diff --git a/internal/testrunner/runners/asset/runner.go b/internal/testrunner/runners/asset/runner.go
index 6c4574891..58579c5d3 100644
--- a/internal/testrunner/runners/asset/runner.go
+++ b/internal/testrunner/runners/asset/runner.go
@@ -51,7 +51,7 @@ func (r runner) CanRunPerDataStream() bool {
}
// Run runs the asset loading tests
-func (r runner) Run(options testrunner.TestOptions) ([]testrunner.TestResult, error) {
+func (r *runner) Run(options testrunner.TestOptions) ([]testrunner.TestResult, error) {
r.testFolder = options.TestFolder
r.packageRootPath = options.PackageRootPath
@@ -82,7 +82,11 @@ func (r *runner) run() ([]testrunner.TestResult, error) {
if err != nil {
return result.WithError(errors.Wrap(err, "could not create kibana client"))
}
- packageInstaller, err := installer.CreateForManifest(kibanaClient, r.packageRootPath)
+ packageInstaller, err := installer.NewForPackage(installer.Options{
+ Kibana: kibanaClient,
+ RootPath: r.packageRootPath,
+ SkipValidation: true,
+ })
if err != nil {
return result.WithError(errors.Wrap(err, "can't create the package installer"))
}
@@ -92,9 +96,18 @@ func (r *runner) run() ([]testrunner.TestResult, error) {
}
r.removePackageHandler = func() error {
+ pkgManifest, err := packages.ReadPackageManifestFromPackageRoot(r.packageRootPath)
+ if err != nil {
+ return fmt.Errorf("reading package manifest failed: %w", err)
+ }
+
logger.Debug("removing package...")
- if err := packageInstaller.Uninstall(); err != nil {
- return errors.Wrap(err, "error cleaning up package")
+ err = packageInstaller.Uninstall()
+
+ // by default system package is part of an agent policy and it cannot be uninstalled
+ // https://github.com/elastic/elastic-package/blob/5f65dc29811c57454bc7142aaf73725b6d4dc8e6/internal/stack/_static/kibana.yml.tmpl#L62
+ if err != nil && pkgManifest.Name != "system" {
+ logger.Warnf("failed to uninstall package %q: %s", pkgManifest.Name, err.Error())
}
return nil
}
diff --git a/internal/testrunner/runners/system/runner.go b/internal/testrunner/runners/system/runner.go
index af26e2d82..b9ca09d4b 100644
--- a/internal/testrunner/runners/system/runner.go
+++ b/internal/testrunner/runners/system/runner.go
@@ -496,8 +496,13 @@ func (r *runner) runTest(config *testConfig, ctxt servicedeployer.ServiceContext
}
r.deletePackageHandler = func() error {
err := installer.Uninstall()
- if err != nil {
- return fmt.Errorf("failed to uninstall package: %v", err)
+
+ // by default system package is part of an agent policy and it cannot be uninstalled
+ // https://github.com/elastic/elastic-package/blob/5f65dc29811c57454bc7142aaf73725b6d4dc8e6/internal/stack/_static/kibana.yml.tmpl#L62
+ if err != nil && pkgManifest.Name != "system" {
+ // logging the error as a warning and not returning it since there could be other reasons that could make fail this process
+ // for instance being defined a test agent policy where this package is used for debugging purposes
+ logger.Warnf("failed to uninstall package %q: %s", pkgManifest.Name, err.Error())
}
return nil
}
diff --git a/internal/testrunner/testrunner.go b/internal/testrunner/testrunner.go
index e81fa4481..937a53c06 100644
--- a/internal/testrunner/testrunner.go
+++ b/internal/testrunner/testrunner.go
@@ -274,7 +274,7 @@ func Run(testType TestType, options TestOptions) ([]TestResult, error) {
return nil, errors.Wrap(err, "could not complete test run")
}
if tdErr != nil {
- return results, errors.Wrap(err, "could not teardown test runner")
+ return results, errors.Wrap(tdErr, "could not teardown test runner")
}
return results, nil
}
diff --git a/scripts/links_table.yml b/scripts/links_table.yml
index 17c9fccd5..573fcebc5 100644
--- a/scripts/links_table.yml
+++ b/scripts/links_table.yml
@@ -1,2 +1,3 @@
links:
elastic-main: "https://www.elastic.co/guide"
+ getting-started-observability: "https://www.elastic.co/guide/en/welcome-to-elastic/current/getting-started-observability.html"
diff --git a/test/packages/parallel/system/_dev/build/build.yml b/test/packages/parallel/system/_dev/build/build.yml
new file mode 100644
index 000000000..47cbed9fe
--- /dev/null
+++ b/test/packages/parallel/system/_dev/build/build.yml
@@ -0,0 +1,3 @@
+dependencies:
+ ecs:
+ reference: git@v8.0.0
diff --git a/test/packages/parallel/system/_dev/build/docs/README.md b/test/packages/parallel/system/_dev/build/docs/README.md
new file mode 100644
index 000000000..620f2a673
--- /dev/null
+++ b/test/packages/parallel/system/_dev/build/docs/README.md
@@ -0,0 +1,366 @@
+# System Integration
+
+The System integration allows you to monitor servers, personal computers, and more.
+
+Use the System integration to collect metrics and logs from your machines.
+Then visualize that data in Kibana, create alerts to notify you if something goes wrong,
+and reference data when troubleshooting an issue.
+
+For example, if you wanted to be notified when less than 10% of the disk space is still available, you
+could install the System integration to send file system metrics to Elastic.
+Then, you could view real-time updates to disk space used on your system in Kibana's _[Metrics System] Overview_ dashboard.
+You could also set up a new rule in the Elastic Observability Metrics app to alert you when the percent free is
+less than 10% of the total disk space.
+
+## Data streams
+
+The System integration collects two types of data: logs and metrics.
+
+**Logs** help you keep a record of events that happen on your machine.
+Log data streams collected by the System integration include application, system, and security events on
+machines running Windows and auth and syslog events on machines running macOS or Linux.
+See more details in the [Logs reference](#logs-reference).
+
+**Metrics** give you insight into the state of the machine.
+Metric data streams collected by the System integration include CPU usage, load statistics, memory usage,
+information on network behavior, and more.
+See more details in the [Metrics reference](#metrics-reference).
+
+You can enable and disable individual data streams. If _all_ data streams are disabled and the System integration
+is still enabled, Fleet uses the default data streams.
+
+## Requirements
+
+You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it.
+You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your own hardware.
+
+Each data stream collects different kinds of metric data, which may require dedicated permissions
+to be fetched and which may vary across operating systems.
+Details on the permissions needed for each data stream are available in the [Metrics reference](#metrics-reference).
+
+## Setup
+
+For step-by-step instructions on how to set up an integration, see the
+{{ url "getting-started-observability" "Getting started" }} guide.
+
+## Troubleshooting
+
+Note that certain data streams may access `/proc` to gather process information,
+and the resulting `ptrace_may_access()` call by the kernel to check for
+permissions can be blocked by
+[AppArmor and other LSM software](https://gitlab.com/apparmor/apparmor/wikis/TechnicalDoc_Proc_and_ptrace), even though the System module doesn't use `ptrace` directly.
+
+In addition, when running inside a container the proc filesystem directory of the host
+should be set using `system.hostfs` setting to `/hostfs`.
+
+### Windows Event ID clause limit
+
+If you specify more than 22 query conditions (event IDs or event ID ranges), some
+versions of Windows will prevent the integration from reading the event log due to
+limits in the query system. If this occurs, a similar warning as shown below:
+
+```
+The specified query is invalid.
+```
+
+In some cases, the limit may be lower than 22 conditions. For instance, using a
+mixture of ranges and single event IDs, along with an additional parameter such
+as `ignore older`, results in a limit of 21 conditions.
+
+If you have more than 22 conditions, you can work around this Windows limitation
+by using a drop_event processor to do the filtering after filebeat has received
+the events from Windows. The filter shown below is equivalent to
+`event_id: 903, 1024, 2000-2004, 4624` but can be expanded beyond 22 event IDs.
+
+```yaml
+- drop_event.when.not.or:
+ - equals.winlog.event_id: "903"
+ - equals.winlog.event_id: "1024"
+ - equals.winlog.event_id: "4624"
+ - range:
+ winlog.event_id.gte: 2000
+ winlog.event_id.lte: 2004
+```
+
+## Logs reference
+
+### Application
+
+The Windows `application` data stream provides events from the Windows
+`Application` event log.
+
+#### Supported operating systems
+
+- Windows
+
+{{fields "application"}}
+
+### System
+
+The Windows `system` data stream provides events from the Windows `System`
+event log.
+
+#### Supported operating systems
+
+- Windows
+
+{{fields "system"}}
+
+
+### Security
+
+The Windows `security` data stream provides events from the Windows
+`Security` event log.
+
+#### Supported operating systems
+
+- Windows
+
+{{event "security"}}
+
+{{fields "security"}}
+
+### Auth
+
+The `auth` data stream provides auth logs.
+
+#### Supported operating systems
+
+- macOS prior to 10.8
+- Linux
+
+{{fields "auth"}}
+
+### syslog
+
+The `syslog` data stream provides system logs.
+
+#### Supported operating systems
+
+- macOS
+- Linux
+
+{{fields "syslog"}}
+
+## Metrics reference
+
+### Core
+
+The System `core` data stream provides usage statistics for each CPU core.
+
+#### Supported operating systems
+
+- FreeBSD
+- Linux
+- macOS
+- OpenBSD
+- Windows
+
+#### Permissions
+
+This data should be available without elevated permissions.
+
+{{fields "core"}}
+
+### CPU
+
+The System `cpu` data stream provides CPU statistics.
+
+#### Supported operating systems
+
+- FreeBSD
+- Linux
+- macOS
+- OpenBSD
+- Windows
+
+#### Permissions
+
+This data should be available without elevated permissions.
+
+{{fields "cpu"}}
+
+### Disk IO
+
+The System `diskio` data stream provides disk IO metrics collected from the
+operating system. One event is created for each disk mounted on the system.
+
+#### Supported operating systems
+
+- Linux
+- macOS (requires 10.10+)
+- Windows
+- FreeBSD (amd64)
+
+#### Permissions
+
+This data should be available without elevated permissions.
+
+{{fields "diskio"}}
+
+### Filesystem
+
+The System `filesystem` data stream provides file system statistics. For each file
+system, one document is provided.
+
+#### Supported operating systems
+
+- FreeBSD
+- Linux
+- macOS
+- OpenBSD
+- Windows
+
+#### Permissions
+
+This data should be available without elevated permissions.
+
+{{fields "filesystem"}}
+
+### Fsstat
+
+The System `fsstat` data stream provides overall file system statistics.
+
+#### Supported operating systems
+
+- FreeBSD
+- Linux
+- macOS
+- OpenBSD
+- Windows
+
+#### Permissions
+
+This data should be available without elevated permissions.
+
+{{fields "fsstat"}}
+
+### Load
+
+The System `load` data stream provides load statistics.
+
+#### Supported operating systems
+
+- FreeBSD
+- Linux
+- macOS
+- OpenBSD
+
+#### Permissions
+
+This data should be available without elevated permissions.
+
+{{fields "load"}}
+
+### Memory
+
+The System `memory` data stream provides memory statistics.
+
+#### Supported operating systems
+
+- FreeBSD
+- Linux
+- macOS
+- OpenBSD
+- Windows
+
+#### Permissions
+
+This data should be available without elevated permissions.
+
+{{fields "memory"}}
+
+### Network
+
+The System `network` data stream provides network IO metrics collected from the
+operating system. One event is created for each network interface.
+
+#### Supported operating systems
+
+- FreeBSD
+- Linux
+- macOS
+- Windows
+
+#### Permissions
+
+This data should be available without elevated permissions.
+
+{{fields "network"}}
+
+### Process
+
+The System `process` data stream provides process statistics. One document is
+provided for each process.
+
+#### Supported operating systems
+
+- FreeBSD
+- Linux
+- macOS
+- Windows
+
+#### Permissions
+
+Process execution data should be available for an authorized user.
+If running as less privileged user, it may not be able to read process data belonging to other users.
+
+{{fields "process"}}
+
+### Process summary
+
+The `process_summary` data stream collects high level statistics about the running
+processes.
+
+#### Supported operating systems
+
+- FreeBSD
+- Linux
+- macOS
+- Windows
+
+#### Permissions
+
+General process summary data should be available without elevated permissions.
+If the process data belongs to the other users, it will be counted as unknown value.
+
+{{fields "process_summary"}}
+
+### Socket summary
+
+The System `socket_summary` data stream provides the summary of open network
+sockets in the host system.
+
+It collects a summary of metrics with the count of existing TCP and UDP
+connections and the count of listening ports.
+
+#### Supported operating systems
+
+- FreeBSD
+- Linux
+- macOS
+- Windows
+
+#### Permissions
+
+This data should be available without elevated permissions.
+
+{{fields "socket_summary"}}
+
+### Uptime
+
+The System `uptime` data stream provides the uptime of the host operating system.
+
+#### Supported operating systems
+
+- Linux
+- macOS
+- OpenBSD
+- FreeBSD
+- Windows
+
+#### Permissions
+
+This data should be available without elevated permissions.
+
+{{fields "uptime"}}
diff --git a/test/packages/parallel/system/_dev/deploy/docker/docker-compose.yml b/test/packages/parallel/system/_dev/deploy/docker/docker-compose.yml
new file mode 100644
index 000000000..f7ba732f9
--- /dev/null
+++ b/test/packages/parallel/system/_dev/deploy/docker/docker-compose.yml
@@ -0,0 +1,18 @@
+version: '2.3'
+services:
+ system:
+ image: alpine
+ volumes:
+ - ${SERVICE_LOGS_DIR}:/service_logs
+ security:
+ image: docker.elastic.co/observability/stream:v0.4.0
+ ports:
+ - 8080
+ volumes:
+ - ./sample_logs:/sample_logs:ro
+ command:
+ - log
+ - --start-signal=SIGHUP
+ - --addr=:8080
+ - -p=http-server
+ - /sample_logs/security.json.log
diff --git a/test/packages/parallel/system/_dev/deploy/docker/sample_logs/security.json.log b/test/packages/parallel/system/_dev/deploy/docker/sample_logs/security.json.log
new file mode 100644
index 000000000..88e56a76d
--- /dev/null
+++ b/test/packages/parallel/system/_dev/deploy/docker/sample_logs/security.json.log
@@ -0,0 +1 @@
+{"preview": false,"offset": 194,"lastrow": true,"result": {"_bkt": "main~0~1212176D-89E1-485D-89E6-3ADC276CCA38","_cd": "0:315","_indextime": "1622471463","_raw": "11000410300x402000000000000014257SecurityWIN-41OB2LO92CR.wlbeat.local","_serial": "194","_si": ["69819b6ce1bd","main"],"_sourcetype": "XmlWinEventLog:Security","_time": "2021-05-25 13:11:45.000 UTC","host": "VAGRANT","index": "main","linecount": "1","max_indextime": "1622471606","source": "WinEventLog:Security","sourcetype": "XmlWinEventLog:Security","splunk_server": "69819b6ce1bd"}}
\ No newline at end of file
diff --git a/test/packages/parallel/system/changelog.yml b/test/packages/parallel/system/changelog.yml
new file mode 100644
index 000000000..d6d69ce08
--- /dev/null
+++ b/test/packages/parallel/system/changelog.yml
@@ -0,0 +1,489 @@
+# newer versions go on top
+- version: "1.33.0"
+ changes:
+ - description: Add permissions to reroute events to logs-*-* for syslog datastream
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6340
+- version: "1.32.0-beta.2"
+ changes:
+ - description: Enable TSDS for network data_streams
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6469
+- version: "1.32.0-beta.1"
+ changes:
+ - description: Add dimensions for the network data_stream
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6405
+- version: "1.32.0-beta"
+ changes:
+ - description: Enable TSDS for metrics data_streams, except core, network and process data_streams for beta testing
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6427
+- version: "1.31.1"
+ changes:
+ - description: Add missing metric_type metadata
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6395
+- version: "1.31.0"
+ changes:
+ - description: Add dimension metadata to the process data_stream
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6407
+- version: "1.30.0"
+ changes:
+ - description: Add dimension fields to metrics all data_streams, except core, network and process to support TSDS migration
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6118
+- version: "1.29.0"
+ changes:
+ - description: support ip or domain in sshd messages
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6256
+- version: "1.28.0"
+ changes:
+ - description: Add a new flag to enable request tracing
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6163
+- version: "1.27.1"
+ changes:
+ - description: Remove managed tag.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/6098
+- version: "1.27.0"
+ changes:
+ - description: Convert TSVB visualisations to Lens.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/5740
+- version: "1.26.0"
+ changes:
+ - description: Adds /var/log/system* to default syslog input for macOS
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/4157
+- version: "1.25.4"
+ changes:
+ - description: Fix visualization to reference Elastic Agent integrations, not Winlogbeat
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/5828
+- version: "1.26.0-next"
+ changes:
+ - description: Clean Windows dashboards.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/5653
+- version: "1.25.3"
+ changes:
+ - description: Document 21 Event ID clause limit under certain situations.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/5838
+- version: "1.25.2"
+ changes:
+ - description: Remove duplicate Windows dashboards.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/5525
+- version: "1.25.1"
+ changes:
+ - description: Added categories and/or subcategories.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/5123
+- version: "1.25.0"
+ changes:
+ - description: Convert dashboard visualisations to storage by value.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/5322
+- version: "1.24.3"
+ changes:
+ - description: Fix mapping for winlog.time_created by setting to date instead of keyword
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/5350
+- version: "1.24.2"
+ changes:
+ - description: Remove redundant regular expression quantifier.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/5320
+- version: "1.24.1"
+ changes:
+ - description: Added filters on dataset for system metrics dashboards
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/5198
+- version: "1.24.0"
+ changes:
+ - description: Add basic dimension fields for cpu, load and memory
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1234
+- version: "1.23.1"
+ changes:
+ - description: Mark datasets as ga
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/5119
+- version: "1.23.0"
+ changes:
+ - description: Add mapping for Windows events 4797, 5379, 5380, 5381, and 5382.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/5087
+- version: "1.22.0"
+ changes:
+ - description: Improve handling of user name and event outcome in auth dataset.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/4478
+- version: "1.21.0"
+ changes:
+ - description: Embed visualizations within dashboards (where possible) to make them self-contained and reduce Kibana saved object clutter.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/5023
+- version: "1.20.4"
+ changes:
+ - description: Remove wrong visualization from dashboard
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/4472
+- version: "1.20.3"
+ changes:
+ - description: Allow adding multiple processors in syslog data stream
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/4437
+- version: "1.20.2"
+ changes:
+ - description: Remove incorrect tag
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/4248
+- version: "1.20.1"
+ changes:
+ - description: Fix adding processors in syslog data stream
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/4396
+- version: "1.20.0"
+ changes:
+ - description: Improve system overview and host overview dashboards
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3562
+- version: "1.19.5"
+ changes:
+ - description: Fix duplicated processor field in syslog
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/4180
+- version: "1.19.4"
+ changes:
+ - description: Add missing field mapping for `error.code` and `error.message`
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/4084
+- version: "1.19.3"
+ changes:
+ - description: Add test cases for events 4738 and 4742.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3944
+- version: "1.19.2"
+ changes:
+ - description: Add mapping for event.original for auth and security data streams.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/4012
+- version: "1.19.1"
+ changes:
+ - description: Fix handling of security events 4674, 4738 and 4742.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3930
+- version: "1.19.0"
+ changes:
+ - description: Add ignore_older to remaining logs
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3691
+- version: "1.18.0"
+ changes:
+ - description: Separate grok parsing into stages and anchor the patterns in the system.auth pipeline.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3705
+ - description: Add processors, tags, and preserve original event options to the system.auth data stream.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3705
+- version: "1.17.0"
+ changes:
+ - description: Add processor and tag fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3563
+- version: "1.16.2"
+ changes:
+ - description: Update documentation with additional context for new users.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3306
+- version: "1.16.1"
+ changes:
+ - description: Fix missing key in env whitelist
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3519
+- version: "1.16.0"
+ changes:
+ - description: Migrating from tile map to map in system log dashboard
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3509
+- version: "1.15.1"
+ changes:
+ - description: Fix ECS schema
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3424
+- version: "1.15.0"
+ changes:
+ - description: Enrich security data set with GeoIP data
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3375
+- version: "1.14.0"
+ changes:
+ - description: Add support for events 5140 and 5145 to the security pipeline.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3299
+- version: "1.13.0"
+ changes:
+ - description: Add parent process ID to security event for new process creation.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2966
+- version: "1.12.1"
+ changes:
+ - description: Add documentation for multi-fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2916
+- version: "1.12.0"
+ changes:
+ - description: Add system/process pipeline to rename process.ppid to process.parent.pid as per ECS 8.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2610
+- version: "1.11.0"
+ changes:
+ - description: Add option to configure ignored filesystem types
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2679
+- version: "1.10.0"
+ changes:
+ - description: Expose winlog input ignore_older option.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2542
+ - description: Fix preserve original event option
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2542
+ - description: Make order of Security, Application, System options consistent with other winlog based integrations.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2542
+- version: "1.9.0"
+ changes:
+ - description: Update to ECS 8.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2512
+- version: "1.8.0"
+ changes:
+ - description: Add routing pipeline to security data_stream, limit to specific providers.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2523
+- version: "1.7.0"
+ changes:
+ - description: Expose winlog input language option.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2344
+- version: "1.6.6"
+ changes:
+ - description: Regenerate test files using the new GeoIP database
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2339
+- version: "1.6.5"
+ changes:
+ - description: Change test public IPs to the supported subset
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2327
+- version: "1.6.4"
+ changes:
+ - description: More consistent use of Proc Filesystem Directory settings
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2201
+ - description: Support Kibana 8
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2201
+- version: "1.6.3"
+ changes:
+ - description: Fix AccessList and AccessMask processing in security data_stream
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2156
+- version: "1.6.2"
+ changes:
+ - description: Fix missing null check in security pipeline
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2148
+- version: "1.6.1"
+ changes:
+ - description: Uniform with guidelines
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2082
+- version: "1.6.0"
+ changes:
+ - description: Consistently map message field in Windows integrations.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2008
+- version: "1.5.0"
+ changes:
+ - description: Better user mappings for security events
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1944
+- version: "1.4.2"
+ changes:
+ - description: Prevent pipeline script error
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1869
+- version: "1.4.1"
+ changes:
+ - description: Fix logic that checks for the 'forwarded' tag
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1855
+- version: "1.4.0"
+ changes:
+ - description: Update to ECS 1.12.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1709
+- version: "1.3.0"
+ changes:
+ - description: Add custom processors and event_id to Application, Security & System data_streams
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1548
+- version: "1.2.1"
+ changes:
+ - description: Convert to generated ECS fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1508
+- version: "1.2.0"
+ changes:
+ - description: Update fields to include new cgroups fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1539
+- version: "1.1.5"
+ changes:
+ - description: Fix Windows links
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1525
+- version: "1.1.4"
+ changes:
+ - description: Fix issue with normalized CPU gauge
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1458
+- version: "1.1.3"
+ changes:
+ - description: update to ECS 1.11.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1429
+- version: "1.1.2"
+ changes:
+ - description: Mark integration as GA
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1435
+- version: "1.1.1"
+ changes:
+ - description: Escape special characters in docs
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1405
+- version: "1.1.0"
+ changes:
+ - description: Update integration description
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1364
+- version: "1.0.1"
+ changes:
+ - description: Move visualizations to cpu.norm.pct
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1358
+- version: "1.0.0"
+ changes:
+ - description: GA the system module
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1282
+- version: "0.13.6"
+ changes:
+ - description: Use event.dataset and event.module
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1211
+- version: "0.13.5"
+ changes:
+ - description: Add support for Splunk authorization tokens
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1147
+- version: "0.13.4"
+ changes:
+ - description: Use `wildcard` type for relevant ECS fields in `security` stream.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1185
+- version: "0.13.3"
+ changes:
+ - description: Fix unneeded unit and metric type for field groups
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1114
+- version: "0.13.2"
+ changes:
+ - description: Fix security pipeline to support string event.code.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1089
+- version: "0.13.1"
+ changes:
+ - description: Add system tests for security data_stream.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1069
+- version: "0.13.0"
+ changes:
+ - description: Render units and metric types in exported fields table
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1028
+- version: "0.12.7"
+ changes:
+ - description: Fix security pipeline to support string event.code for 7.13.
