", + "index_pattern": "logs-forgerock.am_activity-*", + "title": "AM-Activity audit logs" + }, + { + "dataset": "am_authentication", + "index_pattern": "logs-forgerock.am_authentication-*", + "title": "AM-Authentication audit logs" + }, + { + "dataset": "idm_authentication", + "index_pattern": "logs-forgerock.idm_authentication-*", + "title": "IDM-Authentication audit logs" + }, + { + "dataset": "idm_access", + "index_pattern": "logs-forgerock.idm_access-*", + "title": "IDM-Access audit logs" + }, + { + "dataset": "am_core", + "index_pattern": "logs-forgerock.am_core-*", + "title": "AM-Core debug logs" + } + ], + "elser_embedding": "ForgeRock - Collect audit logs from ForgeRock with Elastic Agent. - IDM-Sync audit logs IDM-Core debug logs AM-Access audit logs IDM-Activity audit logs IDM-Config audit logs AM-Config audit logs AM-Activity audit logs AM-Authentication audit logs IDM-Authentication audit logs IDM-Access audit logs AM-Core debug logs" + }, + { + "title": "Tenable.sc", + "id": "tenable_sc", + "description": "Collect logs from Tenable.sc with Elastic Agent.\n", + "data_streams": [ + { + "dataset": "plugin", + "index_pattern": "logs-tenable_sc.plugin-*", + "title": "Tenable.sc plugin logs" + }, + { + "dataset": "vulnerability", + "index_pattern": "logs-tenable_sc.vulnerability-*", + "title": "Tenable.sc vulnerability logs" + }, + { + "dataset": "asset", + "index_pattern": "logs-tenable_sc.asset-*", + "title": "Tenable.sc asset logs" + } + ], + "elser_embedding": "Tenable.sc - Collect logs from Tenable.sc with Elastic Agent.\n - Tenable.sc plugin logs Tenable.sc vulnerability logs Tenable.sc asset logs" + }, + { + "title": "Cisco IOS", + "id": "cisco_ios", + "description": "Collect logs from Cisco IOS with Elastic Agent.", + "data_streams": [ + { + "dataset": "log", + "index_pattern": "logs-cisco_ios.log-*", + "title": "Cisco IOS logs" + } + ], + "elser_embedding": "Cisco IOS - Collect logs from Cisco IOS with Elastic Agent. - Cisco IOS logs" + }, + { + "title": "ZooKeeper Metrics", + "id": "zookeeper", + "description": "Collect metrics from ZooKeeper service with Elastic Agent.", + "data_streams": [ + { + "dataset": "connection", + "index_pattern": "logs-zookeeper.connection-*", + "title": "ZooKeeper connection metrics" + }, + { + "dataset": "mntr", + "index_pattern": "logs-zookeeper.mntr-*", + "title": "ZooKeeper mntr metrics" + }, + { + "dataset": "server", + "index_pattern": "logs-zookeeper.server-*", + "title": "ZooKeeper server metrics" + } + ], + "elser_embedding": "ZooKeeper Metrics - Collect metrics from ZooKeeper service with Elastic Agent. - ZooKeeper connection metrics ZooKeeper mntr metrics ZooKeeper server metrics" + }, + { + "title": "Palo Alto Next-Gen Firewall", + "id": "panw", + "description": "Collect logs from Palo Alto next-gen firewalls with Elastic Agent.", + "data_streams": [ + { + "dataset": "panos", + "index_pattern": "logs-panw.panos-*", + "title": "Palo Alto Networks PAN-OS firewall logs" + } + ], + "elser_embedding": "Palo Alto Next-Gen Firewall - Collect logs from Palo Alto next-gen firewalls with Elastic Agent. - Palo Alto Networks PAN-OS firewall logs" + }, + { + "title": "Hadoop", + "id": "hadoop", + "description": "Collect metrics from Apache Hadoop with Elastic Agent.", + "data_streams": [ + { + "dataset": "namenode", + "index_pattern": "logs-hadoop.namenode-*", + "title": "NameNode Metrics" + }, + { + "dataset": "datanode", + "index_pattern": "logs-hadoop.datanode-*", + "title": "DataNode metrics" + }, + { + "dataset": "node_manager", + "index_pattern": "logs-hadoop.node_manager-*", + "title": "Node Manager metrics" + }, + { + "dataset": "application", + "index_pattern": "logs-hadoop.application-*", + "title": "Application metrics" + }, + { + "dataset": "cluster", + "index_pattern": "logs-hadoop.cluster-*", + "title": "Cluster metrics" + } + ], + "elser_embedding": "Hadoop - Collect metrics from Apache Hadoop with Elastic Agent. - NameNode Metrics DataNode metrics Node Manager metrics Application metrics Cluster metrics" + }, + { + "title": "InfluxDb", + "id": "influxdb", + "description": "Collect metrics from Influxdb database", + "data_streams": [ + { + "dataset": "advstatus", + "index_pattern": "logs-influxdb.advstatus-*", + "title": "InfluxDB database advanced status metrics" + }, + { + "dataset": "status", + "index_pattern": "logs-influxdb.status-*", + "title": "InfluxDB database status metrics" + } + ], + "elser_embedding": "InfluxDb - Collect metrics from Influxdb database - InfluxDB database advanced status metrics InfluxDB database status metrics" + }, + { + "title": "Sophos", + "id": "sophos", + "description": "Collect logs from Sophos with Elastic Agent.", + "data_streams": [ + { + "dataset": "xg", + "index_pattern": "logs-sophos.xg-*", + "title": "Sophos XG logs" + }, + { + "dataset": "utm", + "index_pattern": "logs-sophos.utm-*", + "title": "Sophos UTM logs" + } + ], + "elser_embedding": "Sophos - Collect logs from Sophos with Elastic Agent. - Sophos XG logs Sophos UTM logs" + }, + { + "title": "Menlo Security", + "id": "menlo", + "description": "Collect logs from Menlo Security products with Elastic Agent", + "data_streams": [ + { + "dataset": "dlp", + "index_pattern": "logs-menlo.dlp-*", + "title": "Collect Menlo DLP from Menlo Security API" + }, + { + "dataset": "web", + "index_pattern": "logs-menlo.web-*", + "title": "Collect Menlo Web from Menlo Security API" + } + ], + "elser_embedding": "Menlo Security - Collect logs from Menlo Security products with Elastic Agent - Collect Menlo DLP from Menlo Security API Collect Menlo Web from Menlo Security API" + }, + { + "title": "Barracuda Web Application Firewall", + "id": "barracuda", + "description": "Collect logs from Barracuda Web Application Firewall with Elastic Agent.", + "data_streams": [ + { + "dataset": "waf", + "index_pattern": "logs-barracuda.waf-*", + "title": "Barracuda WAF Logs" + } + ], + "elser_embedding": "Barracuda Web Application Firewall - Collect logs from Barracuda Web Application Firewall with Elastic Agent. - Barracuda WAF Logs" + }, + { + "title": "FireEye Network Security", + "id": "fireeye", + "description": "Collect logs from FireEye NX with Elastic Agent.", + "data_streams": [ + { + "dataset": "nx", + "index_pattern": "logs-fireeye.nx-*", + "title": "Fireeye NX" + } + ], + "elser_embedding": "FireEye Network Security - Collect logs from FireEye NX with Elastic Agent. - Fireeye NX" + }, + { + "title": "Tines", + "id": "tines", + "description": "Tines Logs & Time Saved Reports", + "data_streams": [ + { + "dataset": "time_saved", + "index_pattern": "logs-tines.time_saved-*", + "title": "Tines Time Saved Reports" + }, + { + "dataset": "audit_logs", + "index_pattern": "logs-tines.audit_logs-*", + "title": "Tines Audit Logs" + } + ], + "elser_embedding": "Tines - Tines Logs & Time Saved Reports - Tines Time Saved Reports Tines Audit Logs" + }, + { + "title": "Cisco Meraki Metrics", + "id": "cisco_meraki_metrics", + "description": "Collect metrics from Cisco Meraki with Elastic Agent.", + "data_streams": [ + { + "dataset": "device_health", + "index_pattern": "logs-cisco_meraki_metrics.device_health-*", + "title": "Cisco Meraki Device Health Metrics" + } + ], + "elser_embedding": "Cisco Meraki Metrics - Collect metrics from Cisco Meraki with Elastic Agent. - Cisco Meraki Device Health Metrics" + }, + { + "title": "VMware vSphere", + "id": "vsphere", + "description": "This Elastic integration collects metrics and logs from vSphere/vCenter servers", + "data_streams": [ + { + "dataset": "network", + "index_pattern": "logs-vsphere.network-*", + "title": "vSphere network metrics" + }, + { + "dataset": "resourcepool", + "index_pattern": "logs-vsphere.resourcepool-*", + "title": "vSphere resourcepool metrics" + }, + { + "dataset": "datastore", + "index_pattern": "logs-vsphere.datastore-*", + "title": "vSphere datastore metrics" + }, + { + "dataset": "virtualmachine", + "index_pattern": "logs-vsphere.virtualmachine-*", + "title": "vSphere virtual machine metrics" + }, + { + "dataset": "host", + "index_pattern": "logs-vsphere.host-*", + "title": "vSphere host metrics" + }, + { + "dataset": "datastorecluster", + "index_pattern": "logs-vsphere.datastorecluster-*", + "title": "vSphere DatastoreCluster metrics" + }, + { + "dataset": "log", + "index_pattern": "logs-vsphere.log-*", + "title": "vSphere Logs" + }, + { + "dataset": "cluster", + "index_pattern": "logs-vsphere.cluster-*", + "title": "vSphere cluster metrics" + } + ], + "elser_embedding": "VMware vSphere - This Elastic integration collects metrics and logs from vSphere/vCenter servers - vSphere network metrics vSphere resourcepool metrics vSphere datastore metrics vSphere virtual machine metrics vSphere host metrics vSphere DatastoreCluster metrics vSphere Logs vSphere cluster metrics" + }, + { + "title": "Platform Observability", + "id": "platform_observability", + "description": "Collect stack component logs with Elastic Agent", + "data_streams": [ + { + "dataset": "kibana_audit", + "index_pattern": "logs-platform_observability.kibana_audit-*", + "title": "Platform Observability Kibana audit logs" + }, + { + "dataset": "kibana_log", + "index_pattern": "logs-platform_observability.kibana_log-*", + "title": "Platform Observability Kibana logs" + } + ], + "elser_embedding": "Platform Observability - Collect stack component logs with Elastic Agent - Platform Observability Kibana audit logs Platform Observability Kibana logs" + }, + { + "title": "System", + "id": "system", + "description": "Collect system logs and metrics from your servers with Elastic Agent.", + "data_streams": [ + { + "dataset": "memory", + "index_pattern": "logs-system.memory-*", + "title": "System memory metrics" + }, + { + "dataset": "network", + "index_pattern": "logs-system.network-*", + "title": "System network metrics" + }, + { + "dataset": "uptime", + "index_pattern": "logs-system.uptime-*", + "title": "System uptime metrics" + }, + { + "dataset": "socket_summary", + "index_pattern": "logs-system.socket_summary-*", + "title": "System socket_summary metrics" + }, + { + "dataset": "auth", + "index_pattern": "logs-system.auth-*", + "title": "System auth logs" + }, + { + "dataset": "process", + "index_pattern": "logs-system.process-*", + "title": "System process metrics" + }, + { + "dataset": "load", + "index_pattern": "logs-system.load-*", + "title": "System load metrics" + }, + { + "dataset": "application", + "index_pattern": "logs-system.application-*", + "title": "Windows Application Events" + }, + { + "dataset": "diskio", + "index_pattern": "logs-system.diskio-*", + "title": "System diskio metrics" + }, + { + "dataset": "syslog", + "index_pattern": "logs-system.syslog-*", + "title": "System syslog logs" + }, + { + "dataset": "filesystem", + "index_pattern": "logs-system.filesystem-*", + "title": "System filesystem metrics" + }, + { + "dataset": "fsstat", + "index_pattern": "logs-system.fsstat-*", + "title": "System fsstat metrics" + }, + { + "dataset": "core", + "index_pattern": "logs-system.core-*", + "title": "System core metrics" + }, + { + "dataset": "cpu", + "index_pattern": "logs-system.cpu-*", + "title": "System cpu metrics" + }, + { + "dataset": "process_summary", + "index_pattern": "logs-system.process_summary-*", + "title": "System process_summary metrics" + }, + { + "dataset": "system", + "index_pattern": "logs-system.system-*", + "title": "Windows System Events" + }, + { + "dataset": "security", + "index_pattern": "logs-system.security-*", + "title": "Security logs" + } + ], + "elser_embedding": "System - Collect system logs and metrics from your servers with Elastic Agent. - System memory metrics System network metrics System uptime metrics System socket_summary metrics System auth logs System process metrics System load metrics Windows Application Events System diskio metrics System syslog logs System filesystem metrics System fsstat metrics System core metrics System cpu metrics System process_summary metrics Windows System Events Security logs" + }, + { + "title": "Airflow", + "id": "airflow", + "description": "Airflow Integration.", + "data_streams": [ + { + "dataset": "statsd", + "index_pattern": "logs-airflow.statsd-*", + "title": "Airflow metrics" + } + ], + "elser_embedding": "Airflow - Airflow Integration. - Airflow metrics" + }, + { + "title": "Custom Google Pub/Sub Logs", + "id": "gcp_pubsub", + "description": "Collect Logs from Google Pub/Sub topics", + "data_streams": [], + "elser_embedding": "Custom Google Pub/Sub Logs - Collect Logs from Google Pub/Sub topics - " + }, + { + "title": "Beat", + "id": "beat", + "description": "Beat Integration", + "data_streams": [], + "elser_embedding": "Beat - Beat Integration - " + }, + { + "title": "Cyberark Privileged Threat Analytics", + "id": "cyberark_pta", + "description": "Collect security logs from Cyberark PTA integration.", + "data_streams": [ + { + "dataset": "events", + "index_pattern": "logs-cyberark_pta.events-*", + "title": "CyberArk PTA logs" + } + ], + "elser_embedding": "Cyberark Privileged Threat Analytics - Collect security logs from Cyberark PTA integration. - CyberArk PTA logs" + }, + { + "title": "Trellix ePO Cloud", + "id": "trellix_epo_cloud", + "description": "Collect logs from Trellix ePO Cloud with Elastic Agent.", + "data_streams": [ + { + "dataset": "device", + "index_pattern": "logs-trellix_epo_cloud.device-*", + "title": "Collect Device logs from Trellix ePO Cloud." + }, + { + "dataset": "group", + "index_pattern": "logs-trellix_epo_cloud.group-*", + "title": "Collect Group logs from Trellix ePO Cloud." + }, + { + "dataset": "event", + "index_pattern": "logs-trellix_epo_cloud.event-*", + "title": "Collect Event logs from Trellix ePO Cloud." + } + ], + "elser_embedding": "Trellix ePO Cloud - Collect logs from Trellix ePO Cloud with Elastic Agent. - Collect Device logs from Trellix ePO Cloud. Collect Group logs from Trellix ePO Cloud. Collect Event logs from Trellix ePO Cloud." + }, + { + "title": "Vectra Detect", + "id": "vectra_detect", + "description": "Collect logs from Vectra Detect with Elastic Agent.", + "data_streams": [ + { + "dataset": "log", + "index_pattern": "logs-vectra_detect.log-*", + "title": "Collect logs from Vectra Detect" + } + ], + "elser_embedding": "Vectra Detect - Collect logs from Vectra Detect with Elastic Agent. - Collect logs from Vectra Detect" + }, + { + "title": "Atlassian Confluence", + "id": "atlassian_confluence", + "description": "Collect logs from Atlassian Confluence with Elastic Agent.", + "data_streams": [ + { + "dataset": "audit", + "index_pattern": "logs-atlassian_confluence.audit-*", + "title": "Confluence Audit Logs" + } + ], + "elser_embedding": "Atlassian Confluence - Collect logs from Atlassian Confluence with Elastic Agent. - Confluence Audit Logs" + }, + { + "title": "QNAP NAS", + "id": "qnap_nas", + "description": "Collect logs from QNAP NAS devices with Elastic Agent.", + "data_streams": [ + { + "dataset": "log", + "index_pattern": "logs-qnap_nas.log-*", + "title": "QNAP NAS logs" + } + ], + "elser_embedding": "QNAP NAS - Collect logs from QNAP NAS devices with Elastic Agent. - QNAP NAS logs" + }, + { + "title": "Memcached", + "id": "memcached", + "description": "Memcached Integration", + "data_streams": [ + { + "dataset": "stats", + "index_pattern": "logs-memcached.stats-*", + "title": "Memcached stats metrics" + } + ], + "elser_embedding": "Memcached - Memcached Integration - Memcached stats metrics" + }, + { + "title": "Azure Resource Metrics", + "id": "azure_metrics", + "description": "Collect metrics from Azure resources with Elastic Agent.", + "data_streams": [ + { + "dataset": "container_service", + "index_pattern": "logs-azure_metrics.container_service-*", + "title": "Container Service" + }, + { + "dataset": "container_instance", + "index_pattern": "logs-azure_metrics.container_instance-*", + "title": "Container Instance" + }, + { + "dataset": "compute_vm", + "index_pattern": "logs-azure_metrics.compute_vm-*", + "title": "Compute VM" + }, + { + "dataset": "monitor", + "index_pattern": "logs-azure_metrics.monitor-*", + "title": "Monitor" + }, + { + "dataset": "storage_account", + "index_pattern": "logs-azure_metrics.storage_account-*", + "title": "Storage Account" + }, + { + "dataset": "compute_vm_scaleset", + "index_pattern": "logs-azure_metrics.compute_vm_scaleset-*", + "title": "Compute VM Scaleset" + }, + { + "dataset": "database_account", + "index_pattern": "logs-azure_metrics.database_account-*", + "title": "Database Account" + }, + { + "dataset": "container_registry", + "index_pattern": "logs-azure_metrics.container_registry-*", + "title": "Container Registry" + } + ], + "elser_embedding": "Azure Resource Metrics - Collect metrics from Azure resources with Elastic Agent. - Container Service Container Instance Compute VM Monitor Storage Account Compute VM Scaleset Database Account Container Registry" + }, + { + "title": "Elastic Connectors", + "id": "elastic_connectors", + "description": "Sync data from source to the Elasticsearch index.", + "data_streams": [], + "elser_embedding": "Elastic Connectors - Sync data from source to the Elasticsearch index. - " + }, + { + "title": "StatsD Input", + "id": "statsd_input", + "description": "StatsD Input Package", + "data_streams": [], + "elser_embedding": "StatsD Input - StatsD Input Package - " + }, + { + "title": "Cloudflare", + "id": "cloudflare", + "description": "Collect logs from Cloudflare with Elastic Agent.", + "data_streams": [ + { + "dataset": "logpull", + "index_pattern": "logs-cloudflare.logpull-*", + "title": "Cloudflare Logpull" + }, + { + "dataset": "audit", + "index_pattern": "logs-cloudflare.audit-*", + "title": "Cloudflare Audit Logs" + } + ], + "elser_embedding": "Cloudflare - Collect logs from Cloudflare with Elastic Agent. - Cloudflare Logpull Cloudflare Audit Logs" + }, + { + "title": "Cribl", + "id": "cribl", + "description": "Stream logs from Cribl into Elastic.", + "data_streams": [ + { + "dataset": "logs", + "index_pattern": "logs-cribl.logs-*", + "title": "Logs" + } + ], + "elser_embedding": "Cribl - Stream logs from Cribl into Elastic. - Logs" + }, + { + "title": "PHP-FPM", + "id": "php_fpm", + "description": "This Elastic integration collects metrics from PHP-FPM.", + "data_streams": [ + { + "dataset": "process", + "index_pattern": "logs-php_fpm.process-*", + "title": "Process metrics" + }, + { + "dataset": "pool", + "index_pattern": "logs-php_fpm.pool-*", + "title": "Pool metrics" + } + ], + "elser_embedding": "PHP-FPM - This Elastic integration collects metrics from PHP-FPM. - Process metrics Pool metrics" + }, + { + "title": "Azure Logs", + "id": "azure", + "description": "This Elastic integration collects logs from Azure", + "data_streams": [ + { + "dataset": "platformlogs", + "index_pattern": "logs-azure.platformlogs-*", + "title": "Azure Platform Logs" + }, + { + "dataset": "auditlogs", + "index_pattern": "logs-azure.auditlogs-*", + "title": "Azure Audit Logs" + }, + { + "dataset": "springcloudlogs", + "index_pattern": "logs-azure.springcloudlogs-*", + "title": "Azure Spring Apps Logs" + }, + { + "dataset": "signinlogs", + "index_pattern": "logs-azure.signinlogs-*", + "title": "Azure Signin Logs" + }, + { + "dataset": "firewall_logs", + "index_pattern": "logs-azure.firewall_logs-*", + "title": "Collect