+ type: bugfix
+ link: https://github.com/elastic/package-storage/pull/1372
+- version: "0.12.6"
+ changes:
+ - description: Report system_summary properly.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/778
+- version: "0.12.5"
+ changes:
+ - description: Make event.original optional for application, security, and system data streams.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/990
+- version: "0.12.4"
+ changes:
+ - description: Fix inconsistent dashboard IDs
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/987
+- version: "0.12.3"
+ changes:
+ - description: Remove edge processing for httpjson input.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/969
+- version: "0.12.2"
+ changes:
+ - description: Add event.code mappings
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/932
+- version: "0.12.1"
+ changes:
+ - description: Convert Security processing to Ingest Node
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/917
+ - description: Change Splunk input to use the decode_xml_wineventlog processor.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/924
+- version: "0.12.0"
+ changes:
+ - description: Add Splunk input for application, system, and security data streams.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/890
+- version: "0.11.3"
+ changes:
+ - description: Updating package owner
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/766
+ - description: update to ECS 1.9.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/874
+- version: "0.11.2"
+ changes:
+ - description: Update security data stream
+ type: bugfix # can be one of: enhancement, bugfix, breaking-change
+ link: https://github.com/elastic/integrations/pull/728
+- version: "0.11.1" # unreleased
+ changes:
+ - description: remove duplicate ingest pipeline for syslog data stream
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/725
+- version: "0.0.3"
+ changes:
+ - description: initial release
+ type: enhancement # can be one of: enhancement, bugfix, breaking-change
+ link: https://github.com/elastic/integrations/pull/8
diff --git a/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-auth.log b/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-auth.log
new file mode 100644
index 000000000..1c5c96b3c
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-auth.log
@@ -0,0 +1,11 @@
+Feb 21 21:54:44 localhost sshd[3402]: Accepted publickey for vagrant from 10.0.2.2 port 63673 ssh2: RSA 39:33:99:e9:a0:dc:f2:33:a3:e5:72:3b:7c:3a:56:84
+Feb 23 00:13:35 localhost sshd[7483]: Accepted password for vagrant from 192.168.33.1 port 58803 ssh2
+Feb 21 21:56:12 localhost sshd[3430]: Invalid user test from 10.0.2.2
+Feb 20 08:35:22 slave22 sshd[5774]: Failed password for root from 89.160.20.156 port 29160 ssh2
+Feb 21 23:35:33 localhost sudo: vagrant : TTY=pts/0 ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/ls
+Feb 19 15:30:04 slave22 sshd[18406]: Did not receive identification string from 89.160.20.156
+Feb 23 00:08:48 localhost sudo: vagrant : TTY=pts/1 ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/cat /var/log/secure
+Feb 24 00:13:02 precise32 sudo: tsg : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/ls
+Feb 22 11:47:05 localhost groupadd[6991]: new group: name=apache, GID=48
+Feb 22 11:47:05 localhost useradd[6995]: new user: name=apache, UID=48, GID=48, home=/usr/share/httpd, shell=/sbin/nologin
+Feb 22 12:53:50 localhost-machine sshd[10161]: error: PAM: User not known to the underlying authentication module for illegal user test from test.example.com
diff --git a/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-auth.log-config.yml b/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-auth.log-config.yml
new file mode 100644
index 000000000..98cc18212
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-auth.log-config.yml
@@ -0,0 +1,5 @@
+fields:
+ event.timezone: "+0000"
+dynamic_fields:
+ event.ingested: "^.*$"
+ "@timestamp": "^[0-9]{4}(-[0-9]{2}){2}T[0-9]{2}(:[0-9]{2}){2}\\.[0-9]{3}Z$"
diff --git a/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-auth.log-expected.json b/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-auth.log-expected.json
new file mode 100644
index 000000000..29efbed6f
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-auth.log-expected.json
@@ -0,0 +1,532 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2023-02-21T21:54:44.000Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "ssh_login",
+ "category": [
+ "authentication",
+ "session"
+ ],
+ "kind": "event",
+ "outcome": "success",
+ "timezone": "+0000",
+ "type": [
+ "info"
+ ]
+ },
+ "host": {
+ "hostname": "localhost"
+ },
+ "process": {
+ "name": "sshd",
+ "pid": 3402
+ },
+ "related": {
+ "hosts": [
+ "localhost"
+ ],
+ "ip": [
+ "10.0.2.2"
+ ],
+ "user": [
+ "vagrant"
+ ]
+ },
+ "source": {
+ "address": "10.0.2.2",
+ "ip": "10.0.2.2",
+ "port": 63673
+ },
+ "system": {
+ "auth": {
+ "ssh": {
+ "event": "Accepted",
+ "method": "publickey",
+ "signature": "RSA 39:33:99:e9:a0:dc:f2:33:a3:e5:72:3b:7c:3a:56:84"
+ }
+ }
+ },
+ "user": {
+ "name": "vagrant"
+ }
+ },
+ {
+ "@timestamp": "2023-02-23T00:13:35.000Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "ssh_login",
+ "category": [
+ "authentication",
+ "session"
+ ],
+ "kind": "event",
+ "outcome": "success",
+ "timezone": "+0000",
+ "type": [
+ "info"
+ ]
+ },
+ "host": {
+ "hostname": "localhost"
+ },
+ "process": {
+ "name": "sshd",
+ "pid": 7483
+ },
+ "related": {
+ "hosts": [
+ "localhost"
+ ],
+ "ip": [
+ "192.168.33.1"
+ ],
+ "user": [
+ "vagrant"
+ ]
+ },
+ "source": {
+ "address": "192.168.33.1",
+ "ip": "192.168.33.1",
+ "port": 58803
+ },
+ "system": {
+ "auth": {
+ "ssh": {
+ "event": "Accepted",
+ "method": "password"
+ }
+ }
+ },
+ "user": {
+ "name": "vagrant"
+ }
+ },
+ {
+ "@timestamp": "2023-02-21T21:56:12.000Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "ssh_login",
+ "category": [
+ "authentication"
+ ],
+ "kind": "event",
+ "outcome": "failure",
+ "timezone": "+0000",
+ "type": [
+ "info"
+ ]
+ },
+ "host": {
+ "hostname": "localhost"
+ },
+ "process": {
+ "name": "sshd",
+ "pid": 3430
+ },
+ "related": {
+ "hosts": [
+ "localhost"
+ ],
+ "ip": [
+ "10.0.2.2"
+ ],
+ "user": [
+ "test"
+ ]
+ },
+ "source": {
+ "address": "10.0.2.2",
+ "ip": "10.0.2.2"
+ },
+ "system": {
+ "auth": {
+ "ssh": {
+ "event": "Invalid"
+ }
+ }
+ },
+ "user": {
+ "name": "test"
+ }
+ },
+ {
+ "@timestamp": "2023-02-20T08:35:22.000Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "ssh_login",
+ "category": [
+ "authentication"
+ ],
+ "kind": "event",
+ "outcome": "failure",
+ "timezone": "+0000",
+ "type": [
+ "info"
+ ]
+ },
+ "host": {
+ "hostname": "slave22"
+ },
+ "process": {
+ "name": "sshd",
+ "pid": 5774
+ },
+ "related": {
+ "hosts": [
+ "slave22"
+ ],
+ "ip": [
+ "89.160.20.156"
+ ],
+ "user": [
+ "root"
+ ]
+ },
+ "source": {
+ "address": "89.160.20.156",
+ "as": {
+ "number": 29518,
+ "organization": {
+ "name": "Bredband2 AB"
+ }
+ },
+ "geo": {
+ "city_name": "Linköping",
+ "continent_name": "Europe",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "location": {
+ "lat": 58.4167,
+ "lon": 15.6167
+ },
+ "region_iso_code": "SE-E",
+ "region_name": "Östergötland County"
+ },
+ "ip": "89.160.20.156",
+ "port": 29160
+ },
+ "system": {
+ "auth": {
+ "ssh": {
+ "event": "Failed",
+ "method": "password"
+ }
+ }
+ },
+ "user": {
+ "name": "root"
+ }
+ },
+ {
+ "@timestamp": "2023-02-21T23:35:33.000Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "kind": "event",
+ "timezone": "+0000"
+ },
+ "host": {
+ "hostname": "localhost"
+ },
+ "process": {
+ "name": "sudo"
+ },
+ "related": {
+ "hosts": [
+ "localhost"
+ ],
+ "user": [
+ "vagrant",
+ "root"
+ ]
+ },
+ "system": {
+ "auth": {
+ "sudo": {
+ "command": "/bin/ls",
+ "pwd": "/home/vagrant",
+ "tty": "pts/0",
+ "user": "root"
+ }
+ }
+ },
+ "user": {
+ "effective": {
+ "name": "root"
+ },
+ "name": "vagrant"
+ }
+ },
+ {
+ "@timestamp": "2023-02-19T15:30:04.000Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "kind": "event",
+ "timezone": "+0000"
+ },
+ "host": {
+ "hostname": "slave22"
+ },
+ "process": {
+ "name": "sshd",
+ "pid": 18406
+ },
+ "related": {
+ "hosts": [
+ "slave22"
+ ],
+ "ip": [
+ "89.160.20.156"
+ ]
+ },
+ "source": {
+ "as": {
+ "number": 29518,
+ "organization": {
+ "name": "Bredband2 AB"
+ }
+ },
+ "geo": {
+ "city_name": "Linköping",
+ "continent_name": "Europe",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "location": {
+ "lat": 58.4167,
+ "lon": 15.6167
+ },
+ "region_iso_code": "SE-E",
+ "region_name": "Östergötland County"
+ },
+ "ip": "89.160.20.156"
+ },
+ "system": {
+ "auth": {
+ "ssh": {
+ "dropped_ip": "89.160.20.156"
+ }
+ }
+ }
+ },
+ {
+ "@timestamp": "2023-02-23T00:08:48.000Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "kind": "event",
+ "timezone": "+0000"
+ },
+ "host": {
+ "hostname": "localhost"
+ },
+ "process": {
+ "name": "sudo"
+ },
+ "related": {
+ "hosts": [
+ "localhost"
+ ],
+ "user": [
+ "vagrant",
+ "root"
+ ]
+ },
+ "system": {
+ "auth": {
+ "sudo": {
+ "command": "/bin/cat /var/log/secure",
+ "pwd": "/home/vagrant",
+ "tty": "pts/1",
+ "user": "root"
+ }
+ }
+ },
+ "user": {
+ "effective": {
+ "name": "root"
+ },
+ "name": "vagrant"
+ }
+ },
+ {
+ "@timestamp": "2023-02-24T00:13:02.000Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "kind": "event",
+ "timezone": "+0000"
+ },
+ "host": {
+ "hostname": "precise32"
+ },
+ "process": {
+ "name": "sudo"
+ },
+ "related": {
+ "hosts": [
+ "precise32"
+ ],
+ "user": [
+ "tsg",
+ "root"
+ ]
+ },
+ "system": {
+ "auth": {
+ "sudo": {
+ "command": "/bin/ls",
+ "error": "user NOT in sudoers",
+ "pwd": "/home/vagrant",
+ "tty": "pts/1",
+ "user": "root"
+ }
+ }
+ },
+ "user": {
+ "effective": {
+ "name": "root"
+ },
+ "name": "tsg"
+ }
+ },
+ {
+ "@timestamp": "2023-02-22T11:47:05.000Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "category": [
+ "iam"
+ ],
+ "kind": "event",
+ "outcome": "success",
+ "timezone": "+0000",
+ "type": [
+ "group",
+ "creation"
+ ]
+ },
+ "group": {
+ "id": "48",
+ "name": "apache"
+ },
+ "host": {
+ "hostname": "localhost"
+ },
+ "process": {
+ "name": "groupadd",
+ "pid": 6991
+ },
+ "related": {
+ "hosts": [
+ "localhost"
+ ]
+ },
+ "system": {
+ "auth": {}
+ }
+ },
+ {
+ "@timestamp": "2023-02-22T11:47:05.000Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "category": [
+ "iam"
+ ],
+ "kind": "event",
+ "outcome": "success",
+ "timezone": "+0000",
+ "type": [
+ "user",
+ "creation"
+ ]
+ },
+ "group": {
+ "id": "48"
+ },
+ "host": {
+ "hostname": "localhost"
+ },
+ "process": {
+ "name": "useradd",
+ "pid": 6995
+ },
+ "related": {
+ "hosts": [
+ "localhost"
+ ],
+ "user": [
+ "apache"
+ ]
+ },
+ "system": {
+ "auth": {
+ "useradd": {
+ "home": "/usr/share/httpd",
+ "shell": "/sbin/nologin"
+ }
+ }
+ },
+ "user": {
+ "id": "48",
+ "name": "apache"
+ }
+ },
+ {
+ "@timestamp": "2023-02-22T12:53:50.000Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "kind": "event",
+ "timezone": "+0000"
+ },
+ "host": {
+ "hostname": "localhost-machine"
+ },
+ "process": {
+ "name": "sshd",
+ "pid": 10161
+ },
+ "related": {
+ "hosts": [
+ "localhost-machine"
+ ],
+ "user": [
+ "test"
+ ]
+ },
+ "source": {
+ "address": "test.example.com",
+ "domain": "test.example.com"
+ },
+ "system": {
+ "auth": {
+ "ssh": {
+ "event": "error: PAM: User not known to the underlying authentication module for illegal"
+ }
+ }
+ },
+ "user": {
+ "name": "test"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-timestamp.log b/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-timestamp.log
new file mode 100644
index 000000000..f1ab57f9e
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-timestamp.log
@@ -0,0 +1,2 @@
+2019-06-14T10:40:20.912134 localhost sudo: pam_unix(sudo-i:session): session opened for user root by userauth3(uid=0)
+2019-06-14T13:01:15.412+01:30 localhost pam: user nobody logged out.
diff --git a/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-timestamp.log-config.yml b/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-timestamp.log-config.yml
new file mode 100644
index 000000000..20ac5d8e3
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-timestamp.log-config.yml
@@ -0,0 +1,4 @@
+fields:
+ event.timezone: "+0000"
+dynamic_fields:
+ event.ingested: ".*"
diff --git a/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-timestamp.log-expected.json b/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-timestamp.log-expected.json
new file mode 100644
index 000000000..c330599fb
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/auth/_dev/test/pipeline/test-timestamp.log-expected.json
@@ -0,0 +1,65 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2019-06-14T10:40:20.912Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "kind": "event",
+ "timezone": "+0000"
+ },
+ "host": {
+ "hostname": "localhost"
+ },
+ "message": "pam_unix(sudo-i:session): session opened for user root by userauth3(uid=0)",
+ "process": {
+ "name": "sudo"
+ },
+ "related": {
+ "hosts": [
+ "localhost"
+ ],
+ "user": [
+ "userauth3",
+ "root"
+ ]
+ },
+ "system": {
+ "auth": {}
+ },
+ "user": {
+ "effective": {
+ "name": "root"
+ },
+ "id": "0",
+ "name": "userauth3"
+ }
+ },
+ {
+ "@timestamp": "2019-06-14T11:31:15.412Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "kind": "event",
+ "timezone": "+0000"
+ },
+ "host": {
+ "hostname": "localhost"
+ },
+ "message": "user nobody logged out.",
+ "process": {
+ "name": "pam"
+ },
+ "related": {
+ "hosts": [
+ "localhost"
+ ]
+ },
+ "system": {
+ "auth": {}
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/auth/agent/stream/log.yml.hbs b/test/packages/parallel/system/data_stream/auth/agent/stream/log.yml.hbs
new file mode 100644
index 000000000..184333c45
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/auth/agent/stream/log.yml.hbs
@@ -0,0 +1,30 @@
+{{#if ignore_older}}
+ignore_older: {{ignore_older}}
+{{/if}}
+paths:
+{{#each paths as |path i|}}
+ - {{path}}
+{{/each}}
+exclude_files: [".gz$"]
+
+multiline:
+ pattern: "^\\s"
+ match: after
+
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+
+processors:
+- add_locale: ~
+{{#if processors}}
+{{processors}}
+{{/if}}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/auth/elasticsearch/ingest_pipeline/default.yml b/test/packages/parallel/system/data_stream/auth/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 000000000..35a7e44fb
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/auth/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,237 @@
+---
+description: Pipeline for parsing system authorization and secure logs.
+processors:
+ - rename:
+ if: ctx.event?.original == null
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ - grok:
+ description: Grok the message header.
+ tag: grok-message-header
+ field: event.original
+ pattern_definitions:
+ GREEDYMULTILINE: '(.|\n)*'
+ TIMESTAMP: (?:%{TIMESTAMP_ISO8601}|%{SYSLOGTIMESTAMP})
+ patterns:
+ - '^%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname}? %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?:%{SPACE}%{GREEDYMULTILINE:_temp.message}$'
+ - grok:
+ description: Grok specific auth messages.
+ tag: grok-specific-messages
+ field: _temp.message
+ ignore_missing: true
+ patterns:
+ - '^%{DATA:system.auth.ssh.event} %{DATA:system.auth.ssh.method} for (invalid user)?%{DATA:user.name} from %{IPORHOST:source.address} port %{NUMBER:source.port:long} ssh2(: %{GREEDYDATA:system.auth.ssh.signature})?'
+ - '^%{DATA:system.auth.ssh.event} user %{DATA:user.name} from %{IPORHOST:source.address}'
+ - '^Did not receive identification string from %{IPORHOST:system.auth.ssh.dropped_ip}'
+ - '^%{DATA:user.name} :( %{DATA:system.auth.sudo.error} ;)? TTY=%{DATA:system.auth.sudo.tty} ; PWD=%{DATA:system.auth.sudo.pwd} ; USER=%{DATA:system.auth.sudo.user} ; COMMAND=%{GREEDYDATA:system.auth.sudo.command}'
+ - '^new group: name=%{DATA:group.name}, GID=%{NUMBER:group.id}'
+ - '^new user: name=%{DATA:user.name}, UID=%{NUMBER:user.id}, GID=%{NUMBER:group.id}, home=%{DATA:system.auth.useradd.home}, shell=%{DATA:system.auth.useradd.shell}$'
+ on_failure:
+ - rename:
+ description: Leave the unmatched content in message.
+ field: _temp.message
+ target_field: message
+ - remove:
+ field: _temp
+ - grok:
+ description: Grok usernames from PAM messages.
+ tag: grok-pam-users
+ field: message
+ ignore_missing: true
+ ignore_failure: true
+ patterns:
+ - 'for user %{QUOTE}?%{DATA:_temp.foruser}%{QUOTE}? by %{QUOTE}?%{DATA:_temp.byuser}%{QUOTE}?(?:\(uid=%{NUMBER:_temp.byuid}\))?$'
+ - 'for user %{QUOTE}?%{DATA:_temp.foruser}%{QUOTE}?$'
+ - 'by user %{QUOTE}?%{DATA:_temp.byuser}%{QUOTE}?$'
+ - '%{BOUNDARY} user %{QUOTE}%{DATA:_temp.user}%{QUOTE}'
+ pattern_definitions:
+ QUOTE: "['\"]"
+ BOUNDARY: "(?-
+ if (ctx.system.auth.ssh.event == "Accepted") {
+ ctx.event.type = ["info"];
+ ctx.event.category = ["authentication", "session"];
+ ctx.event.action = "ssh_login";
+ ctx.event.outcome = "success";
+ } else if (ctx.system.auth.ssh.event == "Invalid" || ctx.system.auth.ssh.event == "Failed") {
+ ctx.event.type = ["info"];
+ ctx.event.category = ["authentication"];
+ ctx.event.action = "ssh_login";
+ ctx.event.outcome = "failure";
+ }
+ - append:
+ field: event.category
+ value: iam
+ if: ctx.process?.name != null && ['groupadd', 'groupdel', 'groupmod', 'useradd', 'userdel', 'usermod'].contains(ctx.process.name)
+ - set:
+ field: event.outcome
+ value: success
+ if: ctx.process?.name != null && (ctx.message == null || !ctx.message.contains("fail")) && ['groupadd', 'groupdel', 'groupmod', 'useradd', 'userdel', 'usermod'].contains(ctx.process.name)
+ - set:
+ field: event.outcome
+ value: failure
+ if: ctx.process?.name != null && (ctx.message != null && ctx.message.contains("fail")) && ['groupadd', 'groupdel', 'groupmod', 'useradd', 'userdel', 'usermod'].contains(ctx.process.name)
+ - append:
+ field: event.type
+ value: user
+ if: ctx.process?.name != null && ['useradd', 'userdel', 'usermod'].contains(ctx.process.name)
+ - append:
+ field: event.type
+ value: group
+ if: ctx.process?.name != null && ['groupadd', 'groupdel', 'groupmod'].contains(ctx.process.name)
+ - append:
+ field: event.type
+ value: creation
+ if: ctx.process?.name != null && ['useradd', 'groupadd'].contains(ctx.process.name)
+ - append:
+ field: event.type
+ value: deletion
+ if: ctx.process?.name != null && ['userdel', 'groupdel'].contains(ctx.process.name)
+ - append:
+ field: event.type
+ value: change
+ if: ctx.process?.name != null && ['usermod', 'groupmod'].contains(ctx.process.name)
+ - append:
+ field: related.user
+ value: "{{{ user.name }}}"
+ allow_duplicates: false
+ if: ctx.user?.name != null && ctx.user?.name != ''
+ - append:
+ field: related.user
+ value: "{{{ user.effective.name }}}"
+ allow_duplicates: false
+ if: ctx.user?.effective?.name != null && ctx.user?.effective?.name != ''
+ - append:
+ field: related.ip
+ value: "{{{ source.ip }}}"
+ allow_duplicates: false
+ if: ctx.source?.ip != null && ctx.source?.ip != ''
+ - append:
+ field: related.hosts
+ value: "{{{ host.hostname }}}"
+ allow_duplicates: false
+ if: ctx.host?.hostname != null && ctx.host?.hostname != ''
+ - set:
+ field: ecs.version
+ value: 8.0.0
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+on_failure:
+ - set:
+ field: error.message
+ value: '{{{ _ingest.on_failure_message }}}'
diff --git a/test/packages/parallel/system/data_stream/auth/fields/agent.yml b/test/packages/parallel/system/data_stream/auth/fields/agent.yml
new file mode 100644
index 000000000..da4e652c5
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/auth/fields/agent.yml
@@ -0,0 +1,198 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+ type: group
+ fields:
+ - name: account.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
+
+ Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+ example: 666777888999
+ - name: availability_zone
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Availability zone in which this host is running.
+ example: us-east-1c
+ - name: instance.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance ID of the host machine.
+ example: i-1234567890abcdef0
+ - name: instance.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance name of the host machine.
+ - name: machine.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Machine type of the host machine.
+ example: t2.medium
+ - name: provider
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+ example: aws
+ - name: region
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Region in which this host is running.
+ example: us-east-1
+ - name: project.id
+ type: keyword
+ description: Name of the project in Google Cloud.
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
+- name: container
+ title: Container
+ group: 2
+ description: 'Container fields are used for meta information about the specific container that is the source of information.
+
+ These fields help correlate data based containers from any runtime.'
+ type: group
+ fields:
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique container id.
+ - name: image.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the image the container was built on.
+ - name: labels
+ level: extended
+ type: object
+ object_type: keyword
+ description: Image labels.
+ - name: name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Container name.
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: architecture
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Operating system architecture.
+ example: x86_64
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the domain of which the host is a member.
+
+ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
+ example: CONTOSO
+ default_field: false
+ - name: hostname
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Hostname of the host.
+
+ It normally contains what the `hostname` command returns on the host machine.'
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique host id.
+
+ As hostname is not always unique, use values that are meaningful in your environment.
+
+ Example: The current usage of `beat.name`.'
+ - name: ip
+ level: core
+ type: ip
+ description: Host ip addresses.
+ - name: mac
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Host mac addresses.
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the host.
+
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
+ - name: os.family
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: OS family (such as redhat, debian, freebsd, windows).
+ example: debian
+ - name: os.kernel
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system kernel version as a raw string.
+ example: 4.4.0-112-generic
+ - name: os.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Operating system name, without the version.
+ example: Mac OS X
+ - name: os.platform
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system platform (such centos, ubuntu, windows).
+ example: darwin
+ - name: os.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system version as a raw string.
+ example: 10.14.1
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Type of host.
+
+ For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
+ - name: containerized
+ type: boolean
+ description: >
+ If the host is a container.
+
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >
+ OS build information.
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
+
diff --git a/test/packages/parallel/system/data_stream/auth/fields/base-fields.yml b/test/packages/parallel/system/data_stream/auth/fields/base-fields.yml
new file mode 100644
index 000000000..516c401c7
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/auth/fields/base-fields.yml
@@ -0,0 +1,21 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+ value: logs
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset.
+ value: system.auth
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: system
diff --git a/test/packages/parallel/system/data_stream/auth/fields/ecs.yml b/test/packages/parallel/system/data_stream/auth/fields/ecs.yml
new file mode 100644
index 000000000..9b336a4e3
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/auth/fields/ecs.yml
@@ -0,0 +1,106 @@
+- external: ecs
+ name: '@timestamp'
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: error.message
+- external: ecs
+ name: event.action
+- external: ecs
+ name: event.category
+- external: ecs
+ name: event.code
+- external: ecs
+ name: event.created
+- external: ecs
+ name: event.ingested
+- external: ecs
+ name: event.kind
+- external: ecs
+ name: event.module
+- external: ecs
+ name: event.original
+- external: ecs
+ name: event.outcome
+- external: ecs
+ name: event.provider
+- external: ecs
+ name: event.sequence
+- external: ecs
+ name: event.type
+- external: ecs
+ name: group.id
+- external: ecs
+ name: group.name
+- external: ecs
+ name: host.architecture
+- external: ecs
+ name: host.domain
+- external: ecs
+ name: host.hostname
+- external: ecs
+ name: host.hostname
+- external: ecs
+ name: host.id
+- external: ecs
+ name: host.ip
+- external: ecs
+ name: host.mac
+- external: ecs
+ name: host.name
+- external: ecs
+ name: host.os.family
+- external: ecs
+ name: host.os.full
+- external: ecs
+ name: host.os.kernel
+- external: ecs
+ name: host.os.name
+- external: ecs
+ name: host.os.platform
+- external: ecs
+ name: message
+- external: ecs
+ name: process.name
+- external: ecs
+ name: process.pid
+- external: ecs
+ name: related.hosts
+- external: ecs
+ name: related.ip
+- external: ecs
+ name: related.user
+- external: ecs
+ name: source.address
+- external: ecs
+ name: source.as.number
+- external: ecs
+ name: source.as.organization.name
+- external: ecs
+ name: source.domain
+- external: ecs
+ name: source.geo.city_name
+- external: ecs
+ name: source.geo.continent_name
+- external: ecs
+ name: source.geo.country_iso_code
+- external: ecs
+ name: source.geo.country_name
+- description: Longitude and latitude.
+ level: core
+ name: source.geo.location
+ type: geo_point
+- external: ecs
+ name: source.geo.region_iso_code
+- external: ecs
+ name: source.geo.region_name
+- external: ecs
+ name: source.ip
+- external: ecs
+ name: source.port
+- external: ecs
+ name: user.effective.name
+- external: ecs
+ name: user.id
+- external: ecs
+ name: user.name
diff --git a/test/packages/parallel/system/data_stream/auth/fields/fields.yml b/test/packages/parallel/system/data_stream/auth/fields/fields.yml
new file mode 100644
index 000000000..827255de6
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/auth/fields/fields.yml
@@ -0,0 +1,62 @@
+- name: system.auth
+ type: group
+ fields:
+ - name: ssh
+ type: group
+ fields:
+ - name: method
+ type: keyword
+ description: |
+ The SSH authentication method. Can be one of "password" or "publickey".
+ - name: signature
+ type: keyword
+ description: |
+ The signature of the client public key.
+ - name: dropped_ip
+ type: ip
+ description: |
+ The client IP from SSH connections that are open and immediately dropped.
+ - name: event
+ type: keyword
+ description: |
+ The SSH event as found in the logs (Accepted, Invalid, Failed, etc.)
+ - name: geoip
+ type: group
+ - name: sudo
+ type: group
+ fields:
+ - name: error
+ type: keyword
+ description: |
+ The error message in case the sudo command failed.
+ - name: tty
+ type: keyword
+ description: |
+ The TTY where the sudo command is executed.
+ - name: pwd
+ type: keyword
+ description: |
+ The current directory where the sudo command is executed.
+ - name: user
+ type: keyword
+ description: |
+ The target user to which the sudo command is switching.
+ - name: command
+ type: keyword
+ description: |
+ The command executed via sudo.
+ - name: useradd
+ type: group
+ fields:
+ - name: home
+ type: keyword
+ description: The home folder for the new user.
+ - name: shell
+ type: keyword
+ description: The default shell for the new user.
+ - name: groupadd
+ type: group
+- description: "Operating system version as a raw string."
+ ignore_above: 1024
+ name: version
+ type: keyword
diff --git a/test/packages/parallel/system/data_stream/auth/manifest.yml b/test/packages/parallel/system/data_stream/auth/manifest.yml
new file mode 100644
index 000000000..aef300842
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/auth/manifest.yml
@@ -0,0 +1,50 @@
+title: System auth logs
+type: logs
+streams:
+ - input: logfile
+ vars:
+ - name: ignore_older
+ type: text
+ title: Ignore events older than
+ default: 72h
+ required: false
+ show_user: false
+ description: >-
+ If this option is specified, events that are older than the specified amount of time are ignored. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/auth.log*
+ - /var/log/secure*
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: false
+ show_user: false
+ default:
+ - system-auth
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ template_path: log.yml.hbs
+ title: System auth logs (log)
+ description: Collect System auth logs using log input
diff --git a/test/packages/parallel/system/data_stream/process/_dev/test/system/test-default-config.yml b/test/packages/parallel/system/data_stream/process/_dev/test/system/test-default-config.yml
new file mode 100644
index 000000000..0bb8ceb94
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/process/_dev/test/system/test-default-config.yml
@@ -0,0 +1,3 @@
+vars: ~
+data_stream:
+ vars: ~
diff --git a/test/packages/parallel/system/data_stream/process/agent/stream/stream.yml.hbs b/test/packages/parallel/system/data_stream/process/agent/stream/stream.yml.hbs
new file mode 100644
index 000000000..5526c1fd7
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/process/agent/stream/stream.yml.hbs
@@ -0,0 +1,30 @@
+metricsets: ["process"]
+period: {{period}}
+process.include_top_n.by_cpu: {{process.include_top_n.by_cpu}}
+process.include_top_n.by_memory: {{process.include_top_n.by_memory}}
+process.cmdline.cache.enabled: {{process.cmdline.cache.enabled}}
+process.cgroups.enabled: {{process.cgroups.enabled}}
+process.include_cpu_ticks: {{process.include_cpu_ticks}}
+{{#if process.env.whitelist}}
+process.env.whitelist:
+{{#each process.env.whitelist}}
+- {{this}}
+{{/each}}
+{{/if}}
+processes:
+{{#each processes}}
+- {{this}}
+{{/each}}
+{{#if system.hostfs}}
+system.hostfs: {{system.hostfs}}
+{{/if}}
+{{#if processors.length}}
+processors:
+{{processors}}
+{{/if}}
+{{#if tags.length}}
+tags:
+{{#each tags as |tag i|}}
+- {{tag}}
+{{/each}}
+{{/if}}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/process/elasticsearch/ingest_pipeline/default.yml b/test/packages/parallel/system/data_stream/process/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 000000000..501414e2e
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/process/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,8 @@
+---
+description: Pipeline for system.process events.
+processors:
+ - rename:
+ description: Rename process.ppid from Agent 7.x to process.parent.pid.
+ field: process.ppid
+ target_field: process.parent.pid
+ ignore_failure: true
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/process/fields/agent.yml b/test/packages/parallel/system/data_stream/process/fields/agent.yml
new file mode 100644
index 000000000..fd07b33f0
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/process/fields/agent.yml
@@ -0,0 +1,161 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+ type: group
+ fields:
+ - name: account.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
+
+ Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+ example: 666777888999
+ dimension: true
+ - name: availability_zone
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Availability zone in which this host is running.
+ example: us-east-1c
+ dimension: true
+ - name: instance.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance ID of the host machine.
+ example: i-1234567890abcdef0
+ dimension: true
+ - name: instance.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance name of the host machine.
+ - name: machine.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Machine type of the host machine.
+ example: t2.medium
+ - name: provider
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+ example: aws
+ dimension: true
+ - name: region
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Region in which this host is running.
+ example: us-east-1
+ dimension: true
+ - name: project.id
+ type: keyword
+ description: Name of the project in Google Cloud.
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
+- name: container
+ title: Container
+ group: 2
+ description: 'Container fields are used for meta information about the specific container that is the source of information.
+
+ These fields help correlate data based containers from any runtime.'
+ type: group
+ fields:
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique container id.
+ dimension: true
+ - name: image.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the image the container was built on.
+ - name: labels
+ level: extended
+ type: object
+ object_type: keyword
+ description: Image labels.
+ - name: name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Container name.
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the domain of which the host is a member.
+
+ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
+ example: CONTOSO
+ default_field: false
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique host id.
+
+ As hostname is not always unique, use values that are meaningful in your environment.
+
+ Example: The current usage of `beat.name`.'
+ - name: containerized
+ type: boolean
+ description: >
+ If the host is a container.
+
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >
+ OS build information.
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
+
+- name: process
+ title: Process
+ group: 2
+ description: Process metrics.
+ type: group
+ fields:
+ - name: state
+ type: keyword
+ description: >
+ The process state. For example: "running".
+
+ - name: cpu.pct
+ type: scaled_float
+ format: percent
+ description: >
+ The percentage of CPU time spent by the process since the last event. This value is normalized by the number of CPU cores and it ranges from 0 to 1.
+
+ - name: cpu.start_time
+ type: date
+ description: >
+ The time when the process was started.
+
+ - name: memory.pct
+ type: scaled_float
+ format: percent
+ description: >
+ The percentage of memory the process occupied in main memory (RAM).
+
diff --git a/test/packages/parallel/system/data_stream/process/fields/base-fields.yml b/test/packages/parallel/system/data_stream/process/fields/base-fields.yml
new file mode 100644
index 000000000..1f99673b3
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/process/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: system
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset.
+ value: system.process
diff --git a/test/packages/parallel/system/data_stream/process/fields/ecs.yml b/test/packages/parallel/system/data_stream/process/fields/ecs.yml
new file mode 100644
index 000000000..20d1d8bde
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/process/fields/ecs.yml
@@ -0,0 +1,57 @@
+- external: ecs
+ name: process
+- external: ecs
+ name: process.name
+- external: ecs
+ name: process.pgid
+- external: ecs
+ name: process.pid
+ dimension: true
+- external: ecs
+ name: process.parent.pid
+- external: ecs
+ name: process.working_directory
+- external: ecs
+ name: user
+- external: ecs
+ name: user.name
+- external: ecs
+ name: host
+- external: ecs
+ name: host.architecture
+- external: ecs
+ name: host.ip
+- external: ecs
+ name: host.mac
+- external: ecs
+ name: host.name
+ dimension: true
+- external: ecs
+ name: host.hostname
+- external: ecs
+ name: host.os.family
+- external: ecs
+ name: host.os.full
+- external: ecs
+ name: host.os.kernel
+- external: ecs
+ name: host.os.name
+- external: ecs
+ name: host.os.platform
+- external: ecs
+ name: host.os.version
+- external: ecs
+ name: host.type
+- name: ecs.version
+ external: ecs
+- name: process.args
+ external: ecs
+- name: process.command_line
+ external: ecs
+- name: process.executable
+ external: ecs
+- name: service.type
+ external: ecs
+- external: ecs
+ name: agent.id
+ dimension: true
diff --git a/test/packages/parallel/system/data_stream/process/fields/fields.yml b/test/packages/parallel/system/data_stream/process/fields/fields.yml
new file mode 100644
index 000000000..f211c8ff9
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/process/fields/fields.yml
@@ -0,0 +1,658 @@
+- name: system.process
+ type: group
+ fields:
+ - name: state
+ type: keyword
+ description: |
+ The process state. For example: "running".
+ - name: cmdline
+ type: keyword
+ description: |
+ The full command-line used to start the process, including the arguments separated by space.
+ ignore_above: 2048
+ - name: env
+ type: object
+ description: |
+ The environment variables used to start the process. The data is available on FreeBSD, Linux, and OS X.
+ - name: cpu
+ type: group
+ fields:
+ - name: user.ticks
+ type: long
+ metric_type: counter
+ description: |
+ The amount of CPU time the process spent in user space.
+ - name: total.value
+ type: long
+ metric_type: counter
+ description: |
+ The value of CPU usage since starting the process.
+ - name: total.pct
+ type: scaled_float
+ format: percent
+ unit: percent
+ metric_type: gauge
+ description: |
+ The percentage of CPU time spent by the process since the last update. Its value is similar to the %CPU value of the process displayed by the top command on Unix systems.
+ - name: total.norm.pct
+ type: scaled_float
+ format: percent
+ unit: percent
+ metric_type: gauge
+ description: |
+ The percentage of CPU time spent by the process since the last event. This value is normalized by the number of CPU cores and it ranges from 0 to 100%.
+ - name: system.ticks
+ type: long
+ metric_type: counter
+ description: |
+ The amount of CPU time the process spent in kernel space.
+ - name: total.ticks
+ type: long
+ metric_type: counter
+ description: |
+ The total CPU time spent by the process.
+ - name: start_time
+ type: date
+ description: |
+ The time when the process was started.
+ - name: memory
+ type: group
+ fields:
+ - name: size
+ type: long
+ format: bytes
+ unit: byte
+ metric_type: gauge
+ description: |
+ The total virtual memory the process has. On Windows this represents the Commit Charge (the total amount of memory that the memory manager has committed for a running process) value in bytes for this process.
+ - name: rss.bytes
+ type: long
+ format: bytes
+ unit: byte
+ metric_type: gauge
+ description: |
+ The Resident Set Size. The amount of memory the process occupied in main memory (RAM). On Windows this represents the current working set size, in bytes.
+ - name: rss.pct
+ type: scaled_float
+ format: percent
+ unit: percent
+ metric_type: gauge
+ description: |
+ The percentage of memory the process occupied in main memory (RAM).
+ - name: share
+ type: long
+ format: bytes
+ unit: byte
+ metric_type: gauge
+ description: |
+ The shared memory the process uses.
+ - name: fd
+ type: group
+ fields:
+ - name: open
+ type: long
+ metric_type: gauge
+ description: The number of file descriptors open by the process.
+ - name: limit.soft
+ type: long
+ metric_type: gauge
+ description: |
+ The soft limit on the number of file descriptors opened by the process. The soft limit can be changed by the process at any time.
+ - name: limit.hard
+ type: long
+ metric_type: gauge
+ description: |
+ The hard limit on the number of file descriptors opened by the process. The hard limit can only be raised by root.
+ - name: cgroup
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ description: >
+ The ID common to all cgroups associated with this task. If there isn't a common ID used by all cgroups this field will be absent.
+
+ - name: path
+ type: keyword
+ description: >
+ The path to the cgroup relative to the cgroup subsystem's mountpoint. If there isn't a common path used by all cgroups this field will be absent.
+
+ - name: cgroups_version
+ type: long
+ description: The version of cgroups reported for the process
+ - name: cpu
+ type: group
+ description: >
+ The cpu subsystem schedules CPU access for tasks in the cgroup. Access can be controlled by two separate schedulers, CFS and RT. CFS stands for completely fair scheduler which proportionally divides the CPU time between cgroups based on weight. RT stands for real time scheduler which sets a maximum amount of CPU time that processes in the cgroup can consume during a given period. In CPU under cgroups V2, the cgroup is merged with many of the metrics from cpuacct. In addition, per-scheduler metrics are gone in V2.
+
+ fields:
+ - name: id
+ type: keyword
+ description: ID of the cgroup.
+ - name: path
+ type: keyword
+ description: >
+ Path to the cgroup relative to the cgroup subsystem's mountpoint.
+
+ - name: stats
+ type: group
+ description: cgroupv2 stats
+ fields:
+ - name: usage.ns
+ type: long
+ description: cgroups v2 usage in nanoseconds
+ - name: usage.pct
+ type: float
+ description: cgroups v2 usage
+ - name: usage.norm.pct
+ type: float
+ description: cgroups v2 normalized usage
+ - name: user.ns
+ type: long
+ description: cgroups v2 cpu user time in nanoseconds
+ - name: user.pct
+ type: float
+ description: cgroups v2 cpu user time
+ - name: user.norm.pct
+ type: float
+ description: cgroups v2 normalized cpu user time
+ - name: system.ns
+ type: long
+ description: cgroups v2 system time in nanoseconds
+ - name: system.pct
+ type: float
+ description: cgroups v2 system time
+ - name: system.norm.pct
+ type: float
+ description: cgroups v2 normalized system time
+ - name: cfs.period.us
+ type: long
+ description: >
+ Period of time in microseconds for how regularly a cgroup's access to CPU resources should be reallocated.
+
+ - name: cfs.quota.us
+ type: long
+ description: >
+ Total amount of time in microseconds for which all tasks in a cgroup can run during one period (as defined by cfs.period.us).
+
+ - name: cfs.shares
+ type: long
+ description: >
+ An integer value that specifies a relative share of CPU time available to the tasks in a cgroup. The value specified in the cpu.shares file must be 2 or higher.
+
+ - name: rt.period.us
+ type: long
+ description: >
+ Period of time in microseconds for how regularly a cgroup's access to CPU resources is reallocated.
+
+ - name: rt.runtime.us
+ type: long
+ description: >
+ Period of time in microseconds for the longest continuous period in which the tasks in a cgroup have access to CPU resources.
+
+ - name: stats.periods
+ type: long
+ description: >
+ Number of period intervals (as specified in cpu.cfs.period.us) that have elapsed.
+
+ - name: stats.throttled.periods
+ type: long
+ description: >
+ Number of times tasks in a cgroup have been throttled (that is, not allowed to run because they have exhausted all of the available time as specified by their quota).
+
+ - name: stats.throttled.us
+ type: long
+ description: >
+ The total time duration (in microseconds) for which tasks in a cgroup have been throttled, as reported by cgroupsv2
+
+ - name: stats.throttled.ns
+ type: long
+ description: >
+ The total time duration (in nanoseconds) for which tasks in a cgroup have been throttled.
+
+ - name: pressure
+ type: group
+ description: Pressure (resource contention) stats.
+ fields:
+ - name: some
+ type: group
+ description: Share of time in which at least some tasks are stalled on a given resource
+ fields:
+ - name: 10.pct
+ type: float
+ format: percent
+ description: Pressure over 10 seconds
+ - name: 60.pct
+ type: float
+ format: percent
+ description: Pressure over 60 seconds
+ - name: 300.pct
+ type: float
+ format: percent
+ description: Pressure over 300 seconds
+ - name: total
+ type: long
+ format: percent
+ description: total Some pressure time
+ - name: full
+ type: group
+ description: Share of time in which all non-idle tasks are stalled on a given resource simultaneously
+ fields:
+ - name: 10.pct
+ type: float
+ format: percent
+ description: Pressure over 10 seconds
+ - name: 60.pct
+ type: float
+ format: percent
+ description: Pressure over 60 seconds
+ - name: 300.pct
+ type: float
+ format: percent
+ description: Pressure over 300 seconds
+ - name: total
+ type: long
+ description: total Full pressure time
+ - name: cpuacct
+ type: group
+ description: CPU accounting metrics.
+ fields:
+ - name: id
+ type: keyword
+ description: ID of the cgroup.
+ - name: path
+ type: keyword
+ description: >
+ Path to the cgroup relative to the cgroup subsystem's mountpoint.
+
+ - name: total.ns
+ type: long
+ description: >
+ Total CPU time in nanoseconds consumed by all tasks in the cgroup.
+
+ - name: total.pct
+ type: scaled_float
+ description: >
+ CPU time of the cgroup as a percentage of overall CPU time.
+
+ - name: total.norm.pct
+ type: scaled_float
+ description: >
+ CPU time of the cgroup as a percentage of overall CPU time, normalized by CPU count. This is functionally an average of time spent across individual CPUs.
+
+ - name: stats.user.ns
+ type: long
+ description: CPU time consumed by tasks in user mode.
+ - name: stats.user.pct
+ type: scaled_float
+ description: time the cgroup spent in user space, as a percentage of total CPU time
+ - name: stats.user.norm.pct
+ type: scaled_float
+ description: time the cgroup spent in user space, as a percentage of total CPU time, normalized by CPU count.
+ - name: stats.system.ns
+ type: long
+ description: CPU time consumed by tasks in user (kernel) mode.
+ - name: stats.system.pct
+ type: scaled_float
+ description: Time the cgroup spent in kernel space, as a percentage of total CPU time
+ - name: stats.system.norm.pct
+ type: scaled_float
+ description: Time the cgroup spent in kernel space, as a percentage of total CPU time, normalized by CPU count.
+ - name: percpu
+ type: object
+ object_type: long
+ description: >
+ CPU time (in nanoseconds) consumed on each CPU by all tasks in this cgroup.
+
+ - name: memory
+ type: group
+ description: Memory limits and metrics.
+ fields:
+ - name: id
+ type: keyword
+ description: ID of the cgroup.
+ - name: path
+ type: keyword
+ description: >
+ Path to the cgroup relative to the cgroup subsystem's mountpoint.
+
+ - name: mem.usage.bytes
+ type: long
+ format: bytes
+ description: >
+ Total memory usage by processes in the cgroup (in bytes).
+
+ - name: mem.usage.max.bytes
+ type: long
+ format: bytes
+ description: >
+ The maximum memory used by processes in the cgroup (in bytes).
+
+ - name: mem.limit.bytes
+ type: long
+ format: bytes
+ description: >
+ The maximum amount of user memory in bytes (including file cache) that tasks in the cgroup are allowed to use.
+
+ - name: mem.failures
+ type: long
+ description: >
+ The number of times that the memory limit (mem.limit.bytes) was reached.
+
+ - name: mem.low.bytes
+ type: long
+ format: bytes
+ description: memory low threshhold
+ - name: mem.high.bytes
+ type: long
+ format: bytes
+ description: memory high threshhold
+ - name: mem.max.bytes
+ type: long
+ format: bytes
+ description: memory max threshhold
+ - name: mem.events
+ type: group
+ description: number of times the controller tripped a given usage level
+ fields:
+ - name: low
+ type: long
+ description: low threshold
+ - name: high
+ type: long
+ description: high threshold
+ - name: max
+ type: long
+ description: max threshold
+ - name: oom
+ type: long
+ description: oom threshold
+ - name: oom_kill
+ type: long
+ description: oom killer threshold
+ - name: fail
+ type: long
+ description: failed threshold
+ - name: memsw.usage.bytes
+ type: long
+ format: bytes
+ description: >
+ The sum of current memory usage plus swap space used by processes in the cgroup (in bytes).
+
+ - name: memsw.usage.max.bytes
+ type: long
+ format: bytes
+ description: >
+ The maximum amount of memory and swap space used by processes in the cgroup (in bytes).
+
+ - name: memsw.limit.bytes
+ type: long
+ format: bytes
+ description: >
+ The maximum amount for the sum of memory and swap usage that tasks in the cgroup are allowed to use.
+
+ - name: memsw.low.bytes
+ type: long
+ format: bytes
+ description: memory low threshhold
+ - name: memsw.high.bytes
+ type: long
+ format: bytes
+ description: memory high threshhold
+ - name: memsw.max.bytes
+ type: long
+ format: bytes
+ description: memory max threshhold
+ - name: memsw.failures
+ type: long
+ description: >
+ The number of times that the memory plus swap space limit (memsw.limit.bytes) was reached.
+
+ - name: memsw.events
+ type: group
+ description: number of times the controller tripped a given usage level
+ fields:
+ - name: low
+ type: long
+ description: low threshold
+ - name: high
+ type: long
+ description: high threshold
+ - name: max
+ type: long
+ description: max threshold
+ - name: oom
+ type: long
+ description: oom threshold
+ - name: oom_kill
+ type: long
+ description: oom killer threshold
+ - name: fail
+ type: long
+ description: failed threshold
+ - name: kmem.usage.bytes
+ type: long
+ format: bytes
+ description: >
+ Total kernel memory usage by processes in the cgroup (in bytes).
+
+ - name: kmem.usage.max.bytes
+ type: long
+ format: bytes
+ description: >
+ The maximum kernel memory used by processes in the cgroup (in bytes).
+
+ - name: kmem.limit.bytes
+ type: long
+ format: bytes
+ description: >
+ The maximum amount of kernel memory that tasks in the cgroup are allowed to use.
+
+ - name: kmem.failures
+ type: long
+ description: >
+ The number of times that the memory limit (kmem.limit.bytes) was reached.
+
+ - name: kmem_tcp.usage.bytes
+ type: long
+ format: bytes
+ description: >
+ Total memory usage for TCP buffers in bytes.
+
+ - name: kmem_tcp.usage.max.bytes
+ type: long
+ format: bytes
+ description: >
+ The maximum memory used for TCP buffers by processes in the cgroup (in bytes).
+
+ - name: kmem_tcp.limit.bytes
+ type: long
+ format: bytes
+ description: >
+ The maximum amount of memory for TCP buffers that tasks in the cgroup are allowed to use.
+
+ - name: kmem_tcp.failures
+ type: long
+ description: >
+ The number of times that the memory limit (kmem_tcp.limit.bytes) was reached.
+
+ - name: stats.*
+ type: object
+ description: detailed memory IO stats
+ - name: stats.*.bytes
+ type: object
+ description: detailed memory IO stats
+ - name: stats.active_anon.bytes
+ type: long
+ format: bytes
+ description: >
+ Anonymous and swap cache on active least-recently-used (LRU) list, including tmpfs (shmem), in bytes.
+
+ - name: stats.active_file.bytes
+ type: long
+ format: bytes
+ description: File-backed memory on active LRU list, in bytes.
+ - name: stats.cache.bytes
+ type: long
+ format: bytes
+ description: Page cache, including tmpfs (shmem), in bytes.
+ - name: stats.hierarchical_memory_limit.bytes
+ type: long
+ format: bytes
+ description: >
+ Memory limit for the hierarchy that contains the memory cgroup, in bytes.
+
+ - name: stats.hierarchical_memsw_limit.bytes
+ type: long
+ format: bytes
+ description: >
+ Memory plus swap limit for the hierarchy that contains the memory cgroup, in bytes.
+
+ - name: stats.inactive_anon.bytes
+ type: long
+ format: bytes
+ description: >
+ Anonymous and swap cache on inactive LRU list, including tmpfs (shmem), in bytes
+
+ - name: stats.inactive_file.bytes
+ type: long
+ format: bytes
+ description: >
+ File-backed memory on inactive LRU list, in bytes.
+
+ - name: stats.mapped_file.bytes
+ type: long
+ format: bytes
+ description: >
+ Size of memory-mapped mapped files, including tmpfs (shmem), in bytes.
+
+ - name: stats.page_faults
+ type: long
+ description: >
+ Number of times that a process in the cgroup triggered a page fault.
+
+ - name: stats.major_page_faults
+ type: long
+ description: >
+ Number of times that a process in the cgroup triggered a major fault. "Major" faults happen when the kernel actually has to read the data from disk.
+
+ - name: stats.pages_in
+ type: long
+ description: >
+ Number of pages paged into memory. This is a counter.
+
+ - name: stats.pages_out
+ type: long
+ description: >
+ Number of pages paged out of memory. This is a counter.
+
+ - name: stats.rss.bytes
+ type: long
+ format: bytes
+ description: >
+ Anonymous and swap cache (includes transparent hugepages), not including tmpfs (shmem), in bytes.
+
+ - name: stats.rss_huge.bytes
+ type: long
+ format: bytes
+ description: >
+ Number of bytes of anonymous transparent hugepages.
+
+ - name: stats.swap.bytes
+ type: long
+ format: bytes
+ description: >
+ Swap usage, in bytes.
+
+ - name: stats.unevictable.bytes
+ type: long
+ format: bytes
+ description: >
+ Memory that cannot be reclaimed, in bytes.
+
+ - name: blkio
+ type: group
+ description: Block IO metrics.
+ fields:
+ - name: id
+ type: keyword
+ description: ID of the cgroup.
+ - name: path
+ type: keyword
+ description: >
+ Path to the cgroup relative to the cgroup subsystems mountpoint.
+
+ - name: total.bytes
+ type: long
+ format: bytes
+ description: >
+ Total number of bytes transferred to and from all block devices by processes in the cgroup.
+
+ - name: total.ios
+ type: long
+ description: >
+ Total number of I/O operations performed on all devices by processes in the cgroup as seen by the throttling policy.
+
+ - name: io
+ type: group
+ description: cgroup V2 IO Metrics, replacing blkio.
+ fields:
+ - name: id
+ type: keyword
+ description: ID of the cgroup.
+ - name: path
+ type: keyword
+ description: >
+ Path to the cgroup relative to the cgroup subsystems mountpoint.
+
+ - name: stats.*
+ type: object
+ description: per-device IO usage stats
+ - name: stats.*.*
+ type: object
+ - name: stats.*.*.bytes
+ type: object
+ description: per-device IO usage stats
+ - name: stats.*.*.ios
+ type: object
+ description: per-device IO usage stats
+ - name: pressure
+ type: group
+ description: Pressure (resource contention) stats.
+ fields:
+ - name: full
+ type: group
+ description: Share of time in which at least some tasks are stalled on a given resource
+ fields:
+ - name: 10.pct
+ type: float
+ format: percent
+ description: Pressure over 10 seconds
+ - name: 60.pct
+ type: float
+ format: percent
+ description: Pressure over 60 seconds
+ - name: 300.pct
+ type: float
+ format: percent
+ description: Pressure over 300 seconds
+ - name: total
+ type: long
+ description: total Some pressure time
+ - name: some
+ type: group
+ description: Share of time in which all tasks are stalled on a given resource
+ fields:
+ - name: 10.pct
+ type: float
+ format: percent
+ description: Pressure over 10 seconds
+ - name: 60.pct
+ type: float
+ format: percent
+ description: Pressure over 60 seconds
+ - name: 300.pct
+ type: float
+ description: Pressure over 300 seconds
+ - name: total
+ type: long
+ description: total Some pressure time
diff --git a/test/packages/parallel/system/data_stream/process/manifest.yml b/test/packages/parallel/system/data_stream/process/manifest.yml
new file mode 100644
index 000000000..1e2f70b60
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/process/manifest.yml
@@ -0,0 +1,97 @@
+title: System process metrics
+type: metrics
+streams:
+ - input: system/metrics
+ vars:
+ - name: period
+ type: text
+ title: Period
+ multi: false
+ required: true
+ show_user: true
+ default: 10s
+ - name: process.include_top_n.by_cpu
+ type: integer
+ title: Process Include Top N By Cpu
+ multi: false
+ required: true
+ show_user: true
+ default: 5
+ description: >
+ Include the top N processes by CPU usage.
+
+ - name: process.include_top_n.by_memory
+ type: integer
+ title: Process Include Top N By Memory
+ multi: false
+ required: true
+ show_user: true
+ default: 5
+ description: >
+ Include the top N processes by memory usage.
+
+ - name: process.cmdline.cache.enabled
+ type: bool
+ title: Enable cmdline cache
+ multi: false
+ required: false
+ show_user: true
+ default: true
+ description: >
+ If false, cmdline of a process is not cached.
+
+ - name: process.cgroups.enabled
+ type: bool
+ title: Enable cgroup reporting
+ multi: false
+ required: false
+ show_user: true
+ default: false
+ description: >
+ Enable collection of cgroup metrics from processes on Linux.
+
+ - name: process.env.whitelist
+ type: text
+ title: Env whitelist
+ multi: true
+ required: false
+ show_user: true
+ description: >
+ A list of regular expressions used to whitelist environment variables reported with the process metricset's events. Defaults to empty.
+
+ - name: process.include_cpu_ticks
+ type: bool
+ title: Include CPU Ticks
+ multi: false
+ required: false
+ show_user: true
+ default: false
+ description: >
+ Include the cumulative CPU tick values with the process metrics.
+
+ - name: processes
+ type: text
+ title: Processes
+ multi: true
+ required: true
+ show_user: true
+ description: >
+ A glob to match reported processes. By default all processes are reported.
+
+ default:
+ - .*
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ show_user: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+ title: System process metrics
+ description: Collect System process metrics
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-common-config.yml b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-common-config.yml
new file mode 100644
index 000000000..c39dc3861
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-common-config.yml
@@ -0,0 +1,2 @@
+dynamic_fields:
+ event.ingested: ".*"
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4722-account-enabled.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4722-account-enabled.json
new file mode 100644
index 000000000..bb7f664ec
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4722-account-enabled.json
@@ -0,0 +1,122 @@
+{
+ "events": [
+ {
+ "@timestamp": "2021-04-15T19:03:27.709Z",
+ "log": {
+ "level": "information",
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4722_Account_Enabled.xml"
+ }
+ },
+ "host": {
+ "name": "WIN-41OB2LO92CR"
+ },
+ "agent": {
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0",
+ "ephemeral_id": "bf2b0592-35a2-427c-bece-18d57f7881b9"
+ },
+ "ecs": {
+ "version": "1.8.0"
+ },
+ "winlog": {
+ "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}",
+ "channel": "Security",
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "computer_name": "WIN-41OB2LO92CR",
+ "time_created": "2019-09-06T13:28:46.163Z",
+ "outcome": "success",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": 2815,
+ "process": {
+ "thread": {
+ "id": 820
+ },
+ "pid": 780
+ },
+ "event_id": 4722,
+ "opcode": "Info",
+ "event_data": {
+ "SubjectDomainName": "WIN-41OB2LO92CR",
+ "SubjectLogonId": "0x264b2",
+ "TargetUserName": "audittest",
+ "TargetDomainName": "WIN-41OB2LO92CR",
+ "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1000",
+ "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "SubjectUserName": "Administrator"
+ },
+ "keywords": [
+ "Audit Success"
+ ],
+ "level": "information"
+ },
+ "event": {
+ "kind": "event",
+ "code": 4722,
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "outcome": "success"
+ }
+ },
+ {
+ "@timestamp": "2021-04-15T19:03:27.709Z",
+ "event": {
+ "kind": "event",
+ "code": 4722,
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "outcome": "success"
+ },
+ "log": {
+ "level": "information",
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4722_Account_Enabled.xml"
+ }
+ },
+ "ecs": {
+ "version": "1.8.0"
+ },
+ "host": {
+ "name": "WIN-41OB2LO92CR"
+ },
+ "agent": {
+ "type": "filebeat",
+ "version": "8.0.0",
+ "ephemeral_id": "bf2b0592-35a2-427c-bece-18d57f7881b9",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain"
+ },
+ "winlog": {
+ "process": {
+ "pid": 780,
+ "thread": {
+ "id": 532
+ }
+ },
+ "record_id": 2826,
+ "computer_name": "WIN-41OB2LO92CR",
+ "opcode": "Info",
+ "time_created": "2019-09-06T13:29:08.573Z",
+ "event_data": {
+ "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1006",
+ "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "SubjectUserName": "Administrator",
+ "SubjectDomainName": "WIN-41OB2LO92CR",
+ "SubjectLogonId": "0x264b2",
+ "TargetUserName": "audittest0609",
+ "TargetDomainName": "WIN-41OB2LO92CR"
+ },
+ "channel": "Security",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "outcome": "success",
+ "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}",
+ "event_id": 4722,
+ "keywords": [
+ "Audit Success"
+ ],
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "level": "information"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4722-account-enabled.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4722-account-enabled.json-expected.json
new file mode 100644
index 000000000..4119c3b22
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4722-account-enabled.json-expected.json
@@ -0,0 +1,176 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2019-09-06T13:28:46.163Z",
+ "agent": {
+ "ephemeral_id": "bf2b0592-35a2-427c-bece-18d57f7881b9",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "enabled-user-account",
+ "category": [
+ "iam"
+ ],
+ "code": "4722",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "user",
+ "change"
+ ]
+ },
+ "host": {
+ "name": "WIN-41OB2LO92CR"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4722_Account_Enabled.xml"
+ },
+ "level": "information"
+ },
+ "related": {
+ "user": [
+ "Administrator",
+ "audittest"
+ ]
+ },
+ "user": {
+ "domain": "WIN-41OB2LO92CR",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "name": "Administrator",
+ "target": {
+ "domain": "WIN-41OB2LO92CR",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-1000",
+ "name": "audittest"
+ }
+ },
+ "winlog": {
+ "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}",
+ "channel": "Security",
+ "computer_name": "WIN-41OB2LO92CR",
+ "event_data": {
+ "SubjectDomainName": "WIN-41OB2LO92CR",
+ "SubjectLogonId": "0x264b2",
+ "SubjectUserName": "Administrator",
+ "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "TargetDomainName": "WIN-41OB2LO92CR",
+ "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1000",
+ "TargetUserName": "audittest"
+ },
+ "event_id": "4722",
+ "keywords": [
+ "Audit Success"
+ ],
+ "level": "information",
+ "logon": {
+ "id": "0x264b2"
+ },
+ "opcode": "Info",
+ "outcome": "success",
+ "process": {
+ "pid": 780,
+ "thread": {
+ "id": 820
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "2815",
+ "time_created": "2019-09-06T13:28:46.163Z"
+ }
+ },
+ {
+ "@timestamp": "2019-09-06T13:29:08.573Z",
+ "agent": {
+ "ephemeral_id": "bf2b0592-35a2-427c-bece-18d57f7881b9",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "enabled-user-account",
+ "category": [
+ "iam"
+ ],
+ "code": "4722",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "user",
+ "change"
+ ]
+ },
+ "host": {
+ "name": "WIN-41OB2LO92CR"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4722_Account_Enabled.xml"
+ },
+ "level": "information"
+ },
+ "related": {
+ "user": [
+ "Administrator",
+ "audittest0609"
+ ]
+ },
+ "user": {
+ "domain": "WIN-41OB2LO92CR",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "name": "Administrator",
+ "target": {
+ "domain": "WIN-41OB2LO92CR",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-1006",
+ "name": "audittest0609"
+ }
+ },
+ "winlog": {
+ "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}",
+ "channel": "Security",
+ "computer_name": "WIN-41OB2LO92CR",
+ "event_data": {
+ "SubjectDomainName": "WIN-41OB2LO92CR",
+ "SubjectLogonId": "0x264b2",
+ "SubjectUserName": "Administrator",
+ "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "TargetDomainName": "WIN-41OB2LO92CR",
+ "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1006",
+ "TargetUserName": "audittest0609"
+ },
+ "event_id": "4722",
+ "keywords": [
+ "Audit Success"
+ ],
+ "level": "information",
+ "logon": {
+ "id": "0x264b2"
+ },
+ "opcode": "Info",
+ "outcome": "success",
+ "process": {
+ "pid": 780,
+ "thread": {
+ "id": 532
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "2826",
+ "time_created": "2019-09-06T13:29:08.573Z"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4723-password-change.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4723-password-change.json
new file mode 100644
index 000000000..3fb6a55d8
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4723-password-change.json
@@ -0,0 +1,124 @@
+{
+ "events": [
+ {
+ "@timestamp": "2021-04-15T19:06:23.720Z",
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4723_Password_Change.xml"
+ },
+ "level": "information"
+ },
+ "ecs": {
+ "version": "1.8.0"
+ },
+ "host": {
+ "name": "WIN-41OB2LO92CR"
+ },
+ "agent": {
+ "type": "filebeat",
+ "version": "8.0.0",
+ "ephemeral_id": "183bfef0-27fc-4fc0-b569-2d42d6e33862",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain"
+ },
+ "winlog": {
+ "channel": "Security",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}",
+ "computer_name": "WIN-41OB2LO92CR",
+ "keywords": [
+ "Audit Failure"
+ ],
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "outcome": "failure",
+ "event_data": {
+ "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "SubjectUserName": "Administrator",
+ "SubjectDomainName": "WIN-41OB2LO92CR",
+ "SubjectLogonId": "0x264b2",
+ "PrivilegeList": "-",
+ "TargetUserName": "Administrator",
+ "TargetDomainName": "WIN-41OB2LO92CR"
+ },
+ "process": {
+ "pid": 780,
+ "thread": {
+ "id": 820
+ }
+ },
+ "event_id": 4723,
+ "opcode": "Info",
+ "level": "information",
+ "record_id": 2838,
+ "time_created": "2019-09-06T13:32:13.855Z"
+ },
+ "event": {
+ "code": 4723,
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "outcome": "failure",
+ "kind": "event"
+ }
+ },
+ {
+ "@timestamp": "2021-04-15T19:06:23.721Z",
+ "ecs": {
+ "version": "1.8.0"
+ },
+ "host": {
+ "name": "WIN-41OB2LO92CR"
+ },
+ "agent": {
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0",
+ "ephemeral_id": "183bfef0-27fc-4fc0-b569-2d42d6e33862"
+ },
+ "winlog": {
+ "computer_name": "WIN-41OB2LO92CR",
+ "keywords": [
+ "Audit Success"
+ ],
+ "opcode": "Info",
+ "event_data": {
+ "TargetDomainName": "WIN-41OB2LO92CR",
+ "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "SubjectUserName": "Administrator",
+ "SubjectDomainName": "WIN-41OB2LO92CR",
+ "SubjectLogonId": "0x264b2",
+ "PrivilegeList": "-",
+ "TargetUserName": "Administrator"
+ },
+ "record_id": 2839,
+ "time_created": "2019-09-06T13:32:23.885Z",
+ "outcome": "success",
+ "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}",
+ "process": {
+ "pid": 780,
+ "thread": {
+ "id": 532
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "level": "information",
+ "channel": "Security",
+ "event_id": 4723
+ },
+ "event": {
+ "kind": "event",
+ "code": 4723,
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "outcome": "success"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4723_Password_Change.xml"
+ },
+ "level": "information"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4723-password-change.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4723-password-change.json-expected.json
new file mode 100644
index 000000000..44e7b1b5f
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4723-password-change.json-expected.json
@@ -0,0 +1,176 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2019-09-06T13:32:13.855Z",
+ "agent": {
+ "ephemeral_id": "183bfef0-27fc-4fc0-b569-2d42d6e33862",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "changed-password",
+ "category": [
+ "iam"
+ ],
+ "code": "4723",
+ "kind": "event",
+ "outcome": "failure",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "user",
+ "change"
+ ]
+ },
+ "host": {