Network rule logs from Azure Firewall" + }, + { + "dataset": "graphactivitylogs", + "index_pattern": "logs-azure.graphactivitylogs-*", + "title": "Microsoft Graph Activity Logs" + }, + { + "dataset": "application_gateway", + "index_pattern": "logs-azure.application_gateway-*", + "title": "Azure Application Gateway logs" + }, + { + "dataset": "eventhub", + "index_pattern": "logs-azure.eventhub-*", + "title": "Azure Event Hub Input" + }, + { + "dataset": "provisioning", + "index_pattern": "logs-azure.provisioning-*", + "title": "Microsoft Entra ID Provisioning Logs" + }, + { + "dataset": "activitylogs", + "index_pattern": "logs-azure.activitylogs-*", + "title": "Azure Activity Logs" + }, + { + "dataset": "identity_protection", + "index_pattern": "logs-azure.identity_protection-*", + "title": "Microsoft Entra ID Identity Protection Logs" + } + ], + "elser_embedding": "Azure Logs - This Elastic integration collects logs from Azure - Azure Platform Logs Azure Audit Logs Azure Spring Apps Logs Azure Signin Logs Collect Network rule logs from Azure Firewall Microsoft Graph Activity Logs Azure Application Gateway logs Azure Event Hub Input Microsoft Entra ID Provisioning Logs Azure Activity Logs Microsoft Entra ID Identity Protection Logs" + }, + { + "title": "Palo Alto Networks Metrics", + "id": "panw_metrics", + "description": "Collect metrics from Palo Alto Networks with Elastic Agent.", + "data_streams": [ + { + "dataset": "vpn", + "index_pattern": "logs-panw_metrics.vpn-*", + "title": "Palo Alto Networks VPN metrics" + }, + { + "dataset": "interfaces", + "index_pattern": "logs-panw_metrics.interfaces-*", + "title": "Palo Alto Networks Interfaces metrics" + }, + { + "dataset": "system", + "index_pattern": "logs-panw_metrics.system-*", + "title": "Palo Alto Networks System metrics" + }, + { + "dataset": "routing", + "index_pattern": "logs-panw_metrics.routing-*", + "title": "Palo Alto Networks Routing metrics" + } + ], + "elser_embedding": "Palo Alto Networks Metrics - Collect metrics from Palo Alto Networks with Elastic Agent. - Palo Alto Networks VPN metrics Palo Alto Networks Interfaces metrics Palo Alto Networks System metrics Palo Alto Networks Routing metrics" + }, + { + "title": "Custom Threat Intelligence", + "id": "ti_custom", + "description": "Ingest threat intelligence data in STIX 2.1 format with Elastic Agent", + "data_streams": [ + { + "dataset": "indicator", + "index_pattern": "logs-ti_custom.indicator-*", + "title": "STIX 2.1 indicators" + } + ], + "elser_embedding": "Custom Threat Intelligence - Ingest threat intelligence data in STIX 2.1 format with Elastic Agent - STIX 2.1 indicators" + }, + { + "title": "Check Point Harmony Endpoint", + "id": "checkpoint_harmony_endpoint", + "description": "Collect logs from Check Point Harmony Endpoint", + "data_streams": [ + { + "dataset": "urlfiltering", + "index_pattern": "logs-checkpoint_harmony_endpoint.urlfiltering-*", + "title": "URL Filtering" + }, + { + "dataset": "forensics", + "index_pattern": "logs-checkpoint_harmony_endpoint.forensics-*", + "title": "Forensics" + }, + { + "dataset": "antibot", + "index_pattern": "logs-checkpoint_harmony_endpoint.antibot-*", + "title": "Anti-Bot" + }, + { + "dataset": "threatemulation", + "index_pattern": "logs-checkpoint_harmony_endpoint.threatemulation-*", + "title": "Threat Emulation" + }, + { + "dataset": "threatextraction", + "index_pattern": "logs-checkpoint_harmony_endpoint.threatextraction-*", + "title": "Threat Extraction" + }, + { + "dataset": "zerophishing", + "index_pattern": "logs-checkpoint_harmony_endpoint.zerophishing-*", + "title": "Zero Phishing" + }, + { + "dataset": "antimalware", + "index_pattern": "logs-checkpoint_harmony_endpoint.antimalware-*", + "title": "Anti-Malware" + } + ], + "elser_embedding": "Check Point Harmony Endpoint - Collect logs from Check Point Harmony Endpoint - URL Filtering Forensics Anti-Bot Threat Emulation Threat Extraction Zero Phishing Anti-Malware" + }, + { + "title": "Thycotic Secret Server", + "id": "thycotic_ss", + "description": "Thycotic Secret Server logs", + "data_streams": [ + { + "dataset": "logs", + "index_pattern": "logs-thycotic_ss.logs-*", + "title": "Thycotic Secret Server Logs" + } + ], + "elser_embedding": "Thycotic Secret Server - Thycotic Secret Server logs - Thycotic Secret Server Logs" + }, + { + "title": "Custom HTTP Endpoint Logs", + "id": "http_endpoint", + "description": "Collect JSON data from listening HTTP port with Elastic Agent.", + "data_streams": [], + "elser_embedding": "Custom HTTP Endpoint Logs - Collect JSON data from listening HTTP port with Elastic Agent. - " + }, + { + "title": "Atlassian Bitbucket", + "id": "atlassian_bitbucket", + "description": "Collect logs from Atlassian Bitbucket with Elastic Agent.", + "data_streams": [ + { + "dataset": "audit", + "index_pattern": "logs-atlassian_bitbucket.audit-*", + "title": "Bitbucket Audit Logs" + } + ], + "elser_embedding": "Atlassian Bitbucket - Collect logs from Atlassian Bitbucket with Elastic Agent. - Bitbucket Audit Logs" + }, + { + "title": "TYCHON Agentless", + "id": "tychon", + "description": "Collect complete master endpoint datasets including vulnerability and STIG to comply with DISA endpoint requirements and C2C without adding services to your endpoints.", + "data_streams": [ + { + "dataset": "systemcerts", + "index_pattern": "logs-tychon.systemcerts-*", + "title": "System Certificates" + }, + { + "dataset": "stig", + "index_pattern": "logs-tychon.stig-*", + "title": "Endpoint STIG Results" + }, + { + "dataset": "softwareinventory", + "index_pattern": "logs-tychon.softwareinventory-*", + "title": "Endpoint Software Inventory Info" + }, + { + "dataset": "coams", + "index_pattern": "logs-tychon.coams-*", + "title": "Endpoint Operational Attributes (Requires DATT)" + }, + { + "dataset": "harddrive", + "index_pattern": "logs-tychon.harddrive-*", + "title": "Endpoint Harddrive Info" + }, + { + "dataset": "host", + "index_pattern": "logs-tychon.host-*", + "title": "Host Operating System Info" + }, + { + "dataset": "cve", + "index_pattern": "logs-tychon.cve-*", + "title": "Vulnerabilites" + }, + { + "dataset": "externaldevicecontrol", + "index_pattern": "logs-tychon.externaldevicecontrol-*", + "title": "Endpoint External Device Control" + }, + { + "dataset": "cmrs", + "index_pattern": "logs-tychon.cmrs-*", + "title": "DISA Continuous Monitoring and Risk Scoring Data" + }, + { + "dataset": "arp", + "index_pattern": "logs-tychon.arp-*", + "title": "Endpoint Arp Table Information" + }, + { + "dataset": "ciphers", + "index_pattern": "logs-tychon.ciphers-*", + "title": "Certificate Ciphers" + }, + { + "dataset": "features", + "index_pattern": "logs-tychon.features-*", + "title": "Features Info" + }, + { + "dataset": "epp", + "index_pattern": "logs-tychon.epp-*", + "title": "Endpoint Protection Platform Info" + }, + { + "dataset": "cpu", + "index_pattern": "logs-tychon.cpu-*", + "title": "Endpoint CPU Info" + }, + { + "dataset": "browser", + "index_pattern": "logs-tychon.browser-*", + "title": "Endpoint Browser Configurations" + }, + { + "dataset": "exposedservice", + "index_pattern": "logs-tychon.exposedservice-*", + "title": "Endpoint Exposed Services" + }, + { + "dataset": "volume", + "index_pattern": "logs-tychon.volume-*", + "title": "Endpoint Volumes Info" + }, + { + "dataset": "hardware", + "index_pattern": "logs-tychon.hardware-*", + "title": "Hardware Info" + }, + { + "dataset": "networkadapter", + "index_pattern": "logs-tychon.networkadapter-*", + "title": "Network Adapters" + } + ], + "elser_embedding": "TYCHON Agentless - Collect complete master endpoint datasets including vulnerability and STIG to comply with DISA endpoint requirements and C2C without adding services to your endpoints. - System Certificates Endpoint STIG Results Endpoint Software Inventory Info Endpoint Operational Attributes (Requires DATT) Endpoint Harddrive Info Host Operating System Info Vulnerabilites Endpoint External Device Control DISA Continuous Monitoring and Risk Scoring Data Endpoint Arp Table Information Certificate Ciphers Features Info Endpoint Protection Platform Info Endpoint CPU Info Endpoint Browser Configurations Endpoint Exposed Services Endpoint Volumes Info Hardware Info Network Adapters" + }, + { + "title": "Proofpoint On Demand", + "id": "proofpoint_on_demand", + "description": "Collect logs from Proofpoint On Demand with Elastic Agent.", + "data_streams": [ + { + "dataset": "message", + "index_pattern": "logs-proofpoint_on_demand.message-*", + "title": "Proofpoint On Demand Message logs" + }, + { + "dataset": "audit", + "index_pattern": "logs-proofpoint_on_demand.audit-*", + "title": "Proofpoint On Demand Audit logs" + }, + { + "dataset": "mail", + "index_pattern": "logs-proofpoint_on_demand.mail-*", + "title": "Proofpoint On Demand Mail logs" + } + ], + "elser_embedding": "Proofpoint On Demand - Collect logs from Proofpoint On Demand with Elastic Agent. - Proofpoint On Demand Message logs Proofpoint On Demand Audit logs Proofpoint On Demand Mail logs" + }, + { + "title": "Cisco ASA", + "id": "cisco_asa", + "description": "Collect logs from Cisco ASA with Elastic Agent.", + "data_streams": [ + { + "dataset": "log", + "index_pattern": "logs-cisco_asa.log-*", + "title": "Cisco ASA logs" + } + ], + "elser_embedding": "Cisco ASA - Collect logs from Cisco ASA with Elastic Agent. - Cisco ASA logs" + }, + { + "title": "Amazon Security Lake", + "id": "amazon_security_lake", + "description": "Collect logs from Amazon Security Lake with Elastic Agent.", + "data_streams": [ + { + "dataset": "network_activity", + "index_pattern": "logs-amazon_security_lake.network_activity-*", + "title": "Amazon Security Lake Network Activity Events" + }, + { + "dataset": "application_activity", + "index_pattern": "logs-amazon_security_lake.application_activity-*", + "title": "Amazon Security Lake Application Activity Events" + }, + { + "dataset": "discovery", + "index_pattern": "logs-amazon_security_lake.discovery-*", + "title": "Amazon Security Lake Discovery Events" + }, + { + "dataset": "findings", + "index_pattern": "logs-amazon_security_lake.findings-*", + "title": "Amazon Security Lake Findings Events" + }, + { + "dataset": "system_activity", + "index_pattern": "logs-amazon_security_lake.system_activity-*", + "title": "Amazon Security Lake System Activity Events" + }, + { + "dataset": "event", + "index_pattern": "logs-amazon_security_lake.event-*", + "title": "Collect Amazon Security Lake Events" + }, + { + "dataset": "iam", + "index_pattern": "logs-amazon_security_lake.iam-*", + "title": "Amazon Security Lake Identity and Access Management Events" + } + ], + "elser_embedding": "Amazon Security Lake - Collect logs from Amazon Security Lake with Elastic Agent. - Amazon Security Lake Network Activity Events Amazon Security Lake Application Activity Events Amazon Security Lake Discovery Events Amazon Security Lake Findings Events Amazon Security Lake System Activity Events Collect Amazon Security Lake Events Amazon Security Lake Identity and Access Management Events" + }, + { + "title": "Azure App Service", + "id": "azure_app_service", + "description": "Collect logs from Azure App Service with Elastic Agent.", + "data_streams": [ + { + "dataset": "app_service_logs", + "index_pattern": "logs-azure_app_service.app_service_logs-*", + "title": "Collect App Service logs from Azure" + } + ], + "elser_embedding": "Azure App Service - Collect logs from Azure App Service with Elastic Agent. - Collect App Service logs from Azure" + }, + { + "title": "ESET PROTECT", + "id": "eset_protect", + "description": "Collect logs from ESET PROTECT with Elastic Agent.", + "data_streams": [ + { + "dataset": "device_task", + "index_pattern": "logs-eset_protect.device_task-*", + "title": "Collect Device Task logs from ESET PROTECT" + }, + { + "dataset": "detection", + "index_pattern": "logs-eset_protect.detection-*", + "title": "Collect Detection logs from ESET PROTECT" + }, + { + "dataset": "event", + "index_pattern": "logs-eset_protect.event-*", + "title": "Collect Event logs from ESET PROTECT" + } + ], + "elser_embedding": "ESET PROTECT - Collect logs from ESET PROTECT with Elastic Agent. - Collect Device Task logs from ESET PROTECT Collect Detection logs from ESET PROTECT Collect Event logs from ESET PROTECT" + }, + { + "id": "endpoint", + "title": "Elastic Defend", + "description": "windows linux osx dns network process suspicious user registry host host-based endpoint analysis commandline cli command exfiltration ransomware detection system os operating traffic prevention file user modification integrity obfuscation powershell anomaly edr xdr", + "data_streams": [ + { + "dataset": "endpoint.events.api", + "title": "Endpoint API Events", + "index_pattern": "logs-endpoint.events.api-*" + }, + { + "dataset": "endpoint.events.file", + "title": "Endpoint File Events", + "index_pattern": "logs-endpoint.events.file-*" + }, + { + "dataset": "endpoint.events.library", + "title": "Endpoint Library and Driver Events", + "index_pattern": "logs-endpoint.events.library-*" + }, + { + "dataset": "endpoint.events.network", + "title": "Endpoint Network Events", + "index_pattern": "logs-endpoint.events.network-*" + }, + { + "dataset": "endpoint.events.process", + "title": "Endpoint Process Events", + "index_pattern": "logs-endpoint.events.process-*" + }, + { + "dataset": "endpoint.events.registry", + "title": "Endpoint Registry Events", + "index_pattern": "logs-endpoint.events.registry-*" + }, + { + "dataset": "endpoint.events.security", + "title": "Endpoint Security Events", + "index_pattern": "logs-endpoint.events.security-*" + } + ], + "elser_embedding": "Elastic Defend - windows linux osx dns network process suspicious user registry host host-based endpoint analysis commandline cli command exfiltration ransomware detection system os operating traffic prevention file user modification integrity obfuscation powershell anomaly edr xdr - Endpoint API Events Endpoint File Events Endpoint Library and Driver Events Endpoint Network Events Endpoint Process Events Endpoint Registry Events Endpoint Security Events" + } +] \ No newline at end of file diff --git a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/data/rule_migrations_data_base_client.ts b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/data/rule_migrations_data_base_client.ts index 4f0b65e063b77..14825326eee0e 100644 --- a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/data/rule_migrations_data_base_client.ts +++ b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/data/rule_migrations_data_base_client.ts @@ -5,9 +5,9 @@ * 2.0. */ +import type { SearchHit, SearchResponse } from '@elastic/elasticsearch/lib/api/types'; import type { ElasticsearchClient, Logger } from '@kbn/core/server'; import assert from 'assert'; -import type { SearchHit, SearchResponse } from '@elastic/elasticsearch/lib/api/types'; import type { Stored } from '../types'; import type { IndexNameProvider } from './rule_migrations_data_client'; diff --git a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/data/rule_migrations_data_client.ts b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/data/rule_migrations_data_client.ts index 40f4aa6bf786e..8960edd0cce21 100644 --- a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/data/rule_migrations_data_client.ts +++ b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/data/rule_migrations_data_client.ts @@ -6,8 +6,9 @@ */ import type { ElasticsearchClient, Logger } from '@kbn/core/server'; -import { RuleMigrationsDataRulesClient } from './rule_migrations_data_rules_client'; +import { RuleMigrationsDataIntegrationsClient } from './rule_migrations_data_integrations_client'; import { RuleMigrationsDataResourcesClient } from './rule_migrations_data_resources_client'; +import { RuleMigrationsDataRulesClient } from './rule_migrations_data_rules_client'; import type { AdapterId } from './rule_migrations_data_service'; export type IndexNameProvider = () => Promise; @@ -16,6 +17,7 @@ export type IndexNameProviders = Record; export class RuleMigrationsDataClient { public readonly rules: RuleMigrationsDataRulesClient; public readonly resources: RuleMigrationsDataResourcesClient; + public readonly integrations: RuleMigrationsDataIntegrationsClient; constructor( indexNameProviders: IndexNameProviders, @@ -35,5 +37,11 @@ export class RuleMigrationsDataClient { esClient, logger ); + this.integrations = new RuleMigrationsDataIntegrationsClient( + indexNameProviders.integrations, + username, + esClient, + logger + ); } } diff --git a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/data/rule_migrations_data_integrations_client.ts b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/data/rule_migrations_data_integrations_client.ts new file mode 100644 index 0000000000000..3fdf1d11de36c --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/data/rule_migrations_data_integrations_client.ts @@ -0,0 +1,89 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import type { Integration } from '../types'; +import { RuleMigrationsDataBaseClient } from './rule_migrations_data_base_client'; + +/* This will be removed once the package registry changes is performed */ +import integrationsFile from './integrations_temp.json'; + +/* The minimum score required for a integration to be considered correct, might need to change this later */ +const MIN_SCORE = 40 as const; +/* The number of integrations the RAG will return, sorted by score */ +const RETURNED_INTEGRATIONS = 5 as const; + +/* This is a temp implementation to allow further development until https://github.com/elastic/package-registry/issues/1252 */ +const INTEGRATIONS = integrationsFile as Integration[]; +/* BULK_MAX_SIZE defines the number to break down the bulk operations by. + * The 500 number was chosen as a reasonable number to avoid large payloads. It can be adjusted if needed. + */ +export class RuleMigrationsDataIntegrationsClient extends RuleMigrationsDataBaseClient { + /** Indexes an array of integrations to be used with ELSER semantic search queries */ + async create(): Promise { + const index = await this.getIndexName(); + await this.esClient + .bulk({ + refresh: 'wait_for', + operations: INTEGRATIONS.flatMap((integration) => [ + { update: { _index: index, _id: integration.id } }, + { + doc: { + title: integration.title, + description: integration.description, + data_streams: integration.data_streams, + elser_embedding: integration.elser_embedding, + '@timestamp': new Date().toISOString(), + }, + doc_as_upsert: true, + }, + ]), + }) + .catch((error) => { + this.logger.error(`Error indexing integration details for ELSER: ${error.message}`); + throw error; + }); + } + + /** Based on a LLM generated semantic string, returns the 5 best results with a score above 40 */ + async retrieveIntegrations(semanticString: string): Promise { + const index = await this.getIndexName(); + const query = { + bool: { + should: [ + { + semantic: { + query: semanticString, + field: 'elser_embedding', + boost: 1.5, + }, + }, + { + multi_match: { + query: semanticString, + fields: ['title^2', 'description'], + boost: 3, + }, + }, + ], + }, + }; + const results = await this.esClient + .search({ + index, + query, + size: RETURNED_INTEGRATIONS, + min_score: MIN_SCORE, + }) + .then(this.processResponseHits.bind(this)) + .catch((error) => { + this.logger.error(`Error querying integration details for ELSER: ${error.message}`); + throw error; + }); + + return results; + } +} diff --git a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/data/rule_migrations_data_service.test.ts b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/data/rule_migrations_data_service.test.ts index e738bd85e2f1a..f8cc0c3f1c076 100644 --- a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/data/rule_migrations_data_service.test.ts +++ b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/data/rule_migrations_data_service.test.ts @@ -5,15 +5,15 @@ * 2.0. */ -import { INDEX_PATTERN, RuleMigrationsDataService } from './rule_migrations_data_service'; -import { Subject } from 'rxjs'; -import type { InstallParams } from '@kbn/index-adapter'; -import { IndexPatternAdapter } from '@kbn/index-adapter'; import { elasticsearchServiceMock } from '@kbn/core-elasticsearch-server-mocks'; -import { loggerMock } from '@kbn/logging-mocks'; import { loggingSystemMock } from '@kbn/core-logging-server-mocks'; import { securityServiceMock } from '@kbn/core-security-server-mocks'; +import type { InstallParams } from '@kbn/index-adapter'; +import { IndexPatternAdapter } from '@kbn/index-adapter'; +import { loggerMock } from '@kbn/logging-mocks'; +import { Subject } from 'rxjs'; import type { IndexNameProviders } from './rule_migrations_data_client'; +import { INDEX_PATTERN, RuleMigrationsDataService } from './rule_migrations_data_service'; jest.mock('@kbn/index-adapter'); @@ -42,7 +42,7 @@ describe('SiemRuleMigrationsDataService', () => { describe('constructor', () => { it('should create IndexPatternAdapters', () => { new RuleMigrationsDataService(logger, kibanaVersion); - expect(MockedIndexPatternAdapter).toHaveBeenCalledTimes(2); + expect(MockedIndexPatternAdapter).toHaveBeenCalledTimes(3); }); it('should create component templates', () => { @@ -54,6 +54,9 @@ describe('SiemRuleMigrationsDataService', () => { expect(indexPatternAdapter.setComponentTemplate).toHaveBeenCalledWith( expect.objectContaining({ name: `${INDEX_PATTERN}-resources` }) ); + expect(indexPatternAdapter.setComponentTemplate).toHaveBeenCalledWith( + expect.objectContaining({ name: `${INDEX_PATTERN}-integrations` }) + ); }); it('should create index templates', () => { @@ -65,6 +68,9 @@ describe('SiemRuleMigrationsDataService', () => { expect(indexPatternAdapter.setIndexTemplate).toHaveBeenCalledWith( expect.objectContaining({ name: `${INDEX_PATTERN}-resources` }) ); + expect(indexPatternAdapter.setIndexTemplate).toHaveBeenCalledWith( + expect.objectContaining({ name: `${INDEX_PATTERN}-integrations` }) + ); }); }); @@ -92,8 +98,11 @@ describe('SiemRuleMigrationsDataService', () => { logger: loggerMock.create(), pluginStop$: new Subject(), }; - const [rulesIndexPatternAdapter, resourcesIndexPatternAdapter] = - MockedIndexPatternAdapter.mock.instances; + const [ + rulesIndexPatternAdapter, + resourcesIndexPatternAdapter, + integrationsIndexPatternAdapter, + ] = MockedIndexPatternAdapter.mock.instances; (rulesIndexPatternAdapter.install as jest.Mock).mockResolvedValueOnce(undefined); await index.install(params); @@ -101,12 +110,16 @@ describe('SiemRuleMigrationsDataService', () => { await mockIndexNameProviders.rules(); await mockIndexNameProviders.resources(); + await mockIndexNameProviders.integrations(); expect(rulesIndexPatternAdapter.createIndex).toHaveBeenCalledWith('space1'); expect(rulesIndexPatternAdapter.getIndexName).toHaveBeenCalledWith('space1'); expect(resourcesIndexPatternAdapter.createIndex).toHaveBeenCalledWith('space1'); expect(resourcesIndexPatternAdapter.getIndexName).toHaveBeenCalledWith('space1'); + + expect(integrationsIndexPatternAdapter.createIndex).toHaveBeenCalledWith('space1'); + expect(integrationsIndexPatternAdapter.getIndexName).toHaveBeenCalledWith('space1'); }); }); }); diff --git a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/data/rule_migrations_data_service.ts b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/data/rule_migrations_data_service.ts index c19a89cefd81a..ceff8e05f9f2f 100644 --- a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/data/rule_migrations_data_service.ts +++ b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/data/rule_migrations_data_service.ts @@ -6,17 +6,18 @@ */ import type { AuthenticatedUser, ElasticsearchClient, Logger } from '@kbn/core/server'; import { IndexPatternAdapter, type FieldMap, type InstallParams } from '@kbn/index-adapter'; +import type { IndexNameProvider, IndexNameProviders } from './rule_migrations_data_client'; +import { RuleMigrationsDataClient } from './rule_migrations_data_client'; import { - ruleMigrationsFieldMap, + integrationsFieldMap, ruleMigrationResourcesFieldMap, + ruleMigrationsFieldMap, } from './rule_migrations_field_maps'; -import type { IndexNameProvider, IndexNameProviders } from './rule_migrations_data_client'; -import { RuleMigrationsDataClient } from './rule_migrations_data_client'; const TOTAL_FIELDS_LIMIT = 2500; export const INDEX_PATTERN = '.kibana-siem-rule-migrations'; -export type AdapterId = 'rules' | 'resources'; +export type AdapterId = 'rules' | 'resources' | 'integrations'; interface CreateClientParams { spaceId: string; @@ -31,6 +32,7 @@ export class RuleMigrationsDataService { this.adapters = { rules: this.createAdapter({ id: 'rules', fieldMap: ruleMigrationsFieldMap }), resources: this.createAdapter({ id: 'resources', fieldMap: ruleMigrationResourcesFieldMap }), + integrations: this.createAdapter({ id: 'integrations', fieldMap: integrationsFieldMap }), }; } @@ -49,6 +51,7 @@ export class RuleMigrationsDataService { await Promise.all([ this.adapters.rules.install({ ...params, logger: this.logger }), this.adapters.resources.install({ ...params, logger: this.logger }), + this.adapters.integrations.install({ ...params, logger: this.logger }), ]); } @@ -56,6 +59,7 @@ export class RuleMigrationsDataService { const indexNameProviders: IndexNameProviders = { rules: this.createIndexNameProvider('rules', spaceId), resources: this.createIndexNameProvider('resources', spaceId), + integrations: this.createIndexNameProvider('integrations', spaceId), }; return new RuleMigrationsDataClient( diff --git a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/data/rule_migrations_field_maps.ts b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/data/rule_migrations_field_maps.ts index 3811ff74b5ca1..8e8a3c5ee0f27 100644 --- a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/data/rule_migrations_field_maps.ts +++ b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/data/rule_migrations_field_maps.ts @@ -26,6 +26,7 @@ export const ruleMigrationsFieldMap: FieldMap { - const resourcesContext = []; - if (resources.macro?.length) { - const macrosSummary = resources.macro - .map((macro) => `\`${macro.name}\`: ${macro.content}`) - .join('\n'); - resourcesContext.push('<>', macrosSummary, '<>'); - } - if (resources.list?.length) { - const lookupsSummary = resources.list - .map((list) => `lookup ${list.name}: ${list.content}`) - .join('\n'); - resourcesContext.push('<>', lookupsSummary, '<>'); - } - return resourcesContext.join('\n'); -}; - -export const getReplaceQueryResourcesPrompt = ( - state: MigrateRuleState, - resources: RuleMigrationResources -): string => { - const resourcesContext = getResourcesContext(resources); - return `You are an agent expert in Splunk SPL (Search Processing Language). -Your task is to inline a set of macros and lookup table values in a SPL query. - -## Guidelines: - -- You will be provided with a SPL query and also the resources reference with the values of macros and lookup tables. -- You have to replace the macros and lookup tables in the SPL query with their actual values. -- The original and modified queries must be equivalent. -- Macros names have the number of arguments in parentheses, e.g., \`macroName(2)\`. You must replace the correct macro accounting for the number of arguments. - -## Process: - -- Go through the SPL query and identify all the macros and lookup tables that are used. Two scenarios may arise: - - The macro or lookup table is provided in the resources: Replace the call by their actual value in the query. - - The macro or lookup table is not provided in the resources: Keep the call in the query as it is. - -## Example: - Having the following macros: - \`someSource\`: sourcetype="somesource" - \`searchTitle(1)\`: search title="$value$" - \`searchTitle\`: search title=* - \`searchType\`: search type=* - And the following SPL query: - \`\`\`spl - \`someSource\` \`someFilter\` - | \`searchTitle("sometitle")\` - | \`searchType("sometype")\` - | table * - \`\`\` - The correct replacement would be: - \`\`\`spl - sourcetype="somesource" \`someFilter\` - | search title="sometitle" - | \`searchType("sometype")\` - | table * - \`\`\` - -## Important: You must respond only with the modified query inside a \`\`\`spl code block, nothing else. - -# Find the macros and lookup tables below: - -${resourcesContext} - -# Find the SPL query below: - -\`\`\`spl -${state.original_rule.query} -\`\`\` - -`; -}; diff --git a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/graph.ts b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/graph.ts new file mode 100644 index 0000000000000..f986098e9deb0 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/graph.ts @@ -0,0 +1,53 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { END, START, StateGraph } from '@langchain/langgraph'; +import { getProcessQueryNode } from './nodes/process_query'; +import { getRetrieveIntegrationsNode } from './nodes/retrieve_integrations'; +import { getTranslateRuleNode } from './nodes/translate_rule'; +import { translateRuleState } from './state'; +import type { TranslateRuleGraphParams } from './types'; + +export function getTranslateRuleGraph({ + model, + inferenceClient, + resourceRetriever, + integrationRetriever, + connectorId, + logger, +}: TranslateRuleGraphParams) { + const translateRuleNode = getTranslateRuleNode({ + model, + inferenceClient, + resourceRetriever, + connectorId, + logger, + }); + const processQueryNode = getProcessQueryNode({ + model, + resourceRetriever, + }); + const retrieveIntegrationsNode = getRetrieveIntegrationsNode({ + model, + integrationRetriever, + }); + + const translateRuleGraph = new StateGraph(translateRuleState) + // Nodes + .addNode('processQuery', processQueryNode) + .addNode('retrieveIntegrations', retrieveIntegrationsNode) + .addNode('translateRule', translateRuleNode) + // Edges + .addEdge(START, 'processQuery') + .addEdge('processQuery', 'retrieveIntegrations') + .addEdge('retrieveIntegrations', 'translateRule') + .addEdge('translateRule', END); + + const graph = translateRuleGraph.compile(); + graph.name = 'Translate Rule Graph'; + return graph; +} diff --git a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/nodes/translate_query/index.ts b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/index.ts similarity index 81% rename from x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/nodes/translate_query/index.ts rename to x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/index.ts index 7d247f755e9da..6a2b7e9cebd7e 100644 --- a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/nodes/translate_query/index.ts +++ b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/index.ts @@ -4,4 +4,5 @@ * 2.0; you may not use this file except in compliance with the Elastic License * 2.0. */ -export { getTranslateQueryNode } from './translate_query'; + +export { getTranslateRuleGraph } from './graph'; diff --git a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/process_query/index.ts b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/process_query/index.ts new file mode 100644 index 0000000000000..6feb852eba474 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/process_query/index.ts @@ -0,0 +1,7 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ +export { getProcessQueryNode } from './process_query'; diff --git a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/process_query/process_query.ts b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/process_query/process_query.ts new file mode 100644 index 0000000000000..0f90d74dafba3 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/process_query/process_query.ts @@ -0,0 +1,34 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { StringOutputParser } from '@langchain/core/output_parsers'; +import { isEmpty } from 'lodash/fp'; +import type { ChatModel } from '../../../../../util/actions_client_chat'; +import type { RuleResourceRetriever } from '../../../../../util/rule_resource_retriever'; +import type { GraphNode } from '../../types'; +import { getReplaceQueryResourcesPrompt } from './prompts'; + +interface GetProcessQueryNodeParams { + model: ChatModel; + resourceRetriever: RuleResourceRetriever; +} + +export const getProcessQueryNode = ({ + model, + resourceRetriever, +}: GetProcessQueryNodeParams): GraphNode => { + return async (state) => { + let query = state.original_rule.query; + const resources = await resourceRetriever.getResources(state.original_rule); + if (!isEmpty(resources)) { + const replaceQueryResourcesPrompt = getReplaceQueryResourcesPrompt(state, resources); + const stringParser = new StringOutputParser(); + query = await model.pipe(stringParser).invoke(replaceQueryResourcesPrompt); + } + return { inline_query: query }; + }; +}; diff --git a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/process_query/prompts.ts b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/process_query/prompts.ts new file mode 100644 index 0000000000000..5d2e6648c1d85 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/process_query/prompts.ts @@ -0,0 +1,123 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import type { RuleMigrationResources } from '../../../../../util/rule_resource_retriever'; +import type { TranslateRuleState } from '../../types'; + +const getResourcesContext = (resources: RuleMigrationResources): string => { + const resourcesContext = []; + if (resources.macro?.length) { + const macrosSummary = resources.macro + .map((macro) => `\`${macro.name}\`: ${macro.content}`) + .join('\n'); + resourcesContext.push('<>', macrosSummary, '<>'); + } + if (resources.list?.length) { + const lookupsSummary = resources.list + .map((list) => `lookup ${list.name}: ${list.content}`) + .join('\n'); + resourcesContext.push('<>', lookupsSummary, '<>'); + } + return resourcesContext.join('\n'); +}; + +export const getReplaceQueryResourcesPrompt = ( + state: TranslateRuleState, + resources: RuleMigrationResources +): string => { + const resourcesContext = getResourcesContext(resources); + return `You are an agent expert in Splunk SPL (Search Processing Language). +Your task is to inline a set of macros and lookup tables syntax using their values in a SPL query. + +# Guidelines +- You will be provided with a SPL query and also the resources reference with the values of macros and lookup tables. +- You have to replace the macros and lookup tables syntax in the SPL query and use their values inline, if provided. +- The original and modified queries must be equivalent. + +# Process +- Go through the SPL query and identify all the macros and lookup tables that are used. Two scenarios may arise: + - The macro or lookup table is provided in the resources: Replace it using its actual content. + - The macro or lookup table is not provided in the resources: Do not replace it, keep it in the query as it is. + +## Macros replacements + +### Notes: +- Macros names have the number of arguments in parentheses, e.g., \`macroName(2)\`. You must replace the correct macro accounting for the number of arguments. + +### Example: + Having the following macros: + \`someSource\`: sourcetype="somesource" + \`searchTitle(1)\`: search title="$value$" + \`searchTitle\`: search title=* + \`searchType\`: search type=* + And the following SPL query: + \`\`\`spl + \`someSource\` \`someFilter\` + | \`searchTitle("sometitle")\` + | \`searchType("sometype")\` + | table * + \`\`\` + The correct replacement would be: + \`\`\`spl + sourcetype="somesource" \`someFilter\` + | search title="sometitle" + | \`searchType("sometype")\` + | table * + \`\`\` + +## Lookups replacements + +### Notes: +- OUTPUTNEW and OUTPUT fields should be replaced with the values from the lookup table. +- Use the \`case\` function to evaluate conditions in the same order provided by the lookup table. +- Ensure all lookup matching fields are correctly matched to their respective case conditions. +- If there are more than one field to match, use the \`AND\` operator to combine them inside the \`case\` function. +- The transformed SPL query should function equivalently to the original query with the \`lookup\` command. + +### Example: + Having the following lookup table: + uid,username,department + 1066,Claudia Garcia,Engineering + 1690,Rutherford Sullivan,Engineering + 1815,Vanya Patel,IT + 1862,Wei Zhang,Engineering + 1916,Alex Martin,Personnel + And the following SPL query: + \`\`\`spl + ... | lookup users uid OUTPUTNEW username, department + \`\`\` + The correct replacement would be: + \`\`\`spl + ... | eval username=case(uid=1066, "Claudia Garcia", + uid=1690, "Rutherford Sullivan", + uid=1815, "Vanya Patel", + uid=1862, "Wei Zhang", + uid=1916, "Alex Martin", + true, null), + department=case(uid=1066, "Engineering", + uid=1690, "Engineering", + uid=1815, "IT", + uid=1862, "Engineering", + uid=1916, "Personnel", + true, null) + \`\`\` + + +## Important: You must respond only with the modified query inside a \`\`\`spl code block, nothing else. + +# Find the macros and lookup tables below: + +${resourcesContext} + +# Find the SPL query below: + +\`\`\`spl +${state.original_rule.query} +\`\`\` + +`; +}; diff --git a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/retrieve_integrations/index.ts b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/retrieve_integrations/index.ts new file mode 100644 index 0000000000000..7db89035c6ad7 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/retrieve_integrations/index.ts @@ -0,0 +1,7 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ +export { getRetrieveIntegrationsNode } from './retrieve_integrations'; diff --git a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/retrieve_integrations/prompts.ts b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/retrieve_integrations/prompts.ts new file mode 100644 index 0000000000000..4d15ad71d6794 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/retrieve_integrations/prompts.ts @@ -0,0 +1,48 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { ChatPromptTemplate } from '@langchain/core/prompts'; + +export const CREATE_SEMANTIC_QUERY_PROMPT = ChatPromptTemplate.fromMessages([ + [ + 'system', + `You are a helpful assistant that helps in translating provided titles, descriptions and data sources into a single summary of keywords specifically crafted to be used as a semantic search query, which are usually short and includes keywords that are valid for the usecase. + The data provided are collected from SIEM detection rules, and it is trying to match the description of a list of data sources, so provide good keywords that match this usecase. + Try to also detect what sort of vendor, solution or technology is required and add these as keywords as well. + Some examples would be to identify if its cloud, which vendor, network, host, endpoint, etc.