+ "name": "WIN-41OB2LO92CR"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4723_Password_Change.xml"
+ },
+ "level": "information"
+ },
+ "related": {
+ "user": [
+ "Administrator"
+ ]
+ },
+ "user": {
+ "domain": "WIN-41OB2LO92CR",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "name": "Administrator",
+ "target": {
+ "domain": "WIN-41OB2LO92CR",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "name": "Administrator"
+ }
+ },
+ "winlog": {
+ "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}",
+ "channel": "Security",
+ "computer_name": "WIN-41OB2LO92CR",
+ "event_data": {
+ "PrivilegeList": "-",
+ "SubjectDomainName": "WIN-41OB2LO92CR",
+ "SubjectLogonId": "0x264b2",
+ "SubjectUserName": "Administrator",
+ "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "TargetDomainName": "WIN-41OB2LO92CR",
+ "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "TargetUserName": "Administrator"
+ },
+ "event_id": "4723",
+ "keywords": [
+ "Audit Failure"
+ ],
+ "level": "information",
+ "logon": {
+ "id": "0x264b2"
+ },
+ "opcode": "Info",
+ "outcome": "failure",
+ "process": {
+ "pid": 780,
+ "thread": {
+ "id": 820
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "2838",
+ "time_created": "2019-09-06T13:32:13.855Z"
+ }
+ },
+ {
+ "@timestamp": "2019-09-06T13:32:23.885Z",
+ "agent": {
+ "ephemeral_id": "183bfef0-27fc-4fc0-b569-2d42d6e33862",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "changed-password",
+ "category": [
+ "iam"
+ ],
+ "code": "4723",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "user",
+ "change"
+ ]
+ },
+ "host": {
+ "name": "WIN-41OB2LO92CR"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4723_Password_Change.xml"
+ },
+ "level": "information"
+ },
+ "related": {
+ "user": [
+ "Administrator"
+ ]
+ },
+ "user": {
+ "domain": "WIN-41OB2LO92CR",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "name": "Administrator",
+ "target": {
+ "domain": "WIN-41OB2LO92CR",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "name": "Administrator"
+ }
+ },
+ "winlog": {
+ "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}",
+ "channel": "Security",
+ "computer_name": "WIN-41OB2LO92CR",
+ "event_data": {
+ "PrivilegeList": "-",
+ "SubjectDomainName": "WIN-41OB2LO92CR",
+ "SubjectLogonId": "0x264b2",
+ "SubjectUserName": "Administrator",
+ "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "TargetDomainName": "WIN-41OB2LO92CR",
+ "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "TargetUserName": "Administrator"
+ },
+ "event_id": "4723",
+ "keywords": [
+ "Audit Success"
+ ],
+ "level": "information",
+ "logon": {
+ "id": "0x264b2"
+ },
+ "opcode": "Info",
+ "outcome": "success",
+ "process": {
+ "pid": 780,
+ "thread": {
+ "id": 532
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "2839",
+ "time_created": "2019-09-06T13:32:23.885Z"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4724-password-reset.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4724-password-reset.json
new file mode 100644
index 000000000..40b5ddd05
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4724-password-reset.json
@@ -0,0 +1,122 @@
+{
+ "events": [
+ {
+ "@timestamp": "2021-04-15T19:06:13.672Z",
+ "host": {
+ "name": "WIN-41OB2LO92CR"
+ },
+ "agent": {
+ "version": "8.0.0",
+ "ephemeral_id": "bada69aa-9ce0-403f-9c89-ab8217732fb4",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat"
+ },
+ "ecs": {
+ "version": "1.8.0"
+ },
+ "winlog": {
+ "channel": "Security",
+ "record_id": 2762,
+ "computer_name": "WIN-41OB2LO92CR",
+ "event_id": 4724,
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "keywords": [
+ "Audit Success"
+ ],
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "outcome": "success",
+ "level": "information",
+ "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}",
+ "process": {
+ "pid": 780,
+ "thread": {
+ "id": 816
+ }
+ },
+ "opcode": "Info",
+ "time_created": "2019-09-06T13:24:39.339Z",
+ "event_data": {
+ "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1005",
+ "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "SubjectUserName": "Administrator",
+ "SubjectDomainName": "WIN-41OB2LO92CR",
+ "SubjectLogonId": "0x264b2",
+ "TargetUserName": "elastictest1",
+ "TargetDomainName": "WIN-41OB2LO92CR"
+ }
+ },
+ "event": {
+ "kind": "event",
+ "code": 4724,
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "outcome": "success"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4724_Password_Reset.xml"
+ },
+ "level": "information"
+ }
+ },
+ {
+ "@timestamp": "2021-04-15T19:06:13.672Z",
+ "ecs": {
+ "version": "1.8.0"
+ },
+ "host": {
+ "name": "WIN-41OB2LO92CR"
+ },
+ "agent": {
+ "ephemeral_id": "bada69aa-9ce0-403f-9c89-ab8217732fb4",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "winlog": {
+ "computer_name": "WIN-41OB2LO92CR",
+ "time_created": "2019-09-06T13:25:21.900Z",
+ "outcome": "success",
+ "event_data": {
+ "TargetUserName": "audittest0609",
+ "TargetDomainName": "WIN-41OB2LO92CR",
+ "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1006",
+ "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "SubjectUserName": "Administrator",
+ "SubjectDomainName": "WIN-41OB2LO92CR",
+ "SubjectLogonId": "0x264b2"
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "level": "information",
+ "process": {
+ "pid": 780,
+ "thread": {
+ "id": 820
+ }
+ },
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": 2787,
+ "opcode": "Info",
+ "channel": "Security",
+ "event_id": 4724,
+ "keywords": [
+ "Audit Success"
+ ],
+ "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}"
+ },
+ "event": {
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "outcome": "success",
+ "kind": "event",
+ "code": 4724
+ },
+ "log": {
+ "level": "information",
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4724_Password_Reset.xml"
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4724-password-reset.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4724-password-reset.json-expected.json
new file mode 100644
index 000000000..6c15e791d
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4724-password-reset.json-expected.json
@@ -0,0 +1,176 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2019-09-06T13:24:39.339Z",
+ "agent": {
+ "ephemeral_id": "bada69aa-9ce0-403f-9c89-ab8217732fb4",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "reset-password",
+ "category": [
+ "iam"
+ ],
+ "code": "4724",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "user",
+ "change"
+ ]
+ },
+ "host": {
+ "name": "WIN-41OB2LO92CR"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4724_Password_Reset.xml"
+ },
+ "level": "information"
+ },
+ "related": {
+ "user": [
+ "Administrator",
+ "elastictest1"
+ ]
+ },
+ "user": {
+ "domain": "WIN-41OB2LO92CR",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "name": "Administrator",
+ "target": {
+ "domain": "WIN-41OB2LO92CR",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-1005",
+ "name": "elastictest1"
+ }
+ },
+ "winlog": {
+ "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}",
+ "channel": "Security",
+ "computer_name": "WIN-41OB2LO92CR",
+ "event_data": {
+ "SubjectDomainName": "WIN-41OB2LO92CR",
+ "SubjectLogonId": "0x264b2",
+ "SubjectUserName": "Administrator",
+ "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "TargetDomainName": "WIN-41OB2LO92CR",
+ "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1005",
+ "TargetUserName": "elastictest1"
+ },
+ "event_id": "4724",
+ "keywords": [
+ "Audit Success"
+ ],
+ "level": "information",
+ "logon": {
+ "id": "0x264b2"
+ },
+ "opcode": "Info",
+ "outcome": "success",
+ "process": {
+ "pid": 780,
+ "thread": {
+ "id": 816
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "2762",
+ "time_created": "2019-09-06T13:24:39.339Z"
+ }
+ },
+ {
+ "@timestamp": "2019-09-06T13:25:21.900Z",
+ "agent": {
+ "ephemeral_id": "bada69aa-9ce0-403f-9c89-ab8217732fb4",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "reset-password",
+ "category": [
+ "iam"
+ ],
+ "code": "4724",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "user",
+ "change"
+ ]
+ },
+ "host": {
+ "name": "WIN-41OB2LO92CR"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4724_Password_Reset.xml"
+ },
+ "level": "information"
+ },
+ "related": {
+ "user": [
+ "Administrator",
+ "audittest0609"
+ ]
+ },
+ "user": {
+ "domain": "WIN-41OB2LO92CR",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "name": "Administrator",
+ "target": {
+ "domain": "WIN-41OB2LO92CR",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-1006",
+ "name": "audittest0609"
+ }
+ },
+ "winlog": {
+ "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}",
+ "channel": "Security",
+ "computer_name": "WIN-41OB2LO92CR",
+ "event_data": {
+ "SubjectDomainName": "WIN-41OB2LO92CR",
+ "SubjectLogonId": "0x264b2",
+ "SubjectUserName": "Administrator",
+ "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "TargetDomainName": "WIN-41OB2LO92CR",
+ "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1006",
+ "TargetUserName": "audittest0609"
+ },
+ "event_id": "4724",
+ "keywords": [
+ "Audit Success"
+ ],
+ "level": "information",
+ "logon": {
+ "id": "0x264b2"
+ },
+ "opcode": "Info",
+ "outcome": "success",
+ "process": {
+ "pid": 780,
+ "thread": {
+ "id": 820
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "2787",
+ "time_created": "2019-09-06T13:25:21.900Z"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4725-account-disabled.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4725-account-disabled.json
new file mode 100644
index 000000000..c139186c7
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4725-account-disabled.json
@@ -0,0 +1,122 @@
+{
+ "events": [
+ {
+ "@timestamp": "2021-04-15T19:09:54.157Z",
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4725_Account_Disabled.xml"
+ },
+ "level": "information"
+ },
+ "ecs": {
+ "version": "1.8.0"
+ },
+ "host": {
+ "name": "WIN-41OB2LO92CR"
+ },
+ "agent": {
+ "type": "filebeat",
+ "version": "8.0.0",
+ "ephemeral_id": "1bccb9d3-7ebc-4789-bfc0-9b920f756ba5",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain"
+ },
+ "winlog": {
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "outcome": "success",
+ "channel": "Security",
+ "event_id": 4725,
+ "level": "information",
+ "event_data": {
+ "TargetDomainName": "WIN-41OB2LO92CR",
+ "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1000",
+ "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "SubjectUserName": "Administrator",
+ "SubjectDomainName": "WIN-41OB2LO92CR",
+ "SubjectLogonId": "0x264b2",
+ "TargetUserName": "audittest"
+ },
+ "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}",
+ "process": {
+ "thread": {
+ "id": 532
+ },
+ "pid": 780
+ },
+ "computer_name": "WIN-41OB2LO92CR",
+ "time_created": "2019-09-06T13:28:40.001Z",
+ "record_id": 2810,
+ "opcode": "Info",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "keywords": [
+ "Audit Success"
+ ]
+ },
+ "event": {
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "outcome": "success",
+ "kind": "event",
+ "code": 4725
+ }
+ },
+ {
+ "@timestamp": "2021-04-15T19:09:54.157Z",
+ "ecs": {
+ "version": "1.8.0"
+ },
+ "host": {
+ "name": "WIN-41OB2LO92CR"
+ },
+ "agent": {
+ "version": "8.0.0",
+ "ephemeral_id": "1bccb9d3-7ebc-4789-bfc0-9b920f756ba5",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat"
+ },
+ "winlog": {
+ "channel": "Security",
+ "record_id": 2820,
+ "outcome": "success",
+ "level": "information",
+ "event_data": {
+ "TargetUserName": "audittest0609",
+ "TargetDomainName": "WIN-41OB2LO92CR",
+ "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1006",
+ "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "SubjectUserName": "Administrator",
+ "SubjectDomainName": "WIN-41OB2LO92CR",
+ "SubjectLogonId": "0x264b2"
+ },
+ "process": {
+ "pid": 780,
+ "thread": {
+ "id": 532
+ }
+ },
+ "event_id": 4725,
+ "computer_name": "WIN-41OB2LO92CR",
+ "keywords": [
+ "Audit Success"
+ ],
+ "time_created": "2019-09-06T13:28:55.264Z",
+ "opcode": "Info",
+ "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}"
+ },
+ "event": {
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "outcome": "success",
+ "kind": "event",
+ "code": 4725
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4725_Account_Disabled.xml"
+ },
+ "level": "information"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4725-account-disabled.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4725-account-disabled.json-expected.json
new file mode 100644
index 000000000..093f0e6a9
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4725-account-disabled.json-expected.json
@@ -0,0 +1,176 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2019-09-06T13:28:40.001Z",
+ "agent": {
+ "ephemeral_id": "1bccb9d3-7ebc-4789-bfc0-9b920f756ba5",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "disabled-user-account",
+ "category": [
+ "iam"
+ ],
+ "code": "4725",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "user",
+ "deletion"
+ ]
+ },
+ "host": {
+ "name": "WIN-41OB2LO92CR"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4725_Account_Disabled.xml"
+ },
+ "level": "information"
+ },
+ "related": {
+ "user": [
+ "Administrator",
+ "audittest"
+ ]
+ },
+ "user": {
+ "domain": "WIN-41OB2LO92CR",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "name": "Administrator",
+ "target": {
+ "domain": "WIN-41OB2LO92CR",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-1000",
+ "name": "audittest"
+ }
+ },
+ "winlog": {
+ "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}",
+ "channel": "Security",
+ "computer_name": "WIN-41OB2LO92CR",
+ "event_data": {
+ "SubjectDomainName": "WIN-41OB2LO92CR",
+ "SubjectLogonId": "0x264b2",
+ "SubjectUserName": "Administrator",
+ "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "TargetDomainName": "WIN-41OB2LO92CR",
+ "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1000",
+ "TargetUserName": "audittest"
+ },
+ "event_id": "4725",
+ "keywords": [
+ "Audit Success"
+ ],
+ "level": "information",
+ "logon": {
+ "id": "0x264b2"
+ },
+ "opcode": "Info",
+ "outcome": "success",
+ "process": {
+ "pid": 780,
+ "thread": {
+ "id": 532
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "2810",
+ "time_created": "2019-09-06T13:28:40.001Z"
+ }
+ },
+ {
+ "@timestamp": "2019-09-06T13:28:55.264Z",
+ "agent": {
+ "ephemeral_id": "1bccb9d3-7ebc-4789-bfc0-9b920f756ba5",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "disabled-user-account",
+ "category": [
+ "iam"
+ ],
+ "code": "4725",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "user",
+ "deletion"
+ ]
+ },
+ "host": {
+ "name": "WIN-41OB2LO92CR"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4725_Account_Disabled.xml"
+ },
+ "level": "information"
+ },
+ "related": {
+ "user": [
+ "Administrator",
+ "audittest0609"
+ ]
+ },
+ "user": {
+ "domain": "WIN-41OB2LO92CR",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "name": "Administrator",
+ "target": {
+ "domain": "WIN-41OB2LO92CR",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-1006",
+ "name": "audittest0609"
+ }
+ },
+ "winlog": {
+ "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}",
+ "channel": "Security",
+ "computer_name": "WIN-41OB2LO92CR",
+ "event_data": {
+ "SubjectDomainName": "WIN-41OB2LO92CR",
+ "SubjectLogonId": "0x264b2",
+ "SubjectUserName": "Administrator",
+ "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "TargetDomainName": "WIN-41OB2LO92CR",
+ "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1006",
+ "TargetUserName": "audittest0609"
+ },
+ "event_id": "4725",
+ "keywords": [
+ "Audit Success"
+ ],
+ "level": "information",
+ "logon": {
+ "id": "0x264b2"
+ },
+ "opcode": "Info",
+ "outcome": "success",
+ "process": {
+ "pid": 780,
+ "thread": {
+ "id": 532
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "2820",
+ "time_created": "2019-09-06T13:28:55.264Z"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4726-account-deleted.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4726-account-deleted.json
new file mode 100644
index 000000000..58bd492bf
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4726-account-deleted.json
@@ -0,0 +1,124 @@
+{
+ "events": [
+ {
+ "@timestamp": "2021-04-15T19:04:53.251Z",
+ "event": {
+ "kind": "event",
+ "code": 4726,
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "outcome": "success"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4726_Account_Deleted.xml"
+ },
+ "level": "information"
+ },
+ "ecs": {
+ "version": "1.8.0"
+ },
+ "host": {
+ "name": "WIN-41OB2LO92CR"
+ },
+ "agent": {
+ "ephemeral_id": "0576ed73-5ee1-437f-bd1a-cf8dae0a9e24",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "winlog": {
+ "event_id": 4726,
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "computer_name": "WIN-41OB2LO92CR",
+ "keywords": [
+ "Audit Success"
+ ],
+ "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}",
+ "record_id": 2851,
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "level": "information",
+ "channel": "Security",
+ "opcode": "Info",
+ "time_created": "2019-09-06T13:35:25.515Z",
+ "outcome": "success",
+ "event_data": {
+ "TargetUserName": "audittest23",
+ "TargetDomainName": "WIN-41OB2LO92CR",
+ "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1001",
+ "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "SubjectUserName": "Administrator",
+ "SubjectDomainName": "WIN-41OB2LO92CR",
+ "SubjectLogonId": "0x264b2",
+ "PrivilegeList": "-"
+ },
+ "process": {
+ "pid": 780,
+ "thread": {
+ "id": 1980
+ }
+ }
+ }
+ },
+ {
+ "@timestamp": "2021-04-15T19:04:53.252Z",
+ "event": {
+ "kind": "event",
+ "code": 4726,
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "outcome": "success"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4726_Account_Deleted.xml"
+ },
+ "level": "information"
+ },
+ "host": {
+ "name": "WIN-41OB2LO92CR"
+ },
+ "agent": {
+ "ephemeral_id": "0576ed73-5ee1-437f-bd1a-cf8dae0a9e24",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "ecs": {
+ "version": "1.8.0"
+ },
+ "winlog": {
+ "level": "information",
+ "channel": "Security",
+ "keywords": [
+ "Audit Success"
+ ],
+ "event_id": 4726,
+ "computer_name": "WIN-41OB2LO92CR",
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "time_created": "2019-09-06T13:35:29.690Z",
+ "outcome": "success",
+ "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "opcode": "Info",
+ "event_data": {
+ "SubjectLogonId": "0x264b2",
+ "PrivilegeList": "-",
+ "TargetUserName": "audittest",
+ "TargetDomainName": "WIN-41OB2LO92CR",
+ "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1000",
+ "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "SubjectUserName": "Administrator",
+ "SubjectDomainName": "WIN-41OB2LO92CR"
+ },
+ "process": {
+ "pid": 780,
+ "thread": {
+ "id": 820
+ }
+ },
+ "record_id": 2857
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4726-account-deleted.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4726-account-deleted.json-expected.json
new file mode 100644
index 000000000..95340ef62
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4726-account-deleted.json-expected.json
@@ -0,0 +1,178 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2019-09-06T13:35:25.515Z",
+ "agent": {
+ "ephemeral_id": "0576ed73-5ee1-437f-bd1a-cf8dae0a9e24",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "deleted-user-account",
+ "category": [
+ "iam"
+ ],
+ "code": "4726",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "user",
+ "deletion"
+ ]
+ },
+ "host": {
+ "name": "WIN-41OB2LO92CR"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4726_Account_Deleted.xml"
+ },
+ "level": "information"
+ },
+ "related": {
+ "user": [
+ "Administrator",
+ "audittest23"
+ ]
+ },
+ "user": {
+ "domain": "WIN-41OB2LO92CR",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "name": "Administrator",
+ "target": {
+ "domain": "WIN-41OB2LO92CR",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-1001",
+ "name": "audittest23"
+ }
+ },
+ "winlog": {
+ "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}",
+ "channel": "Security",
+ "computer_name": "WIN-41OB2LO92CR",
+ "event_data": {
+ "PrivilegeList": "-",
+ "SubjectDomainName": "WIN-41OB2LO92CR",
+ "SubjectLogonId": "0x264b2",
+ "SubjectUserName": "Administrator",
+ "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "TargetDomainName": "WIN-41OB2LO92CR",
+ "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1001",
+ "TargetUserName": "audittest23"
+ },
+ "event_id": "4726",
+ "keywords": [
+ "Audit Success"
+ ],
+ "level": "information",
+ "logon": {
+ "id": "0x264b2"
+ },
+ "opcode": "Info",
+ "outcome": "success",
+ "process": {
+ "pid": 780,
+ "thread": {
+ "id": 1980
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "2851",
+ "time_created": "2019-09-06T13:35:25.515Z"
+ }
+ },
+ {
+ "@timestamp": "2019-09-06T13:35:29.690Z",
+ "agent": {
+ "ephemeral_id": "0576ed73-5ee1-437f-bd1a-cf8dae0a9e24",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "deleted-user-account",
+ "category": [
+ "iam"
+ ],
+ "code": "4726",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "user",
+ "deletion"
+ ]
+ },
+ "host": {
+ "name": "WIN-41OB2LO92CR"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4726_Account_Deleted.xml"
+ },
+ "level": "information"
+ },
+ "related": {
+ "user": [
+ "Administrator",
+ "audittest"
+ ]
+ },
+ "user": {
+ "domain": "WIN-41OB2LO92CR",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "name": "Administrator",
+ "target": {
+ "domain": "WIN-41OB2LO92CR",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-1000",
+ "name": "audittest"
+ }
+ },
+ "winlog": {
+ "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}",
+ "channel": "Security",
+ "computer_name": "WIN-41OB2LO92CR",
+ "event_data": {
+ "PrivilegeList": "-",
+ "SubjectDomainName": "WIN-41OB2LO92CR",
+ "SubjectLogonId": "0x264b2",
+ "SubjectUserName": "Administrator",
+ "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "TargetDomainName": "WIN-41OB2LO92CR",
+ "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1000",
+ "TargetUserName": "audittest"
+ },
+ "event_id": "4726",
+ "keywords": [
+ "Audit Success"
+ ],
+ "level": "information",
+ "logon": {
+ "id": "0x264b2"
+ },
+ "opcode": "Info",
+ "outcome": "success",
+ "process": {
+ "pid": 780,
+ "thread": {
+ "id": 820
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "2857",
+ "time_created": "2019-09-06T13:35:29.690Z"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4738-account-changed.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4738-account-changed.json
new file mode 100644
index 000000000..8b12f4c9b
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4738-account-changed.json
@@ -0,0 +1,83 @@
+{
+ "events": [
+ {
+ "@timestamp": "2021-04-15T19:08:39.068Z",
+ "event": {
+ "kind": "event",
+ "code": 4738,
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "outcome": "success"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4738_Account_Changed.xml"
+ },
+ "level": "information"
+ },
+ "agent": {
+ "ephemeral_id": "8233890e-f67f-456f-833c-9695ee1564d6",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "ecs": {
+ "version": "1.8.0"
+ },
+ "host": {
+ "name": "WIN-41OB2LO92CR"
+ },
+ "winlog": {
+ "event_id": 4738,
+ "record_id": 2862,
+ "outcome": "success",
+ "level": "information",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "computer_name": "WIN-41OB2LO92CR",
+ "event_data": {
+ "AccountExpires": "%%1794",
+ "PrimaryGroupId": "513",
+ "AllowedToDelegateTo": "-",
+ "OldUacValue": "0x210",
+ "UserAccountControl": "-",
+ "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "SubjectUserName": "Administrator",
+ "SamAccountName": "elastictest1",
+ "PrivilegeList": "-",
+ "PasswordLastSet": "6/9/2019 10:30:28",
+ "TargetUserName": "elastictest1",
+ "HomeDirectory": "%%1793",
+ "UserParameters": "%%1793",
+ "LogonHours": "%%1797",
+ "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1005",
+ "UserPrincipalName": "-",
+ "ScriptPath": "%%1793",
+ "Dummy": "-",
+ "DisplayName": "elastictest1",
+ "SidHistory": "-",
+ "UserWorkstations": "%%1793",
+ "SubjectDomainName": "WIN-41OB2LO92CR",
+ "SubjectLogonId": "0x264b2",
+ "ProfilePath": "%%1793",
+ "TargetDomainName": "WIN-41OB2LO92CR",
+ "HomePath": "%%1793",
+ "NewUacValue": "0x210"
+ },
+ "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}",
+ "channel": "Security",
+ "keywords": [
+ "Audit Success"
+ ],
+ "time_created": "2019-09-06T13:36:17.566Z",
+ "process": {
+ "pid": 780,
+ "thread": {
+ "id": 1980
+ }
+ },
+ "opcode": "Info",
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4738-account-changed.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4738-account-changed.json-expected.json
new file mode 100644
index 000000000..d36c9aaa9
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4738-account-changed.json-expected.json
@@ -0,0 +1,114 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2019-09-06T13:36:17.566Z",
+ "agent": {
+ "ephemeral_id": "8233890e-f67f-456f-833c-9695ee1564d6",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "modified-user-account",
+ "category": [
+ "iam"
+ ],
+ "code": "4738",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "user",
+ "change"
+ ]
+ },
+ "host": {
+ "name": "WIN-41OB2LO92CR"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4738_Account_Changed.xml"
+ },
+ "level": "information"
+ },
+ "related": {
+ "user": [
+ "Administrator",
+ "elastictest1"
+ ]
+ },
+ "user": {
+ "domain": "WIN-41OB2LO92CR",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "name": "Administrator",
+ "target": {
+ "domain": "WIN-41OB2LO92CR",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-1005",
+ "name": "elastictest1"
+ }
+ },
+ "winlog": {
+ "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}",
+ "channel": "Security",
+ "computer_name": "WIN-41OB2LO92CR",
+ "event_data": {
+ "AccountExpires": "%%1794",
+ "AllowedToDelegateTo": "-",
+ "DisplayName": "elastictest1",
+ "Dummy": "-",
+ "HomeDirectory": "%%1793",
+ "HomePath": "%%1793",
+ "LogonHours": "%%1797",
+ "NewUACList": [
+ "LOCKOUT",
+ "NORMAL_ACCOUNT"
+ ],
+ "NewUacValue": "0x210",
+ "OldUacValue": "0x210",
+ "PasswordLastSet": "6/9/2019 10:30:28",
+ "PrimaryGroupId": "513",
+ "PrivilegeList": "-",
+ "ProfilePath": "%%1793",
+ "SamAccountName": "elastictest1",
+ "ScriptPath": "%%1793",
+ "SidHistory": "-",
+ "SubjectDomainName": "WIN-41OB2LO92CR",
+ "SubjectLogonId": "0x264b2",
+ "SubjectUserName": "Administrator",
+ "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "TargetDomainName": "WIN-41OB2LO92CR",
+ "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1005",
+ "TargetUserName": "elastictest1",
+ "UserAccountControl": "-",
+ "UserParameters": "%%1793",
+ "UserPrincipalName": "-",
+ "UserWorkstations": "%%1793"
+ },
+ "event_id": "4738",
+ "keywords": [
+ "Audit Success"
+ ],
+ "level": "information",
+ "logon": {
+ "id": "0x264b2"
+ },
+ "opcode": "Info",
+ "outcome": "success",
+ "process": {
+ "pid": 780,
+ "thread": {
+ "id": 1980
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "2862",
+ "time_created": "2019-09-06T13:36:17.566Z"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4740-account-locked-out.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4740-account-locked-out.json
new file mode 100644
index 000000000..464d7367e
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4740-account-locked-out.json
@@ -0,0 +1,63 @@
+{
+ "events": [
+ {
+ "@timestamp": "2021-04-15T19:05:28.445Z",
+ "event": {
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "outcome": "success",
+ "kind": "event",
+ "code": 4740
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4740_Account_Locked_Out.xml"
+ },
+ "level": "information"
+ },
+ "ecs": {
+ "version": "1.8.0"
+ },
+ "host": {
+ "name": "WIN-41OB2LO92CR"
+ },
+ "agent": {
+ "version": "8.0.0",
+ "ephemeral_id": "8caa1f31-d548-434d-ac5b-f3725137fe68",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat"
+ },
+ "winlog": {
+ "record_id": 2883,
+ "computer_name": "WIN-41OB2LO92CR",
+ "process": {
+ "pid": 780,
+ "thread": {
+ "id": 532
+ }
+ },
+ "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}",
+ "channel": "Security",
+ "event_id": 4740,
+ "keywords": [
+ "Audit Success"
+ ],
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "time_created": "2019-09-06T13:39:43.085Z",
+ "outcome": "success",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "opcode": "Info",
+ "level": "information",
+ "event_data": {
+ "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1005",
+ "SubjectUserSid": "S-1-5-18",
+ "SubjectUserName": "WIN-41OB2LO92CR$",
+ "SubjectDomainName": "WORKGROUP",
+ "SubjectLogonId": "0x3e7",
+ "TargetUserName": "elastictest1",
+ "TargetDomainName": "WIN-41OB2LO92CR"
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4740-account-locked-out.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4740-account-locked-out.json-expected.json
new file mode 100644
index 000000000..411f20733
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4740-account-locked-out.json-expected.json
@@ -0,0 +1,90 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2019-09-06T13:39:43.085Z",
+ "agent": {
+ "ephemeral_id": "8caa1f31-d548-434d-ac5b-f3725137fe68",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "locked-out-user-account",
+ "category": [
+ "iam"
+ ],
+ "code": "4740",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "user",
+ "change"
+ ]
+ },
+ "host": {
+ "name": "WIN-41OB2LO92CR"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4740_Account_Locked_Out.xml"
+ },
+ "level": "information"
+ },
+ "related": {
+ "user": [
+ "WIN-41OB2LO92CR$",
+ "elastictest1"
+ ]
+ },
+ "user": {
+ "domain": "WORKGROUP",
+ "id": "S-1-5-18",
+ "name": "WIN-41OB2LO92CR$",
+ "target": {
+ "domain": "WIN-41OB2LO92CR",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-1005",
+ "name": "elastictest1"
+ }
+ },
+ "winlog": {
+ "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}",
+ "channel": "Security",
+ "computer_name": "WIN-41OB2LO92CR",
+ "event_data": {
+ "SubjectDomainName": "WORKGROUP",
+ "SubjectLogonId": "0x3e7",
+ "SubjectUserName": "WIN-41OB2LO92CR$",
+ "SubjectUserSid": "S-1-5-18",
+ "TargetDomainName": "WIN-41OB2LO92CR",
+ "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1005",
+ "TargetUserName": "elastictest1"
+ },
+ "event_id": "4740",
+ "keywords": [
+ "Audit Success"
+ ],
+ "level": "information",
+ "logon": {
+ "id": "0x3e7"
+ },
+ "opcode": "Info",
+ "outcome": "success",
+ "process": {
+ "pid": 780,
+ "thread": {
+ "id": 532
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "2883",
+ "time_created": "2019-09-06T13:39:43.085Z"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4767-account-unlocked.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4767-account-unlocked.json
new file mode 100644
index 000000000..7396bdcdd
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4767-account-unlocked.json
@@ -0,0 +1,63 @@
+{
+ "events": [
+ {
+ "@timestamp": "2021-04-15T19:05:23.416Z",
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4767_Account_Unlocked.xml"
+ },
+ "level": "information"
+ },
+ "ecs": {
+ "version": "1.8.0"
+ },
+ "host": {
+ "name": "WIN-41OB2LO92CR"
+ },
+ "agent": {
+ "ephemeral_id": "7ab867f5-fdb6-44f7-8d6a-15aa3b0a5d7d",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "winlog": {
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": 2892,
+ "time_created": "2019-09-06T13:40:52.314Z",
+ "level": "information",
+ "process": {
+ "pid": 780,
+ "thread": {
+ "id": 808
+ }
+ },
+ "keywords": [
+ "Audit Success"
+ ],
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "event_id": 4767,
+ "computer_name": "WIN-41OB2LO92CR",
+ "opcode": "Info",
+ "outcome": "success",
+ "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}",
+ "channel": "Security",
+ "event_data": {
+ "TargetUserName": "elastictest1",
+ "TargetDomainName": "WIN-41OB2LO92CR",
+ "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1005",
+ "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "SubjectUserName": "Administrator",
+ "SubjectDomainName": "WIN-41OB2LO92CR",
+ "SubjectLogonId": "0x264b2"
+ }
+ },
+ "event": {
+ "outcome": "success",
+ "kind": "event",
+ "code": 4767,
+ "provider": "Microsoft-Windows-Security-Auditing"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4767-account-unlocked.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4767-account-unlocked.json-expected.json
new file mode 100644
index 000000000..bcb1f1f98
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4767-account-unlocked.json-expected.json
@@ -0,0 +1,90 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2019-09-06T13:40:52.314Z",
+ "agent": {
+ "ephemeral_id": "7ab867f5-fdb6-44f7-8d6a-15aa3b0a5d7d",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "unlocked-user-account",
+ "category": [
+ "iam"
+ ],
+ "code": "4767",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "user",
+ "change"
+ ]
+ },
+ "host": {
+ "name": "WIN-41OB2LO92CR"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4767_Account_Unlocked.xml"
+ },
+ "level": "information"
+ },
+ "related": {
+ "user": [
+ "Administrator",
+ "elastictest1"
+ ]
+ },
+ "user": {
+ "domain": "WIN-41OB2LO92CR",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "name": "Administrator",
+ "target": {
+ "domain": "WIN-41OB2LO92CR",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-1005",
+ "name": "elastictest1"
+ }
+ },
+ "winlog": {
+ "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}",
+ "channel": "Security",
+ "computer_name": "WIN-41OB2LO92CR",
+ "event_data": {
+ "SubjectDomainName": "WIN-41OB2LO92CR",
+ "SubjectLogonId": "0x264b2",
+ "SubjectUserName": "Administrator",
+ "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "TargetDomainName": "WIN-41OB2LO92CR",
+ "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1005",
+ "TargetUserName": "elastictest1"
+ },
+ "event_id": "4767",
+ "keywords": [
+ "Audit Success"
+ ],
+ "level": "information",
+ "logon": {
+ "id": "0x264b2"
+ },
+ "opcode": "Info",
+ "outcome": "success",
+ "process": {
+ "pid": 780,
+ "thread": {
+ "id": 808
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "2892",
+ "time_created": "2019-09-06T13:40:52.314Z"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4781-account-renamed.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4781-account-renamed.json
new file mode 100644
index 000000000..10af170bf
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4781-account-renamed.json
@@ -0,0 +1,126 @@
+{
+ "events": [
+ {
+ "@timestamp": "2021-04-15T19:08:29.043Z",
+ "log": {
+ "level": "information",
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4781_Account_Renamed.xml"
+ }
+ },
+ "ecs": {
+ "version": "1.8.0"
+ },
+ "host": {
+ "name": "WIN-41OB2LO92CR"
+ },
+ "agent": {
+ "ephemeral_id": "e3cf97cd-7154-4089-afea-1b754fd47391",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "winlog": {
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "computer_name": "WIN-41OB2LO92CR",
+ "keywords": [
+ "Audit Success"
+ ],
+ "time_created": "2019-09-06T13:38:17.556Z",
+ "channel": "Security",
+ "event_id": 4781,
+ "record_id": 2873,
+ "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}",
+ "process": {
+ "pid": 780,
+ "thread": {
+ "id": 808
+ }
+ },
+ "opcode": "Info",
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "outcome": "success",
+ "level": "information",
+ "event_data": {
+ "NewTargetUserName": "audittest06",
+ "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1006",
+ "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "SubjectUserName": "Administrator",
+ "OldTargetUserName": "audittest0609",
+ "TargetDomainName": "WIN-41OB2LO92CR",
+ "SubjectDomainName": "WIN-41OB2LO92CR",
+ "SubjectLogonId": "0x264b2",
+ "PrivilegeList": "-"
+ }
+ },
+ "event": {
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "outcome": "success",
+ "kind": "event",
+ "code": 4781
+ }
+ },
+ {
+ "@timestamp": "2021-04-15T19:08:29.044Z",
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4781_Account_Renamed.xml"
+ },
+ "level": "information"
+ },
+ "ecs": {
+ "version": "1.8.0"
+ },
+ "host": {
+ "name": "WIN-41OB2LO92CR"
+ },
+ "agent": {
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0",
+ "ephemeral_id": "e3cf97cd-7154-4089-afea-1b754fd47391"
+ },
+ "winlog": {
+ "computer_name": "WIN-41OB2LO92CR",
+ "opcode": "Info",
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "level": "information",
+ "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}",
+ "event_id": 4781,
+ "keywords": [
+ "Audit Success"
+ ],
+ "time_created": "2019-09-06T13:38:23.516Z",
+ "process": {
+ "pid": 780,
+ "thread": {
+ "id": 808
+ }
+ },
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": 2875,
+ "outcome": "success",
+ "channel": "Security",
+ "event_data": {
+ "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "SubjectUserName": "Administrator",
+ "SubjectLogonId": "0x264b2",
+ "PrivilegeList": "-",
+ "OldTargetUserName": "audittest06",
+ "NewTargetUserName": "audittest0609",
+ "TargetDomainName": "WIN-41OB2LO92CR",
+ "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1006",
+ "SubjectDomainName": "WIN-41OB2LO92CR"
+ }
+ },
+ "event": {
+ "code": 4781,
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "outcome": "success",
+ "kind": "event"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4781-account-renamed.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4781-account-renamed.json-expected.json
new file mode 100644
index 000000000..9fc26d48b
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4781-account-renamed.json-expected.json
@@ -0,0 +1,184 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2019-09-06T13:38:17.556Z",
+ "agent": {
+ "ephemeral_id": "e3cf97cd-7154-4089-afea-1b754fd47391",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "renamed-user-account",
+ "category": [
+ "iam"
+ ],
+ "code": "4781",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "user",
+ "change"
+ ]
+ },
+ "host": {
+ "name": "WIN-41OB2LO92CR"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4781_Account_Renamed.xml"
+ },
+ "level": "information"
+ },
+ "related": {
+ "user": [
+ "Administrator",
+ "audittest06",
+ "audittest0609"
+ ]
+ },
+ "user": {
+ "changes": {
+ "name": "audittest06"
+ },
+ "domain": "WIN-41OB2LO92CR",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "name": "Administrator",
+ "target": {
+ "name": "audittest0609"
+ }
+ },
+ "winlog": {
+ "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}",
+ "channel": "Security",
+ "computer_name": "WIN-41OB2LO92CR",
+ "event_data": {
+ "NewTargetUserName": "audittest06",
+ "OldTargetUserName": "audittest0609",
+ "PrivilegeList": "-",
+ "SubjectDomainName": "WIN-41OB2LO92CR",
+ "SubjectLogonId": "0x264b2",
+ "SubjectUserName": "Administrator",
+ "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "TargetDomainName": "WIN-41OB2LO92CR",
+ "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1006"
+ },
+ "event_id": "4781",
+ "keywords": [
+ "Audit Success"
+ ],
+ "level": "information",
+ "logon": {
+ "id": "0x264b2"
+ },
+ "opcode": "Info",
+ "outcome": "success",
+ "process": {
+ "pid": 780,
+ "thread": {
+ "id": 808
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "2873",
+ "time_created": "2019-09-06T13:38:17.556Z"
+ }
+ },
+ {
+ "@timestamp": "2019-09-06T13:38:23.516Z",
+ "agent": {
+ "ephemeral_id": "e3cf97cd-7154-4089-afea-1b754fd47391",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "renamed-user-account",
+ "category": [
+ "iam"
+ ],
+ "code": "4781",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "user",
+ "change"
+ ]
+ },
+ "host": {
+ "name": "WIN-41OB2LO92CR"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4781_Account_Renamed.xml"
+ },
+ "level": "information"
+ },
+ "related": {
+ "user": [
+ "Administrator",
+ "audittest0609",
+ "audittest06"
+ ]
+ },
+ "user": {
+ "changes": {
+ "name": "audittest0609"
+ },
+ "domain": "WIN-41OB2LO92CR",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "name": "Administrator",
+ "target": {
+ "name": "audittest06"
+ }
+ },
+ "winlog": {
+ "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}",
+ "channel": "Security",
+ "computer_name": "WIN-41OB2LO92CR",
+ "event_data": {
+ "NewTargetUserName": "audittest0609",
+ "OldTargetUserName": "audittest06",
+ "PrivilegeList": "-",
+ "SubjectDomainName": "WIN-41OB2LO92CR",
+ "SubjectLogonId": "0x264b2",
+ "SubjectUserName": "Administrator",
+ "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "TargetDomainName": "WIN-41OB2LO92CR",
+ "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1006"
+ },
+ "event_id": "4781",
+ "keywords": [
+ "Audit Success"
+ ],
+ "level": "information",
+ "logon": {
+ "id": "0x264b2"
+ },
+ "opcode": "Info",
+ "outcome": "success",
+ "process": {
+ "pid": 780,
+ "thread": {
+ "id": 808
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "2875",
+ "time_created": "2019-09-06T13:38:23.516Z"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-logoff.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-logoff.json
new file mode 100644
index 000000000..433a6d735
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-logoff.json
@@ -0,0 +1,116 @@
+{
+ "events": [
+ {
+ "@timestamp": "2021-04-15T19:05:03.307Z",
+ "ecs": {
+ "version": "1.8.0"
+ },
+ "host": {
+ "name": "WIN-41OB2LO92CR"
+ },
+ "agent": {
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0",
+ "ephemeral_id": "3b9c486d-b279-48cc-bee6-45548541f490"
+ },
+ "winlog": {
+ "channel": "Security",
+ "event_id": 4634,
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "opcode": "Info",
+ "time_created": "2019-05-17T11:06:58.210Z",
+ "outcome": "success",
+ "process": {
+ "pid": 776,
+ "thread": {
+ "id": 540
+ }
+ },
+ "record_id": 485,
+ "computer_name": "WIN-41OB2LO92CR",
+ "keywords": [
+ "Audit Success"
+ ],
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "level": "information",
+ "event_data": {
+ "TargetUserSid": "S-1-5-21-101361758-2486510592-3018839910-1000",
+ "TargetUserName": "audittest",
+ "TargetDomainName": "WIN-41OB2LO92CR",
+ "TargetLogonId": "0x767a77",
+ "LogonType": "3"
+ }
+ },
+ "event": {
+ "kind": "event",
+ "code": 4634,
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "outcome": "success"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016-logoff.xml"
+ },
+ "level": "information"
+ }
+ },
+ {
+ "@timestamp": "2021-04-15T19:05:03.307Z",
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016-logoff.xml"
+ },
+ "level": "information"
+ },
+ "ecs": {
+ "version": "1.8.0"
+ },
+ "host": {
+ "name": "WIN-41OB2LO92CR"
+ },
+ "agent": {
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0",
+ "ephemeral_id": "3b9c486d-b279-48cc-bee6-45548541f490",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17"
+ },
+ "winlog": {
+ "process": {
+ "pid": 780,
+ "thread": {
+ "id": 820
+ }
+ },
+ "channel": "Security",
+ "event_id": 4634,
+ "record_id": 747,
+ "computer_name": "WIN-41OB2LO92CR",
+ "level": "information",
+ "event_data": {
+ "TargetUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "TargetUserName": "Administrator",
+ "TargetDomainName": "WIN-41OB2LO92CR",
+ "TargetLogonId": "0x104a4a6",
+ "LogonType": "3"
+ },
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "keywords": [
+ "Audit Success"
+ ],
+ "opcode": "Info",
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "time_created": "2019-05-19T16:15:38.542Z",
+ "outcome": "success"
+ },
+ "event": {
+ "kind": "event",
+ "code": 4634,
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "outcome": "success"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-logoff.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-logoff.json-expected.json
new file mode 100644
index 000000000..599cf204d
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-logoff.json-expected.json
@@ -0,0 +1,158 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2019-05-17T11:06:58.210Z",
+ "agent": {
+ "ephemeral_id": "3b9c486d-b279-48cc-bee6-45548541f490",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "logged-out",
+ "category": [
+ "authentication"
+ ],
+ "code": "4634",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "end"
+ ]
+ },
+ "host": {
+ "name": "WIN-41OB2LO92CR"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016-logoff.xml"
+ },
+ "level": "information"
+ },
+ "related": {
+ "user": [
+ "audittest"
+ ]
+ },
+ "user": {
+ "domain": "WIN-41OB2LO92CR",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-1000",
+ "name": "audittest"
+ },
+ "winlog": {
+ "channel": "Security",
+ "computer_name": "WIN-41OB2LO92CR",
+ "event_data": {
+ "LogonType": "3",
+ "TargetDomainName": "WIN-41OB2LO92CR",
+ "TargetLogonId": "0x767a77",
+ "TargetUserName": "audittest",
+ "TargetUserSid": "S-1-5-21-101361758-2486510592-3018839910-1000"
+ },
+ "event_id": "4634",
+ "keywords": [
+ "Audit Success"
+ ],
+ "level": "information",
+ "logon": {
+ "id": "0x767a77",
+ "type": "Network"
+ },
+ "opcode": "Info",
+ "outcome": "success",
+ "process": {
+ "pid": 776,
+ "thread": {
+ "id": 540
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "485",
+ "time_created": "2019-05-17T11:06:58.210Z"
+ }
+ },
+ {
+ "@timestamp": "2019-05-19T16:15:38.542Z",
+ "agent": {
+ "ephemeral_id": "3b9c486d-b279-48cc-bee6-45548541f490",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "logged-out",
+ "category": [
+ "authentication"
+ ],
+ "code": "4634",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "end"
+ ]
+ },
+ "host": {
+ "name": "WIN-41OB2LO92CR"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016-logoff.xml"
+ },
+ "level": "information"
+ },
+ "related": {
+ "user": [
+ "Administrator"
+ ]
+ },
+ "user": {
+ "domain": "WIN-41OB2LO92CR",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "name": "Administrator"
+ },
+ "winlog": {
+ "channel": "Security",
+ "computer_name": "WIN-41OB2LO92CR",
+ "event_data": {
+ "LogonType": "3",
+ "TargetDomainName": "WIN-41OB2LO92CR",
+ "TargetLogonId": "0x104a4a6",
+ "TargetUserName": "Administrator",
+ "TargetUserSid": "S-1-5-21-101361758-2486510592-3018839910-500"
+ },
+ "event_id": "4634",
+ "keywords": [
+ "Audit Success"
+ ],
+ "level": "information",
+ "logon": {
+ "id": "0x104a4a6",
+ "type": "Network"
+ },
+ "opcode": "Info",
+ "outcome": "success",
+ "process": {
+ "pid": 780,
+ "thread": {
+ "id": 820
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "747",
+ "time_created": "2019-05-19T16:15:38.542Z"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4688-process-created.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4688-process-created.json
new file mode 100644
index 000000000..4609e0076
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4688-process-created.json
@@ -0,0 +1,71 @@
+{
+ "events": [
+ {
+ "@timestamp": "2021-04-15T19:03:52.909Z",
+ "winlog": {
+ "process": {
+ "pid": 4,
+ "thread": {
+ "id": 5076
+ }
+ },
+ "record_id": 5010,
+ "level": "information",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "outcome": "success",
+ "computer_name": "vagrant",
+ "keywords": [
+ "Audit Success"
+ ],
+ "opcode": "Info",
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "version": 2,
+ "time_created": "2019-11-14T17:10:15.151Z",
+ "channel": "Security",
+ "event_id": 4688,
+ "event_data": {
+ "SubjectDomainName": "VAGRANT",
+ "SubjectLogonId": "0x274a2",
+ "TargetDomainName": "-",
+ "MandatoryLabel": "S-1-16-12288",
+ "SubjectUserSid": "S-1-5-21-1610636575-2290000098-1654242922-1000",
+ "NewProcessId": "0x11cc",
+ "TokenElevationType": "%%1937",
+ "ProcessId": "0x122c",
+ "CommandLine": "\"C:\\Windows\\system32\\wevtutil.exe\" cl Security",
+ "TargetUserName": "-",
+ "SubjectUserName": "vagrant",
+ "TargetUserSid": "S-1-0-0",
+ "TargetLogonId": "0x0",
+ "ParentProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
+ "NewProcessName": "C:\\Windows\\System32\\wevtutil.exe"
+ }
+ },
+ "event": {
+ "kind": "event",
+ "code": 4688,
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "outcome": "success"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4688_Process_Created.xml"
+ },
+ "level": "information"
+ },
+ "ecs": {
+ "version": "1.8.0"
+ },
+ "host": {
+ "name": "vagrant"
+ },
+ "agent": {
+ "ephemeral_id": "533cc04e-1719-48a1-ac94-731ac0fffcb7",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4688-process-created.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4688-process-created.json-expected.json
new file mode 100644
index 000000000..d69d247ab
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4688-process-created.json-expected.json
@@ -0,0 +1,107 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2019-11-14T17:10:15.151Z",
+ "agent": {
+ "ephemeral_id": "533cc04e-1719-48a1-ac94-731ac0fffcb7",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "created-process",
+ "category": [
+ "process"
+ ],
+ "code": "4688",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "start"
+ ]
+ },
+ "host": {
+ "name": "vagrant"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4688_Process_Created.xml"
+ },
+ "level": "information"
+ },
+ "process": {
+ "args": [
+ "\"C:\\Windows\\system32\\wevtutil.exe\"",
+ "cl",
+ "Security"
+ ],
+ "command_line": "\"C:\\Windows\\system32\\wevtutil.exe\" cl Security",
+ "executable": "C:\\Windows\\System32\\wevtutil.exe",
+ "name": "wevtutil.exe",
+ "parent": {
+ "executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
+ "name": "powershell.exe",
+ "pid": 4652
+ },
+ "pid": 4556
+ },
+ "related": {
+ "user": [
+ "vagrant"
+ ]
+ },
+ "user": {
+ "domain": "VAGRANT",
+ "effective": {
+ "id": "S-1-0-0"
+ },
+ "id": "S-1-5-21-1610636575-2290000098-1654242922-1000",
+ "name": "vagrant"
+ },
+ "winlog": {
+ "channel": "Security",
+ "computer_name": "vagrant",
+ "event_data": {
+ "CommandLine": "\"C:\\Windows\\system32\\wevtutil.exe\" cl Security",
+ "MandatoryLabel": "S-1-16-12288",
+ "ProcessId": "0x122c",
+ "SubjectDomainName": "VAGRANT",
+ "SubjectLogonId": "0x274a2",
+ "SubjectUserName": "vagrant",
+ "SubjectUserSid": "S-1-5-21-1610636575-2290000098-1654242922-1000",
+ "TargetDomainName": "-",
+ "TargetLogonId": "0x0",
+ "TargetUserName": "-",
+ "TargetUserSid": "S-1-0-0",
+ "TokenElevationType": "%%1937"
+ },
+ "event_id": "4688",
+ "keywords": [
+ "Audit Success"
+ ],
+ "level": "information",
+ "logon": {
+ "id": "0x274a2"
+ },
+ "opcode": "Info",
+ "outcome": "success",
+ "process": {
+ "pid": 4,
+ "thread": {
+ "id": 5076
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "5010",
+ "time_created": "2019-11-14T17:10:15.151Z",
+ "version": 2
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4689-process-exited.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4689-process-exited.json
new file mode 100644
index 000000000..a1e6f6799
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4689-process-exited.json
@@ -0,0 +1,178 @@
+{
+ "events": [
+ {
+ "@timestamp": "2021-04-15T19:07:58.995Z",
+ "ecs": {
+ "version": "1.8.0"
+ },
+ "host": {
+ "name": "vagrant"
+ },
+ "agent": {
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0",
+ "ephemeral_id": "fb28c8e2-a7cd-49c5-8765-83f5037ec4f6"
+ },
+ "winlog": {
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "time_created": "2019-11-14T21:26:49.496Z",
+ "event_data": {
+ "Status": "0x0",
+ "ProcessId": "0x1524",
+ "ProcessName": "C:\\Windows\\System32\\wevtutil.exe",
+ "SubjectUserSid": "S-1-5-21-1610636575-2290000098-1654242922-1000",
+ "SubjectUserName": "vagrant",
+ "SubjectDomainName": "VAGRANT",
+ "SubjectLogonId": "0x274a2"
+ },
+ "channel": "Security",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "computer_name": "vagrant",
+ "opcode": "Info",
+ "outcome": "success",
+ "level": "information",
+ "process": {
+ "pid": 4,
+ "thread": {
+ "id": 1168
+ }
+ },
+ "event_id": 4689,
+ "record_id": 7538,
+ "keywords": [
+ "Audit Success"
+ ]
+ },
+ "event": {
+ "code": 4689,
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "outcome": "success",
+ "kind": "event"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4689_Process_Exited.xml"
+ },
+ "level": "information"
+ }
+ },
+ {
+ "@timestamp": "2021-04-15T19:07:58.995Z",
+ "host": {
+ "name": "vagrant"
+ },
+ "agent": {
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0",
+ "ephemeral_id": "fb28c8e2-a7cd-49c5-8765-83f5037ec4f6",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17"
+ },
+ "ecs": {
+ "version": "1.8.0"
+ },
+ "winlog": {
+ "channel": "Security",
+ "event_id": 4689,
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": 7542,
+ "computer_name": "vagrant",
+ "keywords": [
+ "Audit Success"
+ ],
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "outcome": "success",
+ "level": "information",
+ "event_data": {
+ "ProcessName": "C:\\Windows\\System32\\taskhostw.exe",
+ "SubjectUserSid": "S-1-5-21-1610636575-2290000098-1654242922-1000",
+ "SubjectUserName": "vagrant",
+ "SubjectDomainName": "VAGRANT",
+ "SubjectLogonId": "0x274f1",
+ "Status": "0x0",
+ "ProcessId": "0xf94"
+ },
+ "process": {
+ "pid": 4,
+ "thread": {
+ "id": 500
+ }
+ },
+ "opcode": "Info",
+ "time_created": "2019-11-14T21:27:46.960Z"
+ },
+ "event": {
+ "code": 4689,
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "outcome": "success",
+ "kind": "event"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4689_Process_Exited.xml"
+ },
+ "level": "information"
+ }
+ },
+ {
+ "@timestamp": "2021-04-15T19:07:58.995Z",
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4689_Process_Exited.xml"
+ },
+ "level": "information"
+ },
+ "ecs": {
+ "version": "1.8.0"
+ },
+ "host": {
+ "name": "vagrant"
+ },
+ "agent": {
+ "type": "filebeat",
+ "version": "8.0.0",
+ "ephemeral_id": "fb28c8e2-a7cd-49c5-8765-83f5037ec4f6",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain"
+ },
+ "winlog": {
+ "keywords": [
+ "Audit Success"
+ ],
+ "level": "information",
+ "channel": "Security",
+ "record_id": 7544,
+ "computer_name": "vagrant",
+ "opcode": "Info",
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "time_created": "2019-11-14T21:28:18.460Z",
+ "outcome": "success",
+ "event_data": {
+ "ProcessName": "C:\\Windows\\System32\\wevtutil.exe",
+ "SubjectUserSid": "S-1-5-21-1610636575-2290000098-1654242922-1000",
+ "SubjectUserName": "vagrant",
+ "SubjectDomainName": "VAGRANT",
+ "SubjectLogonId": "0x274a2",
+ "Status": "0x0",
+ "ProcessId": "0xac8"
+ },
+ "event_id": 4689,
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "process": {
+ "pid": 4,
+ "thread": {
+ "id": 5636
+ }
+ }
+ },
+ "event": {
+ "kind": "event",
+ "code": 4689,
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "outcome": "success"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4689-process-exited.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4689-process-exited.json-expected.json
new file mode 100644
index 000000000..037053f39
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4689-process-exited.json-expected.json
@@ -0,0 +1,247 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2019-11-14T21:26:49.496Z",
+ "agent": {
+ "ephemeral_id": "fb28c8e2-a7cd-49c5-8765-83f5037ec4f6",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "exited-process",
+ "category": [
+ "process"
+ ],
+ "code": "4689",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "end"
+ ]
+ },
+ "host": {
+ "name": "vagrant"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4689_Process_Exited.xml"
+ },
+ "level": "information"
+ },
+ "process": {
+ "executable": "C:\\Windows\\System32\\wevtutil.exe",
+ "name": "wevtutil.exe",
+ "pid": 5412
+ },
+ "related": {
+ "user": [
+ "vagrant"
+ ]
+ },
+ "user": {
+ "domain": "VAGRANT",
+ "id": "S-1-5-21-1610636575-2290000098-1654242922-1000",
+ "name": "vagrant"
+ },
+ "winlog": {
+ "channel": "Security",
+ "computer_name": "vagrant",
+ "event_data": {
+ "Status": "0x0",
+ "SubjectDomainName": "VAGRANT",
+ "SubjectLogonId": "0x274a2",
+ "SubjectUserName": "vagrant",
+ "SubjectUserSid": "S-1-5-21-1610636575-2290000098-1654242922-1000"
+ },
+ "event_id": "4689",
+ "keywords": [
+ "Audit Success"
+ ],
+ "level": "information",
+ "logon": {
+ "id": "0x274a2"
+ },
+ "opcode": "Info",
+ "outcome": "success",
+ "process": {
+ "pid": 4,
+ "thread": {
+ "id": 1168
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "7538",
+ "time_created": "2019-11-14T21:26:49.496Z"
+ }
+ },
+ {
+ "@timestamp": "2019-11-14T21:27:46.960Z",
+ "agent": {
+ "ephemeral_id": "fb28c8e2-a7cd-49c5-8765-83f5037ec4f6",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "exited-process",
+ "category": [
+ "process"
+ ],
+ "code": "4689",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "end"
+ ]
+ },
+ "host": {
+ "name": "vagrant"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4689_Process_Exited.xml"
+ },
+ "level": "information"
+ },
+ "process": {
+ "executable": "C:\\Windows\\System32\\taskhostw.exe",
+ "name": "taskhostw.exe",
+ "pid": 3988
+ },
+ "related": {
+ "user": [
+ "vagrant"
+ ]
+ },
+ "user": {
+ "domain": "VAGRANT",
+ "id": "S-1-5-21-1610636575-2290000098-1654242922-1000",
+ "name": "vagrant"
+ },
+ "winlog": {
+ "channel": "Security",
+ "computer_name": "vagrant",
+ "event_data": {
+ "Status": "0x0",
+ "SubjectDomainName": "VAGRANT",
+ "SubjectLogonId": "0x274f1",
+ "SubjectUserName": "vagrant",
+ "SubjectUserSid": "S-1-5-21-1610636575-2290000098-1654242922-1000"
+ },
+ "event_id": "4689",
+ "keywords": [
+ "Audit Success"
+ ],
+ "level": "information",
+ "logon": {
+ "id": "0x274f1"
+ },
+ "opcode": "Info",
+ "outcome": "success",
+ "process": {
+ "pid": 4,
+ "thread": {
+ "id": 500
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "7542",
+ "time_created": "2019-11-14T21:27:46.960Z"
+ }
+ },
+ {
+ "@timestamp": "2019-11-14T21:28:18.460Z",
+ "agent": {
+ "ephemeral_id": "fb28c8e2-a7cd-49c5-8765-83f5037ec4f6",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "exited-process",
+ "category": [
+ "process"
+ ],
+ "code": "4689",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "end"
+ ]
+ },
+ "host": {
+ "name": "vagrant"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4689_Process_Exited.xml"
+ },
+ "level": "information"
+ },
+ "process": {
+ "executable": "C:\\Windows\\System32\\wevtutil.exe",
+ "name": "wevtutil.exe",
+ "pid": 2760
+ },
+ "related": {
+ "user": [
+ "vagrant"
+ ]
+ },
+ "user": {
+ "domain": "VAGRANT",
+ "id": "S-1-5-21-1610636575-2290000098-1654242922-1000",
+ "name": "vagrant"
+ },
+ "winlog": {
+ "channel": "Security",
+ "computer_name": "vagrant",
+ "event_data": {
+ "Status": "0x0",
+ "SubjectDomainName": "VAGRANT",
+ "SubjectLogonId": "0x274a2",
+ "SubjectUserName": "vagrant",
+ "SubjectUserSid": "S-1-5-21-1610636575-2290000098-1654242922-1000"
+ },
+ "event_id": "4689",
+ "keywords": [
+ "Audit Success"
+ ],
+ "level": "information",
+ "logon": {
+ "id": "0x274a2"
+ },
+ "opcode": "Info",
+ "outcome": "success",
+ "process": {
+ "pid": 4,
+ "thread": {
+ "id": 5636
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "7544",
+ "time_created": "2019-11-14T21:28:18.460Z"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-unknown.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-unknown.json
new file mode 100644
index 000000000..5f9005013
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-unknown.json
@@ -0,0 +1,28 @@
+{
+ "events": [
+ {
+ "@timestamp": "2021-04-15T19:07:13.883Z",
+ "winlog": {
+ "keywords": [
+ "Unknown Event ID"
+ ],
+ "time_created": "2019-11-07T10:37:04.226Z",
+ "outcome": "success",
+ "level": "information",
+ "channel": "Security",
+ "event_id": 65536,
+ "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
+ "opcode": "Info",
+ "provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}",
+ "provider_name": "Microsoft-Windows-Eventlog",
+ "record_id": 65536
+ },
+ "event": {
+ "code": 65536,
+ "provider": "Microsoft-Windows-Eventlog",
+ "outcome": "success",
+ "kind": "event"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-unknown.json-expected.json b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-unknown.json-expected.json
new file mode 100644
index 000000000..bc2f80493
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/pipeline/test-unknown.json-expected.json
@@ -0,0 +1,34 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2019-11-07T10:37:04.226Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "code": "65536",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Eventlog"
+ },
+ "log": {
+ "level": "information"
+ },
+ "winlog": {
+ "channel": "Security",
+ "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
+ "event_id": "65536",
+ "keywords": [
+ "Unknown Event ID"
+ ],
+ "level": "information",
+ "opcode": "Info",
+ "outcome": "success",
+ "provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}",
+ "provider_name": "Microsoft-Windows-Eventlog",
+ "record_id": "65536",
+ "time_created": "2019-11-07T10:37:04.226Z"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/security/_dev/test/system/test-default-config.yml b/test/packages/parallel/system/data_stream/security/_dev/test/system/test-default-config.yml
new file mode 100644
index 000000000..53e0095b6
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/_dev/test/system/test-default-config.yml