`, + ], + [ + 'human', + ` +Title: {title} +Description: {description} +Query: {query} + + +Go through the relevant title, description and data sources from the above query and create a collection of keywords specifically crafted to be used as a semantic search query. + + +- The query should be short and concise. +- Include keywords that are relevant to the use case. +- Add related keywords you detected from the above query, like one or more vendor, product, cloud provider, OS platform etc. +- Always reply with a JSON object with the key "query" and the value as the semantic search query inside three backticks as shown in the below example. + + + +U: +Title: Processes created by netsh +Description: This search looks for processes launching netsh.exe to execute various commands via the netsh command-line utility. Netsh.exe is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh can be used as a persistence proxy technique to execute a helper .dll when netsh.exe is executed. In this search, we are looking for processes spawned by netsh.exe that are executing commands via the command line. Deprecated because we have another detection of the same type. +Data Sources: + +A: Please find the query keywords JSON object below: +\`\`\`json +{{"query": "windows host endpoint netsh.exe process creation command-line utility network configuration persistence proxy dll execution sysmon event id 1"}} +\`\`\` +`, + ], + ['ai', 'Please find the query keywords JSON object below:'], +]); diff --git a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/retrieve_integrations/retrieve_integrations.ts b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/retrieve_integrations/retrieve_integrations.ts new file mode 100644 index 0000000000000..18577532fdf66 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/retrieve_integrations/retrieve_integrations.ts @@ -0,0 +1,44 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { JsonOutputParser } from '@langchain/core/output_parsers'; +import type { ChatModel } from '../../../../../util/actions_client_chat'; +import type { IntegrationRetriever } from '../../../../../util/integration_retriever'; +import type { GraphNode } from '../../types'; +import { CREATE_SEMANTIC_QUERY_PROMPT } from './prompts'; + +interface GetRetrieveIntegrationsNodeParams { + model: ChatModel; + integrationRetriever: IntegrationRetriever; +} + +interface GetSemanticQueryResponse { + query: string; +} + +export const getRetrieveIntegrationsNode = ({ + model, + integrationRetriever, +}: GetRetrieveIntegrationsNodeParams): GraphNode => { + const jsonParser = new JsonOutputParser(); + const semanticQueryChain = CREATE_SEMANTIC_QUERY_PROMPT.pipe(model).pipe(jsonParser); + + return async (state) => { + const query = state.inline_query; + + const integrationQuery = (await semanticQueryChain.invoke({ + title: state.original_rule.title, + description: state.original_rule.description, + query, + })) as GetSemanticQueryResponse; + + const integrations = await integrationRetriever.getIntegrations(integrationQuery.query); + return { + integrations, + }; + }; +}; diff --git a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/nodes/translate_query/esql_knowledge_base_caller.ts b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/translate_rule/esql_knowledge_base_caller.ts similarity index 100% rename from x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/nodes/translate_query/esql_knowledge_base_caller.ts rename to x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/translate_rule/esql_knowledge_base_caller.ts diff --git a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/translate_rule/index.ts b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/translate_rule/index.ts new file mode 100644 index 0000000000000..c8c5678b7f2f5 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/translate_rule/index.ts @@ -0,0 +1,7 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ +export { getTranslateRuleNode } from './translate_rule'; diff --git a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/nodes/translate_query/prompts/esql_translation_prompt.ts b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/translate_rule/prompts.ts similarity index 85% rename from x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/nodes/translate_query/prompts/esql_translation_prompt.ts rename to x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/translate_rule/prompts.ts index 05e3c5c63bbe3..3e77353bba8b1 100644 --- a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/nodes/translate_query/prompts/esql_translation_prompt.ts +++ b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/translate_rule/prompts.ts @@ -5,9 +5,12 @@ * 2.0. */ -import type { MigrateRuleState } from '../../../types'; +import type { TranslateRuleState } from '../../types'; -export const getEsqlTranslationPrompt = (state: MigrateRuleState, query: string): string => { +export const getEsqlTranslationPrompt = ( + state: TranslateRuleState, + indexPatterns: string +): string => { return `You are a helpful cybersecurity (SIEM) expert agent. Your task is to migrate "detection rules" from Splunk to Elastic Security. Your goal is to translate the SPL query into an equivalent Elastic Security Query Language (ES|QL) query. @@ -19,7 +22,7 @@ Your goal is to translate the SPL query into an equivalent Elastic Security Quer ## Guidelines: - Analyze the SPL query and identify the key components. - Translate the SPL query into an equivalent ES|QL query using ECS (Elastic Common Schema) field names. -- Always use logs* index pattern for the ES|QL translated query. +- Always start the generated ES|QL query by filtering FROM using these index patterns in the translated query: ${indexPatterns}. - If, in the SPL query, you find a lookup list or macro call, mention it in the summary and add a placeholder in the query with the format [macro:(argumentCount)] or [lookup:] including the [] keys, - Examples: - \`get_duration(firstDate,secondDate)\` -> [macro:get_duration(2)] @@ -40,7 +43,7 @@ ${state.original_rule.description} <> <> -${query} +${state.inline_query} <> `; }; diff --git a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/nodes/translate_query/translate_query.ts b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/translate_rule/translate_rule.ts similarity index 61% rename from x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/nodes/translate_query/translate_query.ts rename to x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/translate_rule/translate_rule.ts index e12d3b96ceb3f..3fcd968b55650 100644 --- a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/nodes/translate_query/translate_query.ts +++ b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/translate_rule/translate_rule.ts @@ -7,17 +7,14 @@ import type { Logger } from '@kbn/core/server'; import type { InferenceClient } from '@kbn/inference-plugin/server'; -import { StringOutputParser } from '@langchain/core/output_parsers'; -import { isEmpty } from 'lodash/fp'; +import { SiemMigrationRuleTranslationResult } from '../../../../../../../../../../common/siem_migrations/constants'; +import type { ChatModel } from '../../../../../util/actions_client_chat'; +import type { RuleResourceRetriever } from '../../../../../util/rule_resource_retriever'; import type { GraphNode } from '../../types'; import { getEsqlKnowledgeBase } from './esql_knowledge_base_caller'; -import { getReplaceQueryResourcesPrompt } from './prompts/replace_resources_prompt'; -import { getEsqlTranslationPrompt } from './prompts/esql_translation_prompt'; -import { SiemMigrationRuleTranslationResult } from '../../../../../../../../common/siem_migrations/constants'; -import type { RuleResourceRetriever } from '../../../util/rule_resource_retriever'; -import type { ChatModel } from '../../../util/actions_client_chat'; +import { getEsqlTranslationPrompt } from './prompts'; -interface GetTranslateQueryNodeParams { +interface GetTranslateRuleNodeParams { model: ChatModel; inferenceClient: InferenceClient; resourceRetriever: RuleResourceRetriever; @@ -25,25 +22,19 @@ interface GetTranslateQueryNodeParams { logger: Logger; } -export const getTranslateQueryNode = ({ - model, +export const getTranslateRuleNode = ({ inferenceClient, - resourceRetriever, connectorId, logger, -}: GetTranslateQueryNodeParams): GraphNode => { +}: GetTranslateRuleNodeParams): GraphNode => { const esqlKnowledgeBaseCaller = getEsqlKnowledgeBase({ inferenceClient, connectorId, logger }); return async (state) => { - let query = state.original_rule.query; + const indexPatterns = state.integrations.flatMap((integration) => + integration.data_streams.map((dataStream) => dataStream.index_pattern) + ); + const integrationIds = state.integrations.map((integration) => integration.id); - const resources = await resourceRetriever.getResources(state.original_rule); - if (!isEmpty(resources)) { - const replaceQueryResourcesPrompt = getReplaceQueryResourcesPrompt(state, resources); - const stringParser = new StringOutputParser(); - query = await model.pipe(stringParser).invoke(replaceQueryResourcesPrompt); - } - - const prompt = getEsqlTranslationPrompt(state, query); + const prompt = getEsqlTranslationPrompt(state, indexPatterns.join(' ')); const response = await esqlKnowledgeBaseCaller(prompt); const esqlQuery = response.match(/```esql\n([\s\S]*?)