@@ -0,0 +1,11 @@
+input: httpjson
+service: security
+service_notify_signal: SIGHUP
+vars:
+ url: http://{{Hostname}}:{{Port}}/api/v1/logs
+ username: test
+ password: test
+ preserve_original_event: true
+ enable_request_tracer: true
+data_stream:
+ vars: ~
diff --git a/test/packages/parallel/system/data_stream/security/agent/stream/httpjson.yml.hbs b/test/packages/parallel/system/data_stream/security/agent/stream/httpjson.yml.hbs
new file mode 100644
index 000000000..7423be6f1
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,97 @@
+config_version: "2"
+interval: {{interval}}
+{{#if enable_request_tracer}}
+request.tracer.filename: "../../logs/httpjson/http-request-trace-*.ndjson"
+{{/if}}
+{{#unless token}}
+{{#if username}}
+{{#if password}}
+auth.basic.user: {{username}}
+auth.basic.password: {{password}}
+{{/if}}
+{{/if}}
+{{/unless}}
+cursor:
+ index_earliest:
+ value: '[[.last_event.result.max_indextime]]'
+request.url: {{url}}/services/search/jobs/export
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+request.method: POST
+request.transforms:
+ - set:
+ target: url.params.search
+ value: |-
+ {{search}} | streamstats max(_indextime) AS max_indextime
+ - set:
+ target: url.params.output_mode
+ value: "json"
+ - set:
+ target: url.params.index_earliest
+ value: '[[ .cursor.index_earliest ]]'
+ default: '[[(now (parseDuration "-{{interval}}")).Unix]]'
+ - set:
+ target: url.params.index_latest
+ value: '[[(now).Unix]]'
+ - set:
+ target: header.Content-Type
+ value: application/x-www-form-urlencoded
+{{#unless username}}
+{{#unless password}}
+{{#if token}}
+ - set:
+ target: header.Authorization
+ value: {{token}}
+{{/if}}
+{{/unless}}
+{{/unless}}
+response.decode_as: application/x-ndjson
+tags:
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+ - decode_json_fields:
+ fields: message
+ target: json
+ add_error_key: true
+ - drop_event:
+ when:
+ not:
+ has_fields: ['json.result']
+ - fingerprint:
+ fields:
+ - json.result._cd
+ - json.result._indextime
+ - json.result._raw
+ - json.result._time
+ - json.result.host
+ - json.result.source
+ target_field: "@metadata._id"
+ - drop_fields:
+ fields: message
+ - rename:
+ fields:
+ - from: json.result._raw
+ to: event.original
+ - from: json.result.host
+ to: host.name
+ - from: json.result.source
+ to: event.provider
+ ignore_missing: true
+ fail_on_error: false
+ - drop_fields:
+ fields: json
+ - decode_xml_wineventlog:
+ field: event.original
+ target_field: winlog
+ ignore_missing: true
+ ignore_failure: true
+ map_ecs_fields: true
diff --git a/test/packages/parallel/system/data_stream/security/agent/stream/winlog.yml.hbs b/test/packages/parallel/system/data_stream/security/agent/stream/winlog.yml.hbs
new file mode 100644
index 000000000..0b2f99c8e
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/agent/stream/winlog.yml.hbs
@@ -0,0 +1,24 @@
+name: Security
+condition: ${host.platform} == 'windows'
+{{#if event_id}}
+event_id: {{event_id}}
+{{/if}}
+{{#if ignore_older}}
+ignore_older: {{ignore_older}}
+{{/if}}
+{{#if language}}
+language: {{language}}
+{{/if}}
+{{#if tags.length}}
+tags:
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{/if}}
+{{#if preserve_original_event}}
+include_xml: true
+{{/if}}
+{{#if processors.length}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/test/packages/parallel/system/data_stream/security/elasticsearch/ingest_pipeline/default.yml b/test/packages/parallel/system/data_stream/security/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 000000000..7d6cf336f
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,81 @@
+---
+description: Pipeline for Security events
+processors:
+ - convert:
+ field: event.code
+ type: string
+ ignore_missing: true
+ - pipeline:
+ name: '{{ IngestPipeline "standard" }}'
+ if: 'ctx?.winlog?.provider_name != null && ["Microsoft-Windows-Eventlog", "Microsoft-Windows-Security-Auditing"].contains(ctx.winlog.provider_name)'
+ - gsub:
+ field: source.ip
+ pattern: "::ffff:"
+ replacement: ""
+ ignore_missing: true
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - append:
+ field: related.ip
+ value: '{{source.ip}}'
+ allow_duplicates: false
+ if: |-
+ ctx?.source?.ip != null &&
+ ctx.source.ip != "-"
+ - convert:
+ field: winlog.record_id
+ type: string
+ ignore_missing: true
+ - convert:
+ field: winlog.event_id
+ type: string
+ ignore_missing: true
+ - set:
+ field: ecs.version
+ value: '8.0.0'
+ - set:
+ field: log.level
+ copy_from: winlog.level
+ ignore_empty_value: true
+ ignore_failure: true
+ if: ctx?.winlog?.level != ""
+ - date:
+ field: winlog.time_created
+ tag: "time_created_date"
+ formats:
+ - ISO8601
+ if: ctx.winlog?.time_created != null
+ on_failure:
+ - remove:
+ field: winlog.time_created
+ ignore_failure: true
+ - append:
+ field: error.message
+ value: "fail-{{{ _ingest.on_failure_processor_tag }}}"
+ - fail:
+ message: "Processor {{ _ingest.on_failure_processor_type }} with tag {{ _ingest.on_failure_processor_tag }} in pipeline {{ _ingest.on_failure_pipeline }} failed with message: {{ _ingest.on_failure_message }}"
+on_failure:
+ - set:
+ field: event.kind
+ value: pipeline_error
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/test/packages/parallel/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml b/test/packages/parallel/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml
new file mode 100644
index 000000000..12da0566c
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml
@@ -0,0 +1,3461 @@
+---
+description: Pipeline for Windows Security events
+processors:
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Set ECS categorization fields
+ description: Set ECS categorization fields
+ params:
+ "1100":
+ category:
+ - process
+ type:
+ - end
+ action: logging-service-shutdown
+ "1102":
+ category:
+ - iam
+ type:
+ - admin
+ - change
+ action: audit-log-cleared
+ "1104":
+ category:
+ - iam
+ type:
+ - admin
+ action: logging-full
+ "1105":
+ category:
+ - iam
+ type:
+ - admin
+ action: auditlog-archieved
+ "1108":
+ category:
+ - iam
+ type:
+ - admin
+ action: logging-processing-error
+ "4610":
+ category:
+ - configuration
+ type:
+ - access
+ action: authentication-package-loaded
+ "4611":
+ category:
+ - configuration
+ type:
+ - change
+ action: trusted-logon-process-registered
+ "4614":
+ category:
+ - configuration
+ type:
+ - access
+ action: notification-package-loaded
+ "4616":
+ category:
+ - configuration
+ type:
+ - change
+ action: system-time-changed
+ "4622":
+ category:
+ - configuration
+ type:
+ - access
+ action: security-package-loaded
+ "4624":
+ category:
+ - authentication
+ type:
+ - start
+ action: logged-in
+ "4625":
+ category:
+ - authentication
+ type:
+ - start
+ action: logon-failed
+ "4634":
+ category:
+ - authentication
+ type:
+ - end
+ action: logged-out
+ "4647":
+ category:
+ - authentication
+ type:
+ - end
+ action: logged-out
+ "4648":
+ category:
+ - authentication
+ type:
+ - start
+ action: logged-in-explicit
+ "4657":
+ category:
+ - registry
+ - configuration
+ type:
+ - change
+ action: registry-value-modified
+ "4670":
+ category:
+ - iam
+ - configuration
+ type:
+ - admin
+ - change
+ action: permissions-changed
+ "4672":
+ category:
+ - iam
+ type:
+ - admin
+ action: logged-in-special
+ "4673":
+ category:
+ - iam
+ type:
+ - admin
+ action: privileged-service-called
+ "4674":
+ category:
+ - iam
+ type:
+ - admin
+ action: privileged-operation
+ "4688":
+ category:
+ - process
+ type:
+ - start
+ action: created-process
+ "4689":
+ category:
+ - process
+ type:
+ - end
+ action: exited-process
+ "4697":
+ category:
+ - iam
+ - configuration
+ type:
+ - admin
+ - change
+ action: service-installed
+ "4698":
+ category:
+ - iam
+ - configuration
+ type:
+ - creation
+ - admin
+ action: scheduled-task-created
+ "4699":
+ category:
+ - iam
+ - configuration
+ type:
+ - deletion
+ - admin
+ action: scheduled-task-deleted
+ "4700":
+ category:
+ - iam
+ - configuration
+ type:
+ - change
+ - admin
+ action: scheduled-task-enabled
+ "4701":
+ category:
+ - iam
+ - configuration
+ type:
+ - change
+ - admin
+ action: scheduled-task-disabled
+ "4702":
+ category:
+ - iam
+ - configuration
+ type:
+ - change
+ - admin
+ action: scheduled-task-updated
+ "4706":
+ category:
+ - configuration
+ type:
+ - creation
+ action: domain-trust-added
+ "4707":
+ category:
+ - configuration
+ type:
+ - deletion
+ action: domain-trust-removed
+ "4713":
+ category:
+ - configuration
+ type:
+ - change
+ action: kerberos-policy-changed
+ "4714":
+ category:
+ - configuration
+ type:
+ - change
+ action: encrypted-data-recovery-policy-changed
+ "4715":
+ category:
+ - configuration
+ type:
+ - change
+ action: object-audit-policy-changed
+ "4716":
+ category:
+ - configuration
+ type:
+ - change
+ action: trusted-domain-information-changed
+ "4717":
+ category:
+ - iam
+ - configuration
+ type:
+ - admin
+ - change
+ action: system-security-access-granted
+ "4718":
+ category:
+ - iam
+ - configuration
+ type:
+ - admin
+ - deletion
+ action: system-security-access-removed
+ "4719":
+ category:
+ - iam
+ - configuration
+ type:
+ - admin
+ - change
+ action: changed-audit-config
+ "4720":
+ category:
+ - iam
+ type:
+ - user
+ - creation
+ action: added-user-account
+ "4722":
+ category:
+ - iam
+ type:
+ - user
+ - change
+ action: enabled-user-account
+ "4723":
+ category:
+ - iam
+ type:
+ - user
+ - change
+ action: changed-password
+ "4724":
+ category:
+ - iam
+ type:
+ - user
+ - change
+ action: reset-password
+ "4725":
+ category:
+ - iam
+ type:
+ - user
+ - deletion
+ action: disabled-user-account
+ "4726":
+ category:
+ - iam
+ type:
+ - user
+ - deletion
+ action: deleted-user-account
+ "4727":
+ category:
+ - iam
+ type:
+ - group
+ - creation
+ action: added-group-account
+ "4728":
+ category:
+ - iam
+ type:
+ - group
+ - change
+ action: added-member-to-group
+ "4729":
+ category:
+ - iam
+ type:
+ - group
+ - change
+ action: removed-member-from-group
+ "4730":
+ category:
+ - iam
+ type:
+ - group
+ - deletion
+ action: deleted-group-account
+ "4731":
+ category:
+ - iam
+ type:
+ - group
+ - creation
+ action: added-group-account
+ "4732":
+ category:
+ - iam
+ type:
+ - group
+ - change
+ action: added-member-to-group
+ "4733":
+ category:
+ - iam
+ type:
+ - group
+ - change
+ action: removed-member-from-group
+ "4734":
+ category:
+ - iam
+ type:
+ - group
+ - deletion
+ action: deleted-group-account
+ "4735":
+ category:
+ - iam
+ type:
+ - group
+ - change
+ action: modified-group-account
+ "4737":
+ category:
+ - iam
+ type:
+ - group
+ - change
+ action: modified-group-account
+ "4738":
+ category:
+ - iam
+ type:
+ - user
+ - change
+ action: modified-user-account
+ "4739":
+ category:
+ - configuration
+ type:
+ - change
+ action: domain-policy-changed
+ "4740":
+ category:
+ - iam
+ type:
+ - user
+ - change
+ action: locked-out-user-account
+ "4741":
+ category:
+ - iam
+ type:
+ - creation
+ - admin
+ action: added-computer-account
+ "4742":
+ category:
+ - iam
+ type:
+ - change
+ - admin
+ action: changed-computer-account
+ "4743":
+ category:
+ - iam
+ type:
+ - deletion
+ - admin
+ action: deleted-computer-account
+ "4744":
+ category:
+ - iam
+ type:
+ - group
+ - creation
+ action: added-distribution-group-account
+ "4745":
+ category:
+ - iam
+ type:
+ - group
+ - change
+ action: changed-distribution-group-account
+ "4746":
+ category:
+ - iam
+ type:
+ - group
+ - change
+ action: added-member-to-distribution-group
+ "4747":
+ category:
+ - iam
+ type:
+ - group
+ - change
+ action: removed-member-from-distribution-group
+ "4748":
+ category:
+ - iam
+ type:
+ - group
+ - deletion
+ action: deleted-distribution-group-account
+ "4749":
+ category:
+ - iam
+ type:
+ - group
+ - creation
+ action: added-distribution-group-account
+ "4750":
+ category:
+ - iam
+ type:
+ - group
+ - change
+ action: changed-distribution-group-account
+ "4751":
+ category:
+ - iam
+ type:
+ - group
+ - change
+ action: added-member-to-distribution-group
+ "4752":
+ category:
+ - iam
+ type:
+ - group
+ - change
+ action: removed-member-from-distribution-group
+ "4753":
+ category:
+ - iam
+ type:
+ - group
+ - deletion
+ action: deleted-distribution-group-account
+ "4754":
+ category:
+ - iam
+ type:
+ - group
+ - creation
+ action: added-group-account
+ "4755":
+ category:
+ - iam
+ type:
+ - group
+ - change
+ action: modified-group-account
+ "4756":
+ category:
+ - iam
+ type:
+ - group
+ - change
+ action: added-member-to-group
+ "4757":
+ category:
+ - iam
+ type:
+ - group
+ - change
+ action: removed-member-from-group
+ "4758":
+ category:
+ - iam
+ type:
+ - group
+ - deletion
+ action: deleted-group-account
+ "4759":
+ category:
+ - iam
+ type:
+ - group
+ - creation
+ action: added-distribution-group-account
+ "4760":
+ category:
+ - iam
+ type:
+ - group
+ - change
+ action: changed-distribution-group-account
+ "4761":
+ category:
+ - iam
+ type:
+ - group
+ - change
+ action: added-member-to-distribution-group
+ "4762":
+ category:
+ - iam
+ type:
+ - group
+ - change
+ action: removed-member-from-distribution-group
+ "4763":
+ category:
+ - iam
+ type:
+ - group
+ - deletion
+ action: deleted-distribution-group-account
+ "4764":
+ category:
+ - iam
+ type:
+ - group
+ - change
+ action: type-changed-group-account
+ "4767":
+ category:
+ - iam
+ type:
+ - user
+ - change
+ action: unlocked-user-account
+ "4768":
+ category:
+ - authentication
+ type:
+ - start
+ action: kerberos-authentication-ticket-requested
+ "4769":
+ category:
+ - authentication
+ type:
+ - start
+ action: kerberos-service-ticket-requested
+ "4770":
+ category:
+ - authentication
+ type:
+ - start
+ action: kerberos-service-ticket-renewed
+ "4771":
+ category:
+ - authentication
+ type:
+ - start
+ action: kerberos-preauth-failed
+ "4776":
+ category:
+ - authentication
+ type:
+ - start
+ action: credential-validated
+ "4778":
+ category:
+ - authentication
+ - session
+ type:
+ - start
+ action: session-reconnected
+ "4779":
+ category:
+ - authentication
+ - session
+ type:
+ - end
+ action: session-disconnected
+ "4781":
+ category:
+ - iam
+ type:
+ - user
+ - change
+ action: renamed-user-account
+ "4797":
+ category:
+ - iam
+ type:
+ - user
+ - info
+ action: query-existence-of-blank-password
+ "4798":
+ category:
+ - iam
+ type:
+ - user
+ - info
+ action: group-membership-enumerated
+ "4799":
+ category:
+ - iam
+ type:
+ - group
+ - info
+ action: user-member-enumerated
+ "4817":
+ category:
+ - iam
+ - configuration
+ type:
+ - admin
+ - change
+ action: object-audit-changed
+ "4902":
+ category:
+ - iam
+ - configuration
+ type:
+ - admin
+ - creation
+ action: user-audit-policy-created
+ "4904":
+ category:
+ - iam
+ - configuration
+ type:
+ - admin
+ - change
+ action: security-event-source-added
+ "4905":
+ category:
+ - iam
+ - configuration
+ type:
+ - admin
+ - deletion
+ action: security-event-source-removed
+ "4906":
+ category:
+ - iam
+ - configuration
+ type:
+ - admin
+ - change
+ action: crash-on-audit-changed
+ "4907":
+ category:
+ - iam
+ - configuration
+ type:
+ - admin
+ - change
+ action: audit-setting-changed
+ "4908":
+ category:
+ - iam
+ - configuration
+ type:
+ - admin
+ - change
+ action: special-group-table-changed
+ "4912":
+ category:
+ - iam
+ - configuration
+ type:
+ - admin
+ - change
+ action: per-user-audit-policy-changed
+ "4950":
+ category:
+ - configuration
+ type:
+ - change
+ action: windows-firewall-setting-changed
+ "4954":
+ category:
+ - configuration
+ type:
+ - change
+ action: windows-firewall-group-policy-changed
+ "4964":
+ category:
+ - iam
+ type:
+ - admin
+ - group
+ action: logged-in-special
+ "5024":
+ category:
+ - process
+ type:
+ - start
+ action: windows-firewall-service-started
+ "5025":
+ category:
+ - process
+ type:
+ - end
+ action: windows-firewall-service-stopped
+ "5033":
+ category:
+ - driver
+ type:
+ - start
+ action: windows-firewall-driver-started
+ "5034":
+ category:
+ - driver
+ type:
+ - end
+ action: windows-firewall-driver-stopped
+ "5037":
+ category:
+ - driver
+ type:
+ - end
+ action: windows-firewall-driver-error
+ "5379":
+ category:
+ - iam
+ type:
+ - user
+ - info
+ action: credential-manager-credentials-were-read
+ "5380":
+ category:
+ - iam
+ type:
+ - user
+ - info
+ action: vault-credential-find
+ "5381":
+ category:
+ - iam
+ type:
+ - user
+ - info
+ action: vault-credentials-were-read
+ "5382":
+ category:
+ - iam
+ type:
+ - user
+ - info
+ action: vault-credentials-were-read
+ "5140":
+ category:
+ - network
+ - file
+ type:
+ - info
+ - access
+ action: network-share-object-accessed
+ "5145":
+ category:
+ - network
+ - file
+ type:
+ - info
+ - access
+ action: network-share-object-access-checked
+ source: |-
+ if (ctx?.event?.code == null || params.get(ctx.event.code) == null) {
+ return;
+ }
+ def hm = new HashMap(params.get(ctx.event.code));
+ hm.forEach((k, v) -> ctx.event[k] = v);
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Set Logon Type
+ description: Set Logon Type
+# Logon Types
+# https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events
+ params:
+ "2": Interactive
+ "3": Network
+ "4": Batch
+ "5": Service
+ "7": Unlock
+ "8": NetworkCleartext
+ "9": NewCredentials
+ "10": RemoteInteractive
+ "11": CachedInteractive
+ source: |-
+ if (ctx?.winlog?.event_data?.LogonType == null) {
+ return;
+ }
+ def t = params.get(ctx.winlog.event_data.LogonType);
+ if (t == null) {
+ return;
+ }
+ if (ctx?.winlog?.logon == null ) {
+ Map map = new HashMap();
+ ctx.winlog.put("logon", map);
+ }
+ ctx.winlog.logon.put("type", t)
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Set User Account Control
+ description: Set User Account Control
+ # User Account Control Attributes Table
+ # https://support.microsoft.com/es-us/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties
+ params:
+ "0x00000001": SCRIPT
+ "0x00000002": ACCOUNTDISABLE
+ "0x00000008": HOMEDIR_REQUIRED
+ "0x00000010": LOCKOUT
+ "0x00000020": PASSWD_NOTREQD
+ "0x00000040": PASSWD_CANT_CHANGE
+ "0x00000080": ENCRYPTED_TEXT_PWD_ALLOWED
+ "0x00000100": TEMP_DUPLICATE_ACCOUNT
+ "0x00000200": NORMAL_ACCOUNT
+ "0x00000800": INTERDOMAIN_TRUST_ACCOUNT
+ "0x00001000": WORKSTATION_TRUST_ACCOUNT
+ "0x00002000": SERVER_TRUST_ACCOUNT
+ "0x00010000": DONT_EXPIRE_PASSWORD
+ "0x00020000": MNS_LOGON_ACCOUNT
+ "0x00040000": SMARTCARD_REQUIRED
+ "0x00080000": TRUSTED_FOR_DELEGATION
+ "0x00100000": NOT_DELEGATED
+ "0x00200000": USE_DES_KEY_ONLY
+ "0x00400000": DONT_REQ_PREAUTH
+ "0x00800000": PASSWORD_EXPIRED
+ "0x01000000": TRUSTED_TO_AUTH_FOR_DELEGATION
+ "0x04000000": PARTIAL_SECRETS_ACCOUNT
+ source: |-
+ if (ctx.winlog?.event_data == null) {
+ return;
+ }
+ if (ctx.winlog.event_data.NewUacValue == null || ctx.winlog.event_data.NewUacValue == "-") {
+ return;
+ }
+ Long newUacValue = Long.decode(ctx.winlog.event_data.NewUacValue);
+ ArrayList uacResult = new ArrayList();
+ for (entry in params.entrySet()) {
+ Long flag = Long.decode(entry.getKey());
+ if ((newUacValue.longValue() & flag.longValue()) == flag.longValue()) {
+ uacResult.add(entry.getValue());
+ }
+ }
+ if (uacResult.length == 0) {
+ return;
+ }
+ ctx.winlog.event_data.put("NewUACList", uacResult);
+ if (ctx.winlog.event_data.UserAccountControl == null || ctx.winlog.event_data.UserAccountControl == "-") {
+ return;
+ }
+ ArrayList uac_array = new ArrayList();
+ for (elem in ctx.winlog.event_data.UserAccountControl.splitOnToken("%%")) {
+ if (elem.trim().length() > 0) {
+ uac_array.add(elem.trim());
+ }
+ }
+ ctx.winlog.event_data.UserAccountControl = uac_array;
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Set Kerberos Ticket Options
+ description: Set Kerberos Ticket Options
+# Kerberos TGT and TGS Ticket Options
+# https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
+# https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769
+ params:
+ "0x40000000": Forwardable
+ "0x20000000": Forwarded
+ "0x10000000": Proxiable
+ "0x08000000": Proxy
+ "0x04000000": Allow-postdate
+ "0x02000000": Postdated
+ "0x01000000": Invalid
+ "0x00800000": Renewable
+ "0x00400000": Initial
+ "0x00200000": Pre-authent
+ "0x00100000": Opt-hardware-auth
+ "0x00080000": Transited-policy-checked
+ "0x00040000": Ok-as-delegate
+ "0x00020000": Request-anonymous
+ "0x00010000": Name-canonicalize
+ "0x00000020": Disable-transited-check
+ "0x00000010": Renewable-ok
+ "0x00000008": Enc-tkt-in-skey
+ "0x00000002": Renew
+ "0x00000001": Validate
+ source: |-
+ if (ctx?.winlog?.event_data?.TicketOptions == null) {
+ return;
+ }
+ Long tOpts = Long.decode(ctx.winlog.event_data.TicketOptions);
+ ArrayList tDescs = new ArrayList();
+ for (entry in params.entrySet()) {
+ Long flag = Long.decode(entry.getKey());
+ if ((tOpts.longValue() & flag.longValue()) == flag.longValue()) {
+ tDescs.add(entry.getValue());
+ }
+ }
+ if (tDescs.length == 0) {
+ return;
+ }
+ ctx.winlog.event_data.put("TicketOptionsDescription", tDescs);
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Set Kerberos Encryption Types
+ description: Set Kerberos Encryption Types
+ # Kerberos Encryption Types
+ # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
+ # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
+ params:
+ "0x1": DES-CBC-CRC
+ "0x3": DES-CBC-MD5
+ "0x11": AES128-CTS-HMAC-SHA1-96
+ "0x12": AES256-CTS-HMAC-SHA1-96
+ "0x17": RC4-HMAC
+ "0x18": RC4-HMAC-EXP
+ "0xffffffff": FAIL
+ source: |-
+ if (ctx?.winlog?.event_data?.TicketEncryptionType == null) {
+ return;
+ }
+ ctx.winlog.event_data.put("TicketEncryptionTypeDescription",
+ params[ctx.winlog.event_data.TicketEncryptionType.toLowerCase()])
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Set Kerberos Ticket Status Codes
+ # Kerberos Result Status Codes
+ # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
+ # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
+ description: Set Kerberos Ticket Status Codes
+ params:
+ "0x0": KDC_ERR_NONE
+ "0x1": KDC_ERR_NAME_EXP
+ "0x2": KDC_ERR_SERVICE_EXP
+ "0x3": KDC_ERR_BAD_PVNO
+ "0x4": KDC_ERR_C_OLD_MAST_KVNO
+ "0x5": KDC_ERR_S_OLD_MAST_KVNO
+ "0x6": KDC_ERR_C_PRINCIPAL_UNKNOWN
+ "0x7": KDC_ERR_S_PRINCIPAL_UNKNOWN
+ "0x8": KDC_ERR_PRINCIPAL_NOT_UNIQUE
+ "0x9": KDC_ERR_NULL_KEY
+ "0xA": KDC_ERR_CANNOT_POSTDATE
+ "0xB": KDC_ERR_NEVER_VALID
+ "0xC": KDC_ERR_POLICY
+ "0xD": KDC_ERR_BADOPTION
+ "0xE": KDC_ERR_ETYPE_NOTSUPP
+ "0xF": KDC_ERR_SUMTYPE_NOSUPP
+ "0x10": KDC_ERR_PADATA_TYPE_NOSUPP
+ "0x11": KDC_ERR_TRTYPE_NO_SUPP
+ "0x12": KDC_ERR_CLIENT_REVOKED
+ "0x13": KDC_ERR_SERVICE_REVOKED
+ "0x14": KDC_ERR_TGT_REVOKED
+ "0x15": KDC_ERR_CLIENT_NOTYET
+ "0x16": KDC_ERR_SERVICE_NOTYET
+ "0x17": KDC_ERR_KEY_EXPIRED
+ "0x18": KDC_ERR_PREAUTH_FAILED
+ "0x19": KDC_ERR_PREAUTH_REQUIRED
+ "0x1A": KDC_ERR_SERVER_NOMATCH
+ "0x1B": KDC_ERR_MUST_USE_USER2USER
+ "0x1F": KRB_AP_ERR_BAD_INTEGRITY
+ "0x20": KRB_AP_ERR_TKT_EXPIRED
+ "0x21": KRB_AP_ERR_TKT_NYV
+ "0x22": KRB_AP_ERR_REPEAT
+ "0x23": KRB_AP_ERR_NOT_US
+ "0x24": KRB_AP_ERR_BADMATCH
+ "0x25": KRB_AP_ERR_SKEW
+ "0x26": KRB_AP_ERR_BADADDR
+ "0x27": KRB_AP_ERR_BADVERSION
+ "0x28": KRB_AP_ERR_MSG_TYPE
+ "0x29": KRB_AP_ERR_MODIFIED
+ "0x2A": KRB_AP_ERR_BADORDER
+ "0x2C": KRB_AP_ERR_BADKEYVER
+ "0x2D": KRB_AP_ERR_NOKEY
+ "0x2E": KRB_AP_ERR_MUT_FAIL
+ "0x2F": KRB_AP_ERR_BADDIRECTION
+ "0x30": KRB_AP_ERR_METHOD
+ "0x31": KRB_AP_ERR_BADSEQ
+ "0x32": KRB_AP_ERR_INAPP_CKSUM
+ "0x33": KRB_AP_PATH_NOT_ACCEPTED
+ "0x34": KRB_ERR_RESPONSE_TOO_BIG
+ "0x3C": KRB_ERR_GENERIC
+ "0x3D": KRB_ERR_FIELD_TOOLONG
+ "0x3E": KDC_ERR_CLIENT_NOT_TRUSTED
+ "0x3F": KDC_ERR_KDC_NOT_TRUSTED
+ "0x40": KDC_ERR_INVALID_SIG
+ "0x41": KDC_ERR_KEY_TOO_WEAK
+ "0x42": KRB_AP_ERR_USER_TO_USER_REQUIRED
+ "0x43": KRB_AP_ERR_NO_TGT
+ "0x44": KDC_ERR_WRONG_REALM
+ source: |-
+ if (ctx?.winlog?.event_data?.Status == null ||
+ ctx?.event?.code == null ||
+ !["4768", "4769", "4770", "4771"].contains(ctx.event.code)) {
+ return;
+ }
+ ctx.winlog.event_data.put("StatusDescription", params[ctx.winlog.event_data.Status]);
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Set Service Type and Name
+ description: Set Service Type and Name
+ # Services Types
+ # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697
+ params:
+ "0x1": Kernel Driver
+ "0x2": File System Driver
+ "0x8": Recognizer Driver
+ "0x10": Win32 Own Process
+ "0x20": Win32 Share Process
+ "0x110": Interactive Own Process
+ "0x120": Interactive Share Process
+ source: |-
+ if (ctx?.winlog?.event_data?.ServiceName != null) {
+ if (ctx?.service == null) {
+ HashMap hm = new HashMap();
+ ctx.put("service", hm);
+ }
+ ctx.service.put("name", ctx.winlog.event_data.ServiceName);
+ }
+ if (ctx?.winlog.event_data?.ServiceType != null) {
+ if (ctx?.service == null) {
+ HashMap hm = new HashMap();
+ ctx.put("service", hm);
+ }
+ ctx.service.put("type", params[ctx.winlog.event_data.ServiceType]);
+ }
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Set Audit Information
+ description: Set Audit Information
+ # Audit Categories Description
+ # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpac/77878370-0712-47cd-997d-b07053429f6d
+ params:
+ "0CCE9210-69AE-11D9-BED3-505054503030": ["Security State Change", "System"]
+ "0CCE9211-69AE-11D9-BED3-505054503030": ["Security System Extension", "System"]
+ "0CCE9212-69AE-11D9-BED3-505054503030": ["System Integrity", "System"]
+ "0CCE9213-69AE-11D9-BED3-505054503030": ["IPsec Driver", "System"]
+ "0CCE9214-69AE-11D9-BED3-505054503030": ["Other System Events", "System"]
+ "0CCE9215-69AE-11D9-BED3-505054503030": ["Logon", "Logon/Logoff"]
+ "0CCE9216-69AE-11D9-BED3-505054503030": ["Logoff","Logon/Logoff"]
+ "0CCE9217-69AE-11D9-BED3-505054503030": ["Account Lockout","Logon/Logoff"]
+ "0CCE9218-69AE-11D9-BED3-505054503030": ["IPsec Main Mode","Logon/Logoff"]
+ "0CCE9219-69AE-11D9-BED3-505054503030": ["IPsec Quick Mode","Logon/Logoff"]
+ "0CCE921A-69AE-11D9-BED3-505054503030": ["IPsec Extended Mode","Logon/Logoff"]
+ "0CCE921B-69AE-11D9-BED3-505054503030": ["Special Logon","Logon/Logoff"]
+ "0CCE921C-69AE-11D9-BED3-505054503030": ["Other Logon/Logoff Events","Logon/Logoff"]
+ "0CCE9243-69AE-11D9-BED3-505054503030": ["Network Policy Server","Logon/Logoff"]
+ "0CCE9247-69AE-11D9-BED3-505054503030": ["User / Device Claims","Logon/Logoff"]
+ "0CCE921D-69AE-11D9-BED3-505054503030": ["File System","Object Access"]
+ "0CCE921E-69AE-11D9-BED3-505054503030": ["Registry","Object Access"]
+ "0CCE921F-69AE-11D9-BED3-505054503030": ["Kernel Object","Object Access"]
+ "0CCE9220-69AE-11D9-BED3-505054503030": ["SAM","Object Access"]
+ "0CCE9221-69AE-11D9-BED3-505054503030": ["Certification Services","Object Access"]
+ "0CCE9222-69AE-11D9-BED3-505054503030": ["Application Generated","Object Access"]
+ "0CCE9223-69AE-11D9-BED3-505054503030": ["Handle Manipulation","Object Access"]
+ "0CCE9224-69AE-11D9-BED3-505054503030": ["File Share","Object Access"]
+ "0CCE9225-69AE-11D9-BED3-505054503030": ["Filtering Platform Packet Drop","Object Access"]
+ "0CCE9226-69AE-11D9-BED3-505054503030": ["Filtering Platform Connection ","Object Access"]
+ "0CCE9227-69AE-11D9-BED3-505054503030": ["Other Object Access Events","Object Access"]
+ "0CCE9244-69AE-11D9-BED3-505054503030": ["Detailed File Share","Object Access"]
+ "0CCE9245-69AE-11D9-BED3-505054503030": ["Removable Storage","Object Access"]
+ "0CCE9246-69AE-11D9-BED3-505054503030": ["Central Policy Staging","Object Access"]
+ "0CCE9228-69AE-11D9-BED3-505054503030": ["Sensitive Privilege Use","Privilege Use"]
+ "0CCE9229-69AE-11D9-BED3-505054503030": ["Non Sensitive Privilege Use","Privilege Use"]
+ "0CCE922A-69AE-11D9-BED3-505054503030": ["Other Privilege Use Events","Privilege Use"]
+ "0CCE922B-69AE-11D9-BED3-505054503030": ["Process Creation","Detailed Tracking"]
+ "0CCE922C-69AE-11D9-BED3-505054503030": ["Process Termination","Detailed Tracking"]
+ "0CCE922D-69AE-11D9-BED3-505054503030": ["DPAPI Activity","Detailed Tracking"]
+ "0CCE922E-69AE-11D9-BED3-505054503030": ["RPC Events","Detailed Tracking"]
+ "0CCE9248-69AE-11D9-BED3-505054503030": ["Plug and Play Events","Detailed Tracking"]
+ "0CCE922F-69AE-11D9-BED3-505054503030": ["Audit Policy Change","Policy Change"]
+ "0CCE9230-69AE-11D9-BED3-505054503030": ["Authentication Policy Change","Policy Change"]
+ "0CCE9231-69AE-11D9-BED3-505054503030": ["Authorization Policy Change","Policy Change"]
+ "0CCE9232-69AE-11D9-BED3-505054503030": ["MPSSVC Rule-Level Policy Change","Policy Change"]
+ "0CCE9233-69AE-11D9-BED3-505054503030": ["Filtering Platform Policy Change","Policy Change"]
+ "0CCE9234-69AE-11D9-BED3-505054503030": ["Other Policy Change Events","Policy Change"]
+ "0CCE9235-69AE-11D9-BED3-505054503030": ["User Account Management","Account Management"]
+ "0CCE9236-69AE-11D9-BED3-505054503030": ["Computer Account Management","Account Management"]
+ "0CCE9237-69AE-11D9-BED3-505054503030": ["Security Group Management","Account Management"]
+ "0CCE9238-69AE-11D9-BED3-505054503030": ["Distribution Group Management","Account Management"]
+ "0CCE9239-69AE-11D9-BED3-505054503030": ["Application Group Management","Account Management"]
+ "0CCE923A-69AE-11D9-BED3-505054503030": ["Other Account Management Events","Account Management"]
+ "0CCE923B-69AE-11D9-BED3-505054503030": ["Directory Service Access","Account Management"]
+ "0CCE923C-69AE-11D9-BED3-505054503030": ["Directory Service Changes","Account Management"]
+ "0CCE923D-69AE-11D9-BED3-505054503030": ["Directory Service Replication","Account Management"]
+ "0CCE923E-69AE-11D9-BED3-505054503030": ["Detailed Directory Service Replication","Account Management"]
+ "0CCE923F-69AE-11D9-BED3-505054503030": ["Credential Validation","Account Logon"]
+ "0CCE9240-69AE-11D9-BED3-505054503030": ["Kerberos Service Ticket Operations","Account Logon"]
+ "0CCE9241-69AE-11D9-BED3-505054503030": ["Other Account Logon Events","Account Logon"]
+ "0CCE9242-69AE-11D9-BED3-505054503030": ["Kerberos Authentication Service","Account Logon"]
+ source: |-
+ if (ctx?.winlog?.event_data?.SubcategoryGuid == null) {
+ return;
+ }
+ def subCatGuid = ctx.winlog.event_data.SubcategoryGuid.replace("{","").replace("}","").toUpperCase();
+ if (!params.containsKey(subCatGuid)) {
+ return;
+ }
+ ctx.winlog.event_data.put("Category", params[subCatGuid][1]);
+ ctx.winlog.event_data.put("SubCategory", params[subCatGuid][0]);
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Decode message table
+ description: Decode message table
+ # Message table extracted from msobjs.dll on Windows 2019.
+ # https://gist.github.com/andrewkroh/665dca0682bd0e4daf194ab291694012
+ # https://docs.microsoft.com/en-us/windows/win32/secauthz/access-rights-and-access-masks
+ # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/7a53f60e-e730-4dfe-bbe9-b21b62eb790b
+ params:
+ descriptions:
+ "279": "Undefined Access (no effect) Bit 7"
+ "1536": "Unused message ID"
+ "1537": "DELETE"
+ "1538": "READ_CONTROL"
+ "1539": "WRITE_DAC"
+ "1540": "WRITE_OWNER"
+ "1541": "SYNCHRONIZE"
+ "1542": "ACCESS_SYS_SEC"
+ "1543": "MAX_ALLOWED"
+ "1552": "Unknown specific access (bit 0)"
+ "1553": "Unknown specific access (bit 1)"
+ "1554": "Unknown specific access (bit 2)"
+ "1555": "Unknown specific access (bit 3)"
+ "1556": "Unknown specific access (bit 4)"
+ "1557": "Unknown specific access (bit 5)"
+ "1558": "Unknown specific access (bit 6)"
+ "1559": "Unknown specific access (bit 7)"
+ "1560": "Unknown specific access (bit 8)"
+ "1561": "Unknown specific access (bit 9)"
+ "1562": "Unknown specific access (bit 10)"
+ "1563": "Unknown specific access (bit 11)"
+ "1564": "Unknown specific access (bit 12)"
+ "1565": "Unknown specific access (bit 13)"
+ "1566": "Unknown specific access (bit 14)"
+ "1567": "Unknown specific access (bit 15)"
+ "1601": "Not used"
+ "1603": "Assign Primary Token Privilege"
+ "1604": "Lock Memory Privilege"
+ "1605": "Increase Memory Quota Privilege"
+ "1606": "Unsolicited Input Privilege"
+ "1607": "Trusted Computer Base Privilege"
+ "1608": "Security Privilege"
+ "1609": "Take Ownership Privilege"
+ "1610": "Load/Unload Driver Privilege"
+ "1611": "Profile System Privilege"
+ "1612": "Set System Time Privilege"
+ "1613": "Profile Single Process Privilege"
+ "1614": "Increment Base Priority Privilege"
+ "1615": "Create Pagefile Privilege"
+ "1616": "Create Permanent Object Privilege"
+ "1617": "Backup Privilege"
+ "1618": "Restore From Backup Privilege"
+ "1619": "Shutdown System Privilege"
+ "1620": "Debug Privilege"
+ "1621": "View or Change Audit Log Privilege"
+ "1622": "Change Hardware Environment Privilege"
+ "1623": "Change Notify (and Traverse) Privilege"
+ "1624": "Remotely Shut System Down Privilege"
+ "1792": ""
+ "1794": ""
+ "1795": "Enabled"
+ "1796": "Disabled"
+ "1797": "All"
+ "1798": "None"
+ "1799": "Audit Policy query/set API Operation"
+ "1800": ""
+ "1801": "Granted by"
+ "1802": "Denied by"
+ "1803": "Denied by Integrity Policy check"
+ "1804": "Granted by Ownership"
+ "1805": "Not granted"
+ "1806": "Granted by NULL DACL"
+ "1807": "Denied by Empty DACL"
+ "1808": "Granted by NULL Security Descriptor"
+ "1809": "Unknown or unchecked"
+ "1810": "Not granted due to missing"
+ "1811": "Granted by ACE on parent folder"
+ "1812": "Denied by ACE on parent folder"
+ "1813": "Granted by Central Access Rule"
+ "1814": "NOT Granted by Central Access Rule"
+ "1815": "Granted by parent folder's Central Access Rule"
+ "1816": "NOT Granted by parent folder's Central Access Rule"
+ "1817": "Unknown Type"
+ "1818": "String"
+ "1819": "Unsigned 64-bit Integer"
+ "1820": "64-bit Integer"
+ "1821": "FQBN"
+ "1822": "Blob"
+ "1823": "Sid"
+ "1824": "Boolean"
+ "1825": "TRUE"
+ "1826": "FALSE"
+ "1827": "Invalid"
+ "1828": "an ACE too long to display"
+ "1829": "a Security Descriptor too long to display"
+ "1830": "Not granted to AppContainers"
+ "1831": "..."
+ "1832": "Identification"
+ "1833": "Impersonation"
+ "1840": "Delegation"
+ "1841": "Denied by Process Trust Label ACE"
+ "1842": "Yes"
+ "1843": "No"
+ "1844": "System"
+ "1845": "Not Available"
+ "1846": "Default"
+ "1847": "DisallowMmConfig"
+ "1848": "Off"
+ "1849": "Auto"
+ "1872": "REG_NONE"
+ "1873": "REG_SZ"
+ "1874": "REG_EXPAND_SZ"
+ "1875": "REG_BINARY"
+ "1876": "REG_DWORD"
+ "1877": "REG_DWORD_BIG_ENDIAN"
+ "1878": "REG_LINK"
+ "1879": "REG_MULTI_SZ (New lines are replaced with *. A * is replaced with **)"
+ "1880": "REG_RESOURCE_LIST"
+ "1881": "REG_FULL_RESOURCE_DESCRIPTOR"
+ "1882": "REG_RESOURCE_REQUIREMENTS_LIST"
+ "1883": "REG_QWORD"
+ "1904": "New registry value created"
+ "1905": "Existing registry value modified"
+ "1906": "Registry value deleted"
+ "1920": "Sunday"
+ "1921": "Monday"
+ "1922": "Tuesday"
+ "1923": "Wednesday"
+ "1924": "Thursday"
+ "1925": "Friday"
+ "1926": "Saturday"
+ "1936": "TokenElevationTypeDefault (1)"
+ "1937": "TokenElevationTypeFull (2)"
+ "1938": "TokenElevationTypeLimited (3)"
+ "2048": "Account Enabled"
+ "2049": "Home Directory Required' - Disabled"
+ "2050": "Password Not Required' - Disabled"
+ "2051": "Temp Duplicate Account' - Disabled"
+ "2052": "Normal Account' - Disabled"
+ "2053": "MNS Logon Account' - Disabled"
+ "2054": "Interdomain Trust Account' - Disabled"
+ "2055": "Workstation Trust Account' - Disabled"
+ "2056": "Server Trust Account' - Disabled"
+ "2057": "Don't Expire Password' - Disabled"
+ "2058": "Account Unlocked"
+ "2059": "Encrypted Text Password Allowed' - Disabled"
+ "2060": "Smartcard Required' - Disabled"
+ "2061": "Trusted For Delegation' - Disabled"
+ "2062": "Not Delegated' - Disabled"
+ "2063": "Use DES Key Only' - Disabled"
+ "2064": "Don't Require Preauth' - Disabled"
+ "2065": "Password Expired' - Disabled"
+ "2066": "Trusted To Authenticate For Delegation' - Disabled"
+ "2067": "Exclude Authorization Information' - Disabled"
+ "2068": "Undefined UserAccountControl Bit 20' - Disabled"
+ "2069": "Protect Kerberos Service Tickets with AES Keys' - Disabled"
+ "2070": "Undefined UserAccountControl Bit 22' - Disabled"
+ "2071": "Undefined UserAccountControl Bit 23' - Disabled"
+ "2072": "Undefined UserAccountControl Bit 24' - Disabled"
+ "2073": "Undefined UserAccountControl Bit 25' - Disabled"
+ "2074": "Undefined UserAccountControl Bit 26' - Disabled"
+ "2075": "Undefined UserAccountControl Bit 27' - Disabled"
+ "2076": "Undefined UserAccountControl Bit 28' - Disabled"
+ "2077": "Undefined UserAccountControl Bit 29' - Disabled"
+ "2078": "Undefined UserAccountControl Bit 30' - Disabled"
+ "2079": "Undefined UserAccountControl Bit 31' - Disabled"
+ "2080": "Account Disabled"
+ "2081": "Home Directory Required' - Enabled"
+ "2082": "Password Not Required' - Enabled"
+ "2083": "Temp Duplicate Account' - Enabled"
+ "2084": "Normal Account' - Enabled"
+ "2085": "MNS Logon Account' - Enabled"
+ "2086": "Interdomain Trust Account' - Enabled"
+ "2087": "Workstation Trust Account' - Enabled"
+ "2088": "Server Trust Account' - Enabled"
+ "2089": "Don't Expire Password' - Enabled"
+ "2090": "Account Locked"
+ "2091": "Encrypted Text Password Allowed' - Enabled"
+ "2092": "Smartcard Required' - Enabled"
+ "2093": "Trusted For Delegation' - Enabled"
+ "2094": "Not Delegated' - Enabled"
+ "2095": "Use DES Key Only' - Enabled"
+ "2096": "Don't Require Preauth' - Enabled"
+ "2097": "Password Expired' - Enabled"
+ "2098": "Trusted To Authenticate For Delegation' - Enabled"
+ "2099": "Exclude Authorization Information' - Enabled"
+ "2100": "Undefined UserAccountControl Bit 20' - Enabled"
+ "2101": "Protect Kerberos Service Tickets with AES Keys' - Enabled"
+ "2102": "Undefined UserAccountControl Bit 22' - Enabled"
+ "2103": "Undefined UserAccountControl Bit 23' - Enabled"
+ "2104": "Undefined UserAccountControl Bit 24' - Enabled"
+ "2105": "Undefined UserAccountControl Bit 25' - Enabled"
+ "2106": "Undefined UserAccountControl Bit 26' - Enabled"
+ "2107": "Undefined UserAccountControl Bit 27' - Enabled"
+ "2108": "Undefined UserAccountControl Bit 28' - Enabled"
+ "2109": "Undefined UserAccountControl Bit 29' - Enabled"
+ "2110": "Undefined UserAccountControl Bit 30' - Enabled"
+ "2111": "Undefined UserAccountControl Bit 31' - Enabled"
+ "2304": "An Error occured during Logon."
+ "2305": "The specified user account has expired."
+ "2306": "The NetLogon component is not active."
+ "2307": "Account locked out."
+ "2308": "The user has not been granted the requested logon type at this machine."
+ "2309": "The specified account's password has expired."
+ "2310": "Account currently disabled."
+ "2311": "Account logon time restriction violation."
+ "2312": "User not allowed to logon at this computer."
+ "2313": "Unknown user name or bad password."
+ "2314": "Domain sid inconsistent."
+ "2315": "Smartcard logon is required and was not used."
+ "2432": "Not Available."
+ "2436": "Random number generator failure."
+ "2437": "Random number generation failed FIPS-140 pre-hash check."
+ "2438": "Failed to zero secret data."
+ "2439": "Key failed pair wise consistency check."
+ "2448": "Failed to unprotect persistent cryptographic key."
+ "2449": "Key export checks failed."
+ "2450": "Validation of public key failed."
+ "2451": "Signature verification failed."
+ "2456": "Open key file."
+ "2457": "Delete key file."
+ "2458": "Read persisted key from file."
+ "2459": "Write persisted key to file."
+ "2464": "Export of persistent cryptographic key."
+ "2465": "Import of persistent cryptographic key."
+ "2480": "Open Key."
+ "2481": "Create Key."
+ "2482": "Delete Key."
+ "2483": "Encrypt."
+ "2484": "Decrypt."
+ "2485": "Sign hash."
+ "2486": "Secret agreement."
+ "2487": "Domain settings"
+ "2488": "Local settings"
+ "2489": "Add provider."
+ "2490": "Remove provider."
+ "2491": "Add context."
+ "2492": "Remove context."
+ "2493": "Add function."
+ "2494": "Remove function."
+ "2495": "Add function provider."
+ "2496": "Remove function provider."
+ "2497": "Add function property."
+ "2498": "Remove function property."
+ "2499": "Machine key."
+ "2500": "User key."
+ "2501": "Key Derivation."
+ "4352": "Device Access Bit 0"
+ "4353": "Device Access Bit 1"
+ "4354": "Device Access Bit 2"
+ "4355": "Device Access Bit 3"
+ "4356": "Device Access Bit 4"
+ "4357": "Device Access Bit 5"
+ "4358": "Device Access Bit 6"
+ "4359": "Device Access Bit 7"
+ "4360": "Device Access Bit 8"
+ "4361": "Undefined Access (no effect) Bit 9"
+ "4362": "Undefined Access (no effect) Bit 10"
+ "4363": "Undefined Access (no effect) Bit 11"
+ "4364": "Undefined Access (no effect) Bit 12"
+ "4365": "Undefined Access (no effect) Bit 13"
+ "4366": "Undefined Access (no effect) Bit 14"
+ "4367": "Undefined Access (no effect) Bit 15"
+ "4368": "Query directory"
+ "4369": "Traverse"
+ "4370": "Create object in directory"
+ "4371": "Create sub-directory"
+ "4372": "Undefined Access (no effect) Bit 4"
+ "4373": "Undefined Access (no effect) Bit 5"
+ "4374": "Undefined Access (no effect) Bit 6"
+ "4375": "Undefined Access (no effect) Bit 7"
+ "4376": "Undefined Access (no effect) Bit 8"
+ "4377": "Undefined Access (no effect) Bit 9"
+ "4378": "Undefined Access (no effect) Bit 10"
+ "4379": "Undefined Access (no effect) Bit 11"
+ "4380": "Undefined Access (no effect) Bit 12"
+ "4381": "Undefined Access (no effect) Bit 13"
+ "4382": "Undefined Access (no effect) Bit 14"
+ "4383": "Undefined Access (no effect) Bit 15"
+ "4384": "Query event state"
+ "4385": "Modify event state"
+ "4386": "Undefined Access (no effect) Bit 2"
+ "4387": "Undefined Access (no effect) Bit 3"
+ "4388": "Undefined Access (no effect) Bit 4"
+ "4389": "Undefined Access (no effect) Bit 5"
+ "4390": "Undefined Access (no effect) Bit 6"
+ "4391": "Undefined Access (no effect) Bit 7"
+ "4392": "Undefined Access (no effect) Bit 8"
+ "4393": "Undefined Access (no effect) Bit 9"
+ "4394": "Undefined Access (no effect) Bit 10"
+ "4395": "Undefined Access (no effect) Bit 11"
+ "4396": "Undefined Access (no effect) Bit 12"
+ "4397": "Undefined Access (no effect) Bit 13"
+ "4398": "Undefined Access (no effect) Bit 14"
+ "4399": "Undefined Access (no effect) Bit 15"
+ "4416": "ReadData (or ListDirectory)"
+ "4417": "WriteData (or AddFile)"
+ "4418": "AppendData (or AddSubdirectory or CreatePipeInstance)"
+ "4419": "ReadEA"
+ "4420": "WriteEA"
+ "4421": "Execute/Traverse"
+ "4422": "DeleteChild"
+ "4423": "ReadAttributes"
+ "4424": "WriteAttributes"
+ "4425": "Undefined Access (no effect) Bit 9"
+ "4426": "Undefined Access (no effect) Bit 10"
+ "4427": "Undefined Access (no effect) Bit 11"
+ "4428": "Undefined Access (no effect) Bit 12"
+ "4429": "Undefined Access (no effect) Bit 13"
+ "4430": "Undefined Access (no effect) Bit 14"
+ "4431": "Undefined Access (no effect) Bit 15"
+ "4432": "Query key value"
+ "4433": "Set key value"
+ "4434": "Create sub-key"
+ "4435": "Enumerate sub-keys"
+ "4436": "Notify about changes to keys"
+ "4437": "Create Link"
+ "4438": "Undefined Access (no effect) Bit 6"
+ "4439": "Undefined Access (no effect) Bit 7"
+ "4440": "Enable 64(or 32) bit application to open 64 bit key"
+ "4441": "Enable 64(or 32) bit application to open 32 bit key"
+ "4442": "Undefined Access (no effect) Bit 10"
+ "4443": "Undefined Access (no effect) Bit 11"
+ "4444": "Undefined Access (no effect) Bit 12"
+ "4445": "Undefined Access (no effect) Bit 13"
+ "4446": "Undefined Access (no effect) Bit 14"
+ "4447": "Undefined Access (no effect) Bit 15"
+ "4448": "Query mutant state"
+ "4449": "Undefined Access (no effect) Bit 1"
+ "4450": "Undefined Access (no effect) Bit 2"
+ "4451": "Undefined Access (no effect) Bit 3"
+ "4452": "Undefined Access (no effect) Bit 4"
+ "4453": "Undefined Access (no effect) Bit 5"
+ "4454": "Undefined Access (no effect) Bit 6"
+ "4455": "Undefined Access (no effect) Bit 7"
+ "4456": "Undefined Access (no effect) Bit 8"
+ "4457": "Undefined Access (no effect) Bit 9"
+ "4458": "Undefined Access (no effect) Bit 10"
+ "4459": "Undefined Access (no effect) Bit 11"
+ "4460": "Undefined Access (no effect) Bit 12"
+ "4461": "Undefined Access (no effect) Bit 13"
+ "4462": "Undefined Access (no effect) Bit 14"
+ "4463": "Undefined Access (no effect) Bit 15"
+ "4464": "Communicate using port"
+ "4465": "Undefined Access (no effect) Bit 1"
+ "4466": "Undefined Access (no effect) Bit 2"
+ "4467": "Undefined Access (no effect) Bit 3"
+ "4468": "Undefined Access (no effect) Bit 4"
+ "4469": "Undefined Access (no effect) Bit 5"
+ "4470": "Undefined Access (no effect) Bit 6"
+ "4471": "Undefined Access (no effect) Bit 7"
+ "4472": "Undefined Access (no effect) Bit 8"
+ "4473": "Undefined Access (no effect) Bit 9"
+ "4474": "Undefined Access (no effect) Bit 10"
+ "4475": "Undefined Access (no effect) Bit 11"
+ "4476": "Undefined Access (no effect) Bit 12"
+ "4477": "Undefined Access (no effect) Bit 13"
+ "4478": "Undefined Access (no effect) Bit 14"
+ "4479": "Undefined Access (no effect) Bit 15"
+ "4480": "Force process termination"
+ "4481": "Create new thread in process"
+ "4482": "Set process session ID"
+ "4483": "Perform virtual memory operation"
+ "4484": "Read from process memory"
+ "4485": "Write to process memory"
+ "4486": "Duplicate handle into or out of process"
+ "4487": "Create a subprocess of process"
+ "4488": "Set process quotas"
+ "4489": "Set process information"
+ "4490": "Query process information"
+ "4491": "Set process termination port"
+ "4492": "Undefined Access (no effect) Bit 12"
+ "4493": "Undefined Access (no effect) Bit 13"
+ "4494": "Undefined Access (no effect) Bit 14"
+ "4495": "Undefined Access (no effect) Bit 15"
+ "4496": "Control profile"
+ "4497": "Undefined Access (no effect) Bit 1"
+ "4498": "Undefined Access (no effect) Bit 2"
+ "4499": "Undefined Access (no effect) Bit 3"
+ "4500": "Undefined Access (no effect) Bit 4"
+ "4501": "Undefined Access (no effect) Bit 5"
+ "4502": "Undefined Access (no effect) Bit 6"
+ "4503": "Undefined Access (no effect) Bit 7"
+ "4504": "Undefined Access (no effect) Bit 8"
+ "4505": "Undefined Access (no effect) Bit 9"
+ "4506": "Undefined Access (no effect) Bit 10"
+ "4507": "Undefined Access (no effect) Bit 11"
+ "4508": "Undefined Access (no effect) Bit 12"
+ "4509": "Undefined Access (no effect) Bit 13"
+ "4510": "Undefined Access (no effect) Bit 14"
+ "4511": "Undefined Access (no effect) Bit 15"
+ "4512": "Query section state"
+ "4513": "Map section for write"
+ "4514": "Map section for read"
+ "4515": "Map section for execute"
+ "4516": "Extend size"
+ "4517": "Undefined Access (no effect) Bit 5"
+ "4518": "Undefined Access (no effect) Bit 6"
+ "4519": "Undefined Access (no effect) Bit 7"
+ "4520": "Undefined Access (no effect) Bit 8"
+ "4521": "Undefined Access (no effect) Bit 9"
+ "4522": "Undefined Access (no effect) Bit 10"
+ "4523": "Undefined Access (no effect) Bit 11"
+ "4524": "Undefined Access (no effect) Bit 12"
+ "4525": "Undefined Access (no effect) Bit 13"
+ "4526": "Undefined Access (no effect) Bit 14"
+ "4527": "Undefined Access (no effect) Bit 15"
+ "4528": "Query semaphore state"
+ "4529": "Modify semaphore state"
+ "4530": "Undefined Access (no effect) Bit 2"
+ "4531": "Undefined Access (no effect) Bit 3"
+ "4532": "Undefined Access (no effect) Bit 4"
+ "4533": "Undefined Access (no effect) Bit 5"
+ "4534": "Undefined Access (no effect) Bit 6"
+ "4535": "Undefined Access (no effect) Bit 7"
+ "4536": "Undefined Access (no effect) Bit 8"
+ "4537": "Undefined Access (no effect) Bit 9"
+ "4538": "Undefined Access (no effect) Bit 10"
+ "4539": "Undefined Access (no effect) Bit 11"
+ "4540": "Undefined Access (no effect) Bit 12"
+ "4541": "Undefined Access (no effect) Bit 13"
+ "4542": "Undefined Access (no effect) Bit 14"
+ "4543": "Undefined Access (no effect) Bit 15"
+ "4544": "Use symbolic link"
+ "4545": "Undefined Access (no effect) Bit 1"
+ "4546": "Undefined Access (no effect) Bit 2"
+ "4547": "Undefined Access (no effect) Bit 3"
+ "4548": "Undefined Access (no effect) Bit 4"
+ "4549": "Undefined Access (no effect) Bit 5"
+ "4550": "Undefined Access (no effect) Bit 6"
+ "4551": "Undefined Access (no effect) Bit 7"
+ "4552": "Undefined Access (no effect) Bit 8"
+ "4553": "Undefined Access (no effect) Bit 9"
+ "4554": "Undefined Access (no effect) Bit 10"
+ "4555": "Undefined Access (no effect) Bit 11"
+ "4556": "Undefined Access (no effect) Bit 12"
+ "4557": "Undefined Access (no effect) Bit 13"
+ "4558": "Undefined Access (no effect) Bit 14"
+ "4559": "Undefined Access (no effect) Bit 15"
+ "4560": "Force thread termination"
+ "4561": "Suspend or resume thread"
+ "4562": "Send an alert to thread"
+ "4563": "Get thread context"
+ "4564": "Set thread context"
+ "4565": "Set thread information"
+ "4566": "Query thread information"
+ "4567": "Assign a token to the thread"
+ "4568": "Cause thread to directly impersonate another thread"
+ "4569": "Directly impersonate this thread"
+ "4570": "Undefined Access (no effect) Bit 10"
+ "4571": "Undefined Access (no effect) Bit 11"
+ "4572": "Undefined Access (no effect) Bit 12"
+ "4573": "Undefined Access (no effect) Bit 13"
+ "4574": "Undefined Access (no effect) Bit 14"
+ "4575": "Undefined Access (no effect) Bit 15"
+ "4576": "Query timer state"
+ "4577": "Modify timer state"
+ "4578": "Undefined Access (no effect) Bit 2"
+ "4579": "Undefined Access (no effect) Bit 3"
+ "4580": "Undefined Access (no effect) Bit 4"
+ "4581": "Undefined Access (no effect) Bit 5"
+ "4582": "Undefined Access (no effect) Bit 6"
+ "4584": "Undefined Access (no effect) Bit 8"
+ "4585": "Undefined Access (no effect) Bit 9"
+ "4586": "Undefined Access (no effect) Bit 10"
+ "4587": "Undefined Access (no effect) Bit 11"
+ "4588": "Undefined Access (no effect) Bit 12"
+ "4589": "Undefined Access (no effect) Bit 13"
+ "4590": "Undefined Access (no effect) Bit 14"
+ "4591": "Undefined Access (no effect) Bit 15"
+ "4592": "AssignAsPrimary"
+ "4593": "Duplicate"
+ "4594": "Impersonate"
+ "4595": "Query"
+ "4596": "QuerySource"
+ "4597": "AdjustPrivileges"
+ "4598": "AdjustGroups"
+ "4599": "AdjustDefaultDacl"
+ "4600": "AdjustSessionID"
+ "4601": "Undefined Access (no effect) Bit 9"
+ "4602": "Undefined Access (no effect) Bit 10"
+ "4603": "Undefined Access (no effect) Bit 11"
+ "4604": "Undefined Access (no effect) Bit 12"
+ "4605": "Undefined Access (no effect) Bit 13"
+ "4606": "Undefined Access (no effect) Bit 14"
+ "4607": "Undefined Access (no effect) Bit 15"
+ "4608": "Create instance of object type"
+ "4609": "Undefined Access (no effect) Bit 1"
+ "4610": "Undefined Access (no effect) Bit 2"
+ "4611": "Undefined Access (no effect) Bit 3"
+ "4612": "Undefined Access (no effect) Bit 4"
+ "4613": "Undefined Access (no effect) Bit 5"
+ "4614": "Undefined Access (no effect) Bit 6"
+ "4615": "Undefined Access (no effect) Bit 7"
+ "4616": "Undefined Access (no effect) Bit 8"
+ "4617": "Undefined Access (no effect) Bit 9"
+ "4618": "Undefined Access (no effect) Bit 10"
+ "4619": "Undefined Access (no effect) Bit 11"
+ "4620": "Undefined Access (no effect) Bit 12"
+ "4621": "Undefined Access (no effect) Bit 13"
+ "4622": "Undefined Access (no effect) Bit 14"
+ "4623": "Undefined Access (no effect) Bit 15"
+ "4864": "Query State"
+ "4865": "Modify State"
+ "5120": "Channel read message"
+ "5121": "Channel write message"
+ "5122": "Channel query information"
+ "5123": "Channel set information"
+ "5124": "Undefined Access (no effect) Bit 4"
+ "5125": "Undefined Access (no effect) Bit 5"
+ "5126": "Undefined Access (no effect) Bit 6"
+ "5127": "Undefined Access (no effect) Bit 7"
+ "5128": "Undefined Access (no effect) Bit 8"
+ "5129": "Undefined Access (no effect) Bit 9"
+ "5130": "Undefined Access (no effect) Bit 10"
+ "5131": "Undefined Access (no effect) Bit 11"
+ "5132": "Undefined Access (no effect) Bit 12"
+ "5133": "Undefined Access (no effect) Bit 13"
+ "5134": "Undefined Access (no effect) Bit 14"
+ "5135": "Undefined Access (no effect) Bit 15"
+ "5136": "Assign process"
+ "5137": "Set Attributes"
+ "5138": "Query Attributes"
+ "5139": "Terminate Job"
+ "5140": "Set Security Attributes"
+ "5141": "Undefined Access (no effect) Bit 5"
+ "5142": "Undefined Access (no effect) Bit 6"
+ "5143": "Undefined Access (no effect) Bit 7"
+ "5144": "Undefined Access (no effect) Bit 8"
+ "5145": "Undefined Access (no effect) Bit 9"