\n```/)?.[1] ?? ''; @@ -57,6 +48,7 @@ export const getTranslateQueryNode = ({ translation_result: translationResult, elastic_rule: { title: state.original_rule.title, + integration_ids: integrationIds, description: state.original_rule.description, severity: 'low', query: esqlQuery, diff --git a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/state.ts b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/state.ts new file mode 100644 index 0000000000000..8c8e9780aedf8 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/state.ts @@ -0,0 +1,48 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import type { BaseMessage } from '@langchain/core/messages'; +import { Annotation, messagesStateReducer } from '@langchain/langgraph'; +import { SiemMigrationRuleTranslationResult } from '../../../../../../../../common/siem_migrations/constants'; +import type { + ElasticRule, + OriginalRule, + RuleMigration, +} from '../../../../../../../../common/siem_migrations/model/rule_migration.gen'; +import type { Integration } from '../../../../types'; + +export const translateRuleState = Annotation.Root({ + messages: Annotation({ + reducer: messagesStateReducer, + default: () => [], + }), + original_rule: Annotation(), + integrations: Annotation({ + reducer: (current, value) => value ?? current, + default: () => [], + }), + inline_query: Annotation({ + reducer: (current, value) => value ?? current, + default: () => '', + }), + elastic_rule: Annotation({ + reducer: (state, action) => ({ ...state, ...action }), + default: () => ({} as ElasticRule), + }), + translation_result: Annotation({ + reducer: (current, value) => value ?? current, + default: () => SiemMigrationRuleTranslationResult.UNTRANSLATABLE, + }), + comments: Annotation({ + reducer: (current, value) => (value ? (current ?? []).concat(value) : current), + default: () => [], + }), + response: Annotation({ + reducer: (current, value) => value ?? current, + default: () => '', + }), +}); diff --git a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/types.ts b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/types.ts new file mode 100644 index 0000000000000..42bf8e14c5924 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/types.ts @@ -0,0 +1,25 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import type { Logger } from '@kbn/core/server'; +import type { InferenceClient } from '@kbn/inference-plugin/server'; +import type { ChatModel } from '../../../util/actions_client_chat'; +import type { IntegrationRetriever } from '../../../util/integration_retriever'; +import type { RuleResourceRetriever } from '../../../util/rule_resource_retriever'; +import type { translateRuleState } from './state'; + +export type TranslateRuleState = typeof translateRuleState.State; +export type GraphNode = (state: TranslateRuleState) => Promise>; + +export interface TranslateRuleGraphParams { + inferenceClient: InferenceClient; + model: ChatModel; + connectorId: string; + resourceRetriever: RuleResourceRetriever; + integrationRetriever: IntegrationRetriever; + logger: Logger; +} diff --git a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/types.ts b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/types.ts index 975c03439842e..046083140e5e5 100644 --- a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/types.ts +++ b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/types.ts @@ -7,10 +7,11 @@ import type { Logger } from '@kbn/core/server'; import type { InferenceClient } from '@kbn/inference-plugin/server'; -import type { migrateRuleState } from './state'; import type { ChatModel } from '../util/actions_client_chat'; +import type { IntegrationRetriever } from '../util/integration_retriever'; import type { PrebuiltRulesMapByName } from '../util/prebuilt_rules'; import type { RuleResourceRetriever } from '../util/rule_resource_retriever'; +import type { migrateRuleState } from './state'; export type MigrateRuleState = typeof migrateRuleState.State; export type GraphNode = (state: MigrateRuleState) => Promise>; @@ -21,5 +22,6 @@ export interface MigrateRuleGraphParams { connectorId: string; prebuiltRulesMap: PrebuiltRulesMapByName; resourceRetriever: RuleResourceRetriever; + integrationRetriever: IntegrationRetriever; logger: Logger; } diff --git a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/rule_migrations_task_client.ts b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/rule_migrations_task_client.ts index 989c33a44cb36..b7cc545001f91 100644 --- a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/rule_migrations_task_client.ts +++ b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/rule_migrations_task_client.ts @@ -15,18 +15,19 @@ import type { } from '../../../../../common/siem_migrations/model/rule_migration.gen'; import type { RuleMigrationsDataClient } from '../data/rule_migrations_data_client'; import type { RuleMigrationDataStats } from '../data/rule_migrations_data_rules_client'; +import { getRuleMigrationAgent } from './agent'; +import type { MigrateRuleState } from './agent/types'; import type { + MigrationAgent, + RuleMigrationTaskPrepareParams, + RuleMigrationTaskRunParams, RuleMigrationTaskStartParams, RuleMigrationTaskStartResult, RuleMigrationTaskStopResult, - RuleMigrationTaskPrepareParams, - RuleMigrationTaskRunParams, - MigrationAgent, } from './types'; -import { getRuleMigrationAgent } from './agent'; -import type { MigrateRuleState } from './agent/types'; -import { retrievePrebuiltRulesMap } from './util/prebuilt_rules'; import { ActionsClientChat } from './util/actions_client_chat'; +import { IntegrationRetriever } from './util/integration_retriever'; +import { retrievePrebuiltRulesMap } from './util/prebuilt_rules'; import { RuleResourceRetriever } from './util/rule_resource_retriever'; const ITERATION_BATCH_SIZE = 50 as const; @@ -89,6 +90,7 @@ export class RuleMigrationsTaskClient { }: RuleMigrationTaskPrepareParams): Promise { const prebuiltRulesMap = await retrievePrebuiltRulesMap({ soClient, rulesClient }); const resourceRetriever = new RuleResourceRetriever(migrationId, this.data); + const integrationRetriever = new IntegrationRetriever(this.data); const actionsClientChat = new ActionsClientChat(connectorId, actionsClient, this.logger); const model = await actionsClientChat.createModel({ @@ -102,6 +104,7 @@ export class RuleMigrationsTaskClient { inferenceClient, prebuiltRulesMap, resourceRetriever, + integrationRetriever, logger: this.logger, }); return agent; diff --git a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/util/integration_retriever.test.ts b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/util/integration_retriever.test.ts new file mode 100644 index 0000000000000..2aa01a9c9c41d --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/util/integration_retriever.test.ts @@ -0,0 +1,38 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { MockRuleMigrationsDataClient } from '../../data/__mocks__/mocks'; +import { IntegrationRetriever } from './integration_retriever'; + +describe('IntegrationRetriever', () => { + let integrationRetriever: IntegrationRetriever; + const mockRuleMigrationsDataClient = new MockRuleMigrationsDataClient(); + const mockIntegrationItem = { + id: '1', + title: 'Integration 1', + description: 'Integration 1 description', + data_streams: [{ dataset: 'test', title: 'dstitle', index_pattern: 'logs-*' }], + elser_embedding: 'elser_embedding', + }; + beforeEach(() => { + integrationRetriever = new IntegrationRetriever(mockRuleMigrationsDataClient); + mockRuleMigrationsDataClient.integrations.retrieveIntegrations.mockImplementation( + async (_: string) => { + return mockIntegrationItem; + } + ); + }); + + it('should retrieve integrations', async () => { + const result = await integrationRetriever.getIntegrations('test'); + + expect(mockRuleMigrationsDataClient.integrations.retrieveIntegrations).toHaveBeenCalledWith( + 'test' + ); + expect(result).toEqual(mockIntegrationItem); + }); +}); diff --git a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/util/integration_retriever.ts b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/util/integration_retriever.ts new file mode 100644 index 0000000000000..7913e2c438081 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/util/integration_retriever.ts @@ -0,0 +1,23 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import type { RuleMigrationsDataClient } from '../../data/rule_migrations_data_client'; +import type { Integration } from '../../types'; + +export class IntegrationRetriever { + constructor(private readonly dataClient: RuleMigrationsDataClient) {} + + public async getIntegrations(semanticString: string): Promise { + return this.integrationRetriever(semanticString); + } + + private integrationRetriever = async (semanticString: string): Promise => { + const integrations = await this.dataClient.integrations.retrieveIntegrations(semanticString); + + return integrations; + }; +} diff --git a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/types.ts b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/types.ts index e506b43cc323b..f8a0f0b3b25a7 100644 --- a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/types.ts +++ b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/types.ts @@ -14,3 +14,11 @@ export type Stored = T & { id: string }; export type StoredRuleMigration = Stored; export type StoredRuleMigrationResource = Stored; + +export interface Integration { + title: string; + id: string; + description: string; + data_streams: Array<{ dataset: string; title: string; index_pattern: string }>; + elser_embedding: string; +}