+ "5146": "Undefined Access (no effect) Bit 10"
+ "5147": "Undefined Access (no effect) Bit 11"
+ "5148": "Undefined Access (no effect) Bit 12"
+ "5149": "Undefined Access (no effect) Bit 13"
+ "5150": "Undefined Access (no effect) Bit 14"
+ "5151": "Undefined Access (no effect) Bit 15"
+ "5376": "ConnectToServer"
+ "5377": "ShutdownServer"
+ "5378": "InitializeServer"
+ "5379": "CreateDomain"
+ "5380": "EnumerateDomains"
+ "5381": "LookupDomain"
+ "5382": "Undefined Access (no effect) Bit 6"
+ "5383": "Undefined Access (no effect) Bit 7"
+ "5384": "Undefined Access (no effect) Bit 8"
+ "5385": "Undefined Access (no effect) Bit 9"
+ "5386": "Undefined Access (no effect) Bit 10"
+ "5387": "Undefined Access (no effect) Bit 11"
+ "5388": "Undefined Access (no effect) Bit 12"
+ "5389": "Undefined Access (no effect) Bit 13"
+ "5390": "Undefined Access (no effect) Bit 14"
+ "5391": "Undefined Access (no effect) Bit 15"
+ "5392": "ReadPasswordParameters"
+ "5393": "WritePasswordParameters"
+ "5394": "ReadOtherParameters"
+ "5395": "WriteOtherParameters"
+ "5396": "CreateUser"
+ "5397": "CreateGlobalGroup"
+ "5398": "CreateLocalGroup"
+ "5399": "GetLocalGroupMembership"
+ "5400": "ListAccounts"
+ "5401": "LookupIDs"
+ "5402": "AdministerServer"
+ "5403": "Undefined Access (no effect) Bit 11"
+ "5404": "Undefined Access (no effect) Bit 12"
+ "5405": "Undefined Access (no effect) Bit 13"
+ "5406": "Undefined Access (no effect) Bit 14"
+ "5407": "Undefined Access (no effect) Bit 15"
+ "5408": "ReadInformation"
+ "5409": "WriteAccount"
+ "5410": "AddMember"
+ "5411": "RemoveMember"
+ "5412": "ListMembers"
+ "5413": "Undefined Access (no effect) Bit 5"
+ "5414": "Undefined Access (no effect) Bit 6"
+ "5415": "Undefined Access (no effect) Bit 7"
+ "5416": "Undefined Access (no effect) Bit 8"
+ "5417": "Undefined Access (no effect) Bit 9"
+ "5418": "Undefined Access (no effect) Bit 10"
+ "5419": "Undefined Access (no effect) Bit 11"
+ "5420": "Undefined Access (no effect) Bit 12"
+ "5421": "Undefined Access (no effect) Bit 13"
+ "5422": "Undefined Access (no effect) Bit 14"
+ "5423": "Undefined Access (no effect) Bit 15"
+ "5424": "AddMember"
+ "5425": "RemoveMember"
+ "5426": "ListMembers"
+ "5427": "ReadInformation"
+ "5428": "WriteAccount"
+ "5429": "Undefined Access (no effect) Bit 5"
+ "5430": "Undefined Access (no effect) Bit 6"
+ "5431": "Undefined Access (no effect) Bit 7"
+ "5432": "Undefined Access (no effect) Bit 8"
+ "5433": "Undefined Access (no effect) Bit 9"
+ "5434": "Undefined Access (no effect) Bit 10"
+ "5435": "Undefined Access (no effect) Bit 11"
+ "5436": "Undefined Access (no effect) Bit 12"
+ "5437": "Undefined Access (no effect) Bit 13"
+ "5438": "Undefined Access (no effect) Bit 14"
+ "5439": "Undefined Access (no effect) Bit 15"
+ "5440": "ReadGeneralInformation"
+ "5441": "ReadPreferences"
+ "5442": "WritePreferences"
+ "5443": "ReadLogon"
+ "5444": "ReadAccount"
+ "5445": "WriteAccount"
+ "5446": "ChangePassword (with knowledge of old password)"
+ "5447": "SetPassword (without knowledge of old password)"
+ "5448": "ListGroups"
+ "5449": "ReadGroupMembership"
+ "5450": "ChangeGroupMembership"
+ "5451": "Undefined Access (no effect) Bit 11"
+ "5452": "Undefined Access (no effect) Bit 12"
+ "5453": "Undefined Access (no effect) Bit 13"
+ "5454": "Undefined Access (no effect) Bit 14"
+ "5455": "Undefined Access (no effect) Bit 15"
+ "5632": "View non-sensitive policy information"
+ "5633": "View system audit requirements"
+ "5634": "Get sensitive policy information"
+ "5635": "Modify domain trust relationships"
+ "5636": "Create special accounts (for assignment of user rights)"
+ "5637": "Create a secret object"
+ "5638": "Create a privilege"
+ "5639": "Set default quota limits"
+ "5640": "Change system audit requirements"
+ "5641": "Administer audit log attributes"
+ "5642": "Enable/Disable LSA"
+ "5643": "Lookup Names/SIDs"
+ "5648": "Change secret value"
+ "5649": "Query secret value"
+ "5650": "Undefined Access (no effect) Bit 2"
+ "5651": "Undefined Access (no effect) Bit 3"
+ "5652": "Undefined Access (no effect) Bit 4"
+ "5653": "Undefined Access (no effect) Bit 5"
+ "5654": "Undefined Access (no effect) Bit 6"
+ "5655": "Undefined Access (no effect) Bit 7"
+ "5656": "Undefined Access (no effect) Bit 8"
+ "5657": "Undefined Access (no effect) Bit 9"
+ "5658": "Undefined Access (no effect) Bit 10"
+ "5659": "Undefined Access (no effect) Bit 11"
+ "5660": "Undefined Access (no effect) Bit 12"
+ "5661": "Undefined Access (no effect) Bit 13"
+ "5662": "Undefined Access (no effect) Bit 14"
+ "5663": "Undefined Access (no effect) Bit 15"
+ "5664": "Query trusted domain name/SID"
+ "5665": "Retrieve the controllers in the trusted domain"
+ "5666": "Change the controllers in the trusted domain"
+ "5667": "Query the Posix ID offset assigned to the trusted domain"
+ "5668": "Change the Posix ID offset assigned to the trusted domain"
+ "5669": "Undefined Access (no effect) Bit 5"
+ "5670": "Undefined Access (no effect) Bit 6"
+ "5671": "Undefined Access (no effect) Bit 7"
+ "5672": "Undefined Access (no effect) Bit 8"
+ "5673": "Undefined Access (no effect) Bit 9"
+ "5674": "Undefined Access (no effect) Bit 10"
+ "5675": "Undefined Access (no effect) Bit 11"
+ "5676": "Undefined Access (no effect) Bit 12"
+ "5677": "Undefined Access (no effect) Bit 13"
+ "5678": "Undefined Access (no effect) Bit 14"
+ "5679": "Undefined Access (no effect) Bit 15"
+ "5680": "Query account information"
+ "5681": "Change privileges assigned to account"
+ "5682": "Change quotas assigned to account"
+ "5683": "Change logon capabilities assigned to account"
+ "5684": "Change the Posix ID offset assigned to the accounted domain"
+ "5685": "Undefined Access (no effect) Bit 5"
+ "5686": "Undefined Access (no effect) Bit 6"
+ "5687": "Undefined Access (no effect) Bit 7"
+ "5688": "Undefined Access (no effect) Bit 8"
+ "5689": "Undefined Access (no effect) Bit 9"
+ "5690": "Undefined Access (no effect) Bit 10"
+ "5691": "Undefined Access (no effect) Bit 11"
+ "5692": "Undefined Access (no effect) Bit 12"
+ "5693": "Undefined Access (no effect) Bit 13"
+ "5694": "Undefined Access (no effect) Bit 14"
+ "5695": "Undefined Access (no effect) Bit 15"
+ "5696": "KeyedEvent Wait"
+ "5697": "KeyedEvent Wake"
+ "5698": "Undefined Access (no effect) Bit 2"
+ "5699": "Undefined Access (no effect) Bit 3"
+ "5700": "Undefined Access (no effect) Bit 4"
+ "5701": "Undefined Access (no effect) Bit 5"
+ "5702": "Undefined Access (no effect) Bit 6"
+ "5703": "Undefined Access (no effect) Bit 7"
+ "5704": "Undefined Access (no effect) Bit 8"
+ "5705": "Undefined Access (no effect) Bit 9"
+ "5706": "Undefined Access (no effect) Bit 10"
+ "5707": "Undefined Access (no effect) Bit 11"
+ "5708": "Undefined Access (no effect) Bit 12"
+ "5709": "Undefined Access (no effect) Bit 13"
+ "5710": "Undefined Access (no effect) Bit 14"
+ "5711": "Undefined Access (no effect) Bit 15"
+ "6656": "Enumerate desktops"
+ "6657": "Read attributes"
+ "6658": "Access Clipboard"
+ "6659": "Create desktop"
+ "6660": "Write attributes"
+ "6661": "Access global atoms"
+ "6662": "Exit windows"
+ "6663": "Unused Access Flag"
+ "6664": "Include this windowstation in enumerations"
+ "6665": "Read screen"
+ "6672": "Read Objects"
+ "6673": "Create window"
+ "6674": "Create menu"
+ "6675": "Hook control"
+ "6676": "Journal (record)"
+ "6677": "Journal (playback)"
+ "6678": "Include this desktop in enumerations"
+ "6679": "Write objects"
+ "6680": "Switch to this desktop"
+ "6912": "Administer print server"
+ "6913": "Enumerate printers"
+ "6930": "Full Control"
+ "6931": "Print"
+ "6948": "Administer Document"
+ "7168": "Connect to service controller"
+ "7169": "Create a new service"
+ "7170": "Enumerate services"
+ "7171": "Lock service database for exclusive access"
+ "7172": "Query service database lock state"
+ "7173": "Set last-known-good state of service database"
+ "7184": "Query service configuration information"
+ "7185": "Set service configuration information"
+ "7186": "Query status of service"
+ "7187": "Enumerate dependencies of service"
+ "7188": "Start the service"
+ "7189": "Stop the service"
+ "7190": "Pause or continue the service"
+ "7191": "Query information from service"
+ "7192": "Issue service-specific control commands"
+ "7424": "DDE Share Read"
+ "7425": "DDE Share Write"
+ "7426": "DDE Share Initiate Static"
+ "7427": "DDE Share Initiate Link"
+ "7428": "DDE Share Request"
+ "7429": "DDE Share Advise"
+ "7430": "DDE Share Poke"
+ "7431": "DDE Share Execute"
+ "7432": "DDE Share Add Items"
+ "7433": "DDE Share List Items"
+ "7680": "Create Child"
+ "7681": "Delete Child"
+ "7682": "List Contents"
+ "7683": "Write Self"
+ "7684": "Read Property"
+ "7685": "Write Property"
+ "7686": "Delete Tree"
+ "7687": "List Object"
+ "7688": "Control Access"
+ "7689": "Undefined Access (no effect) Bit 9"
+ "7690": "Undefined Access (no effect) Bit 10"
+ "7691": "Undefined Access (no effect) Bit 11"
+ "7692": "Undefined Access (no effect) Bit 12"
+ "7693": "Undefined Access (no effect) Bit 13"
+ "7694": "Undefined Access (no effect) Bit 14"
+ "7695": "Undefined Access (no effect) Bit 15"
+ "7936": "Audit Set System Policy"
+ "7937": "Audit Query System Policy"
+ "7938": "Audit Set Per User Policy"
+ "7939": "Audit Query Per User Policy"
+ "7940": "Audit Enumerate Users"
+ "7941": "Audit Set Options"
+ "7942": "Audit Query Options"
+ "8064": "Port sharing (read)"
+ "8065": "Port sharing (write)"
+ "8096": "Default credentials"
+ "8097": "Credentials manager"
+ "8098": "Fresh credentials"
+ "8192": "Kerberos"
+ "8193": "Preshared key"
+ "8194": "Unknown authentication"
+ "8195": "DES"
+ "8196": "3DES"
+ "8197": "MD5"
+ "8198": "SHA1"
+ "8199": "Local computer"
+ "8200": "Remote computer"
+ "8201": "No state"
+ "8202": "Sent first (SA) payload"
+ "8203": "Sent second (KE) payload"
+ "8204": "Sent third (ID) payload"
+ "8205": "Initiator"
+ "8206": "Responder"
+ "8207": "No state"
+ "8208": "Sent first (SA) payload"
+ "8209": "Sent final payload"
+ "8210": "Complete"
+ "8211": "Unknown"
+ "8212": "Transport"
+ "8213": "Tunnel"
+ "8214": "IKE/AuthIP DoS prevention mode started"
+ "8215": "IKE/AuthIP DoS prevention mode stopped"
+ "8216": "Enabled"
+ "8217": "Not enabled"
+ "8218": "No state"
+ "8219": "Sent first (EM attributes) payload"
+ "8220": "Sent second (SSPI) payload"
+ "8221": "Sent third (hash) payload"
+ "8222": "IKEv1"
+ "8223": "AuthIP"
+ "8224": "Anonymous"
+ "8225": "NTLM V2"
+ "8226": "CGA"
+ "8227": "Certificate"
+ "8228": "SSL"
+ "8229": "None"
+ "8230": "DH group 1"
+ "8231": "DH group 2"
+ "8232": "DH group 14"
+ "8233": "DH group ECP 256"
+ "8234": "DH group ECP 384"
+ "8235": "AES-128"
+ "8236": "AES-192"
+ "8237": "AES-256"
+ "8238": "Certificate ECDSA P256"
+ "8239": "Certificate ECDSA P384"
+ "8240": "SSL ECDSA P256"
+ "8241": "SSL ECDSA P384"
+ "8242": "SHA 256"
+ "8243": "SHA 384"
+ "8244": "IKEv2"
+ "8245": "EAP payload sent"
+ "8246": "Authentication payload sent"
+ "8247": "EAP"
+ "8248": "DH group 24"
+ "8272": "System"
+ "8273": "Logon/Logoff"
+ "8274": "Object Access"
+ "8275": "Privilege Use"
+ "8276": "Detailed Tracking"
+ "8277": "Policy Change"
+ "8278": "Account Management"
+ "8279": "DS Access"
+ "8280": "Account Logon"
+ "8448": "Success removed"
+ "8449": "Success Added"
+ "8450": "Failure removed"
+ "8451": "Failure Added"
+ "8452": "Success include removed"
+ "8453": "Success include added"
+ "8454": "Success exclude removed"
+ "8455": "Success exclude added"
+ "8456": "Failure include removed"
+ "8457": "Failure include added"
+ "8458": "Failure exclude removed"
+ "8459": "Failure exclude added"
+ "12288": "Security State Change"
+ "12289": "Security System Extension"
+ "12290": "System Integrity"
+ "12291": "IPsec Driver"
+ "12292": "Other System Events"
+ "12544": "Logon"
+ "12545": "Logoff"
+ "12546": "Account Lockout"
+ "12547": "IPsec Main Mode"
+ "12548": "Special Logon"
+ "12549": "IPsec Quick Mode"
+ "12550": "IPsec Extended Mode"
+ "12551": "Other Logon/Logoff Events"
+ "12552": "Network Policy Server"
+ "12553": "User / Device Claims"
+ "12554": "Group Membership"
+ "12800": "File System"
+ "12801": "Registry"
+ "12802": "Kernel Object"
+ "12803": "SAM"
+ "12804": "Other Object Access Events"
+ "12805": "Certification Services"
+ "12806": "Application Generated"
+ "12807": "Handle Manipulation"
+ "12808": "File Share"
+ "12809": "Filtering Platform Packet Drop"
+ "12810": "Filtering Platform Connection"
+ "12811": "Detailed File Share"
+ "12812": "Removable Storage"
+ "12813": "Central Policy Staging"
+ "13056": "Sensitive Privilege Use"
+ "13057": "Non Sensitive Privilege Use"
+ "13058": "Other Privilege Use Events"
+ "13312": "Process Creation"
+ "13313": "Process Termination"
+ "13314": "DPAPI Activity"
+ "13315": "RPC Events"
+ "13316": "Plug and Play Events"
+ "13317": "Token Right Adjusted Events"
+ "13568": "Audit Policy Change"
+ "13569": "Authentication Policy Change"
+ "13570": "Authorization Policy Change"
+ "13571": "MPSSVC Rule-Level Policy Change"
+ "13572": "Filtering Platform Policy Change"
+ "13573": "Other Policy Change Events"
+ "13824": "User Account Management"
+ "13825": "Computer Account Management"
+ "13826": "Security Group Management"
+ "13827": "Distribution Group Management"
+ "13828": "Application Group Management"
+ "13829": "Other Account Management Events"
+ "14080": "Directory Service Access"
+ "14081": "Directory Service Changes"
+ "14082": "Directory Service Replication"
+ "14083": "Detailed Directory Service Replication"
+ "14336": "Credential Validation"
+ "14337": "Kerberos Service Ticket Operations"
+ "14338": "Other Account Logon Events"
+ "14339": "Kerberos Authentication Service"
+ "14592": "Inbound"
+ "14593": "Outbound"
+ "14594": "Forward"
+ "14595": "Bidirectional"
+ "14596": "IP Packet"
+ "14597": "Transport"
+ "14598": "Forward"
+ "14599": "Stream"
+ "14600": "Datagram Data"
+ "14601": "ICMP Error"
+ "14602": "MAC 802.3"
+ "14603": "MAC Native"
+ "14604": "vSwitch"
+ "14608": "Resource Assignment"
+ "14609": "Listen"
+ "14610": "Receive/Accept"
+ "14611": "Connect"
+ "14612": "Flow Established"
+ "14614": "Resource Release"
+ "14615": "Endpoint Closure"
+ "14616": "Connect Redirect"
+ "14617": "Bind Redirect"
+ "14624": "Stream Packet"
+ "14640": "ICMP Echo-Request"
+ "14641": "vSwitch Ingress"
+ "14642": "vSwitch Egress"
+ "14672": ""
+ "14673": "[NULL]"
+ "14674": "Value Added"
+ "14675": "Value Deleted"
+ "14676": "Active Directory Domain Services"
+ "14677": "Active Directory Lightweight Directory Services"
+ "14678": "Yes"
+ "14679": "No"
+ "14680": "Value Added With Expiration Time"
+ "14681": "Value Deleted With Expiration Time"
+ "14688": "Value Auto Deleted With Expiration Time"
+ "16384": "Add"
+ "16385": "Delete"
+ "16386": "Boot-time"
+ "16387": "Persistent"
+ "16388": "Not persistent"
+ "16389": "Block"
+ "16390": "Permit"
+ "16391": "Callout"
+ "16392": "MD5"
+ "16393": "SHA-1"
+ "16394": "SHA-256"
+ "16395": "AES-GCM 128"
+ "16396": "AES-GCM 192"
+ "16397": "AES-GCM 256"
+ "16398": "DES"
+ "16399": "3DES"
+ "16400": "AES-128"
+ "16401": "AES-192"
+ "16402": "AES-256"
+ "16403": "Transport"
+ "16404": "Tunnel"
+ "16405": "Responder"
+ "16406": "Initiator"
+ "16407": "AES-GMAC 128"
+ "16408": "AES-GMAC 192"
+ "16409": "AES-GMAC 256"
+ "16416": "AuthNoEncap Transport"
+ "16896": "Enable WMI Account"
+ "16897": "Execute Method"
+ "16898": "Full Write"
+ "16899": "Partial Write"
+ "16900": "Provider Write"
+ "16901": "Remote Access"
+ "16902": "Subscribe"
+ "16903": "Publish"
+ AccessMaskDescriptions:
+ "0x00000001": Create Child
+ "0x00000002": Delete Child
+ "0x00000004": List Contents
+ "0x00000008": SELF
+ "0x00000010": Read Property
+ "0x00000020": Write Property
+ "0x00000040": Delete Treee
+ "0x00000080": List Object
+ "0x00000100": Control Access
+ "0x00010000": DELETE
+ "0x00020000": READ_CONTROL
+ "0x00040000": WRITE_DAC
+ "0x00080000": WRITE_OWNER
+ "0x00100000": SYNCHRONIZE
+ "0x00F00000": STANDARD_RIGHTS_REQUIRED
+ "0x001F0000": STANDARD_RIGHTS_ALL
+ "0x0000FFFF": SPECIFIC_RIGHTS_ALL
+ "0x01000000": ADS_RIGHT_ACCESS_SYSTEM_SECURITY
+ "0x10000000": ADS_RIGHT_GENERIC_ALL
+ "0x20000000": ADS_RIGHT_GENERIC_EXECUTE
+ "0x40000000": ADS_RIGHT_GENERIC_WRITE
+ "0x80000000": ADS_RIGHT_GENERIC_READ
+ source: |-
+ def split(String s) {
+ def f = new ArrayList();
+ int last = 0;
+ for (; last < s.length() && Character.isWhitespace(s.charAt(last)); last++) {}
+ for (def i = last; i < s.length(); i++) {
+ if (!Character.isWhitespace(s.charAt(i))) {
+ continue;
+ }
+ f.add(s.substring(last, i));
+ for (; i < s.length() && Character.isWhitespace(s.charAt(i)); i++) {}
+ last = i;
+ }
+ f.add(s.substring(last));
+ return f;
+ }
+ if (ctx?.winlog?.event_data?.FailureReason != null) {
+ def code = ctx.winlog.event_data.FailureReason.replace("%%","");
+ if (params.descriptions.containsKey(code)) {
+ if (ctx?.winlog?.logon == null ) {
+ HashMap hm = new HashMap();
+ ctx.winlog.put("logon", hm);
+ }
+ if (ctx?.winlog?.logon?.failure == null) {
+ HashMap hm = new HashMap();
+ ctx.winlog.logon.put("failure", hm);
+ }
+ ctx.winlog.logon.failure.put("reason", params.descriptions[code]);
+ }
+ }
+ if (ctx?.winlog?.event_data?.AuditPolicyChanges != null) {
+ ArrayList results = new ArrayList();
+ for (elem in ctx.winlog.event_data.AuditPolicyChanges.splitOnToken(",")) {
+ def code = elem.replace("%%","").trim();
+ if (params.descriptions.containsKey(code)) {
+ results.add(params.descriptions[code]);
+ }
+ }
+ if (results.length > 0) {
+ ctx.winlog.event_data.put("AuditPolicyChangesDescription", results);
+ }
+ }
+ if (ctx?.winlog?.event_data?.AccessList != null) {
+ ArrayList results = new ArrayList();
+ for (elem in ctx.winlog.event_data.AccessList.splitOnToken(" ")) {
+ def code = elem.replace("%%","").trim();
+ if (params.descriptions.containsKey(code)) {
+ results.add(params.descriptions[code]);
+ }
+ }
+ if (results.length > 0) {
+ ctx.winlog.event_data.put("AccessListDescription", results);
+ }
+ }
+ if (ctx?.winlog?.event_data?.AccessMask != null) {
+ ArrayList results = new ArrayList();
+ for (elem in split(ctx.winlog.event_data.AccessMask)) {
+ def mask = elem.replace("%%","").trim();
+ if (mask == "") {
+ continue;
+ }
+ Long accessMask = Long.decode(mask);
+ for (entry in params.AccessMaskDescriptions.entrySet()) {
+ Long accessFlag = Long.decode(entry.getKey());
+ if ((accessMask.longValue() & accessFlag.longValue()) == accessFlag.longValue()) {
+ results.add(entry.getValue());
+ }
+ }
+ }
+ if (results.length > 0) {
+ ctx.winlog.event_data.put("_AccessMaskDescription", results);
+ }
+ }
+ - foreach:
+ field: winlog.event_data._AccessMaskDescription
+ processor:
+ append:
+ field: winlog.event_data.AccessMaskDescription
+ value: '{{{_ingest._value}}}'
+ allow_duplicates: false
+ ignore_failure: true
+ ignore_failure: true
+ if: ctx.winlog?.event_data?._AccessMaskDescription != null && ctx.winlog.event_data._AccessMaskDescription instanceof List
+ - remove:
+ field: winlog.event_data._AccessMaskDescription
+ ignore_failure: true
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: 4625 and 4776 Set Status and SubStatus
+ description: 4625 and 4776 Set Status and SubStatus
+ # Descriptions of failure status codes.
+ # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625
+ # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776
+ params:
+ "0xc000005e": "There are currently no logon servers available to service the logon request."
+ "0xc0000064": "User logon with misspelled or bad user account"
+ "0xc000006a": "User logon with misspelled or bad password"
+ "0xc000006d": "This is either due to a bad username or authentication information"
+ "0xc000006e": "Unknown user name or bad password."
+ "0xc000006f": "User logon outside authorized hours"
+ "0xc0000070": "User logon from unauthorized workstation"
+ "0xc0000071": "User logon with expired password"
+ "0xc0000072": "User logon to account disabled by administrator"
+ "0xc00000dc": "Indicates the Sam Server was in the wrong state to perform the desired operation."
+ "0xc0000133": "Clocks between DC and other computer too far out of sync"
+ "0xc000015b": "The user has not been granted the requested logon type (aka logon right) at this machine"
+ "0xc000018c": "The logon request failed because the trust relationship between the primary domain and the trusted domain failed."
+ "0xc0000192": "An attempt was made to logon, but the Netlogon service was not started."
+ "0xc0000193": "User logon with expired account"
+ "0xc0000224": "User is required to change password at next logon"
+ "0xc0000225": "Evidently a bug in Windows and not a risk"
+ "0xc0000234": "User logon with account locked"
+ "0xc00002ee": "Failure Reason: An Error occurred during Logon"
+ "0xc0000413": "Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine."
+ "0xc0000371": "The local account store does not contain secret material for the specified account"
+ "0x0": "Status OK."
+ source: |-
+ if (ctx?.winlog?.event_data?.Status == null ||
+ ctx?.event?.code == null ||
+ !["4625", "4776"].contains(ctx.event.code)) {
+ return;
+ }
+ if (params.containsKey(ctx.winlog.event_data.Status)) {
+ if (ctx?.winlog?.logon == null ) {
+ HashMap hm = new HashMap();
+ ctx.winlog.put("logon", hm);
+ }
+ if (ctx?.winlog?.logon?.failure == null) {
+ HashMap hm = new HashMap();
+ ctx.winlog.logon.put("failure", hm);
+ }
+ ctx.winlog.logon.failure.put("status", params[ctx.winlog.event_data.Status]);
+ }
+ if (ctx?.winlog?.event_data?.SubStatus == null || !params.containsKey(ctx.winlog.event_data.SubStatus)) {
+ return;
+ }
+ if (ctx?.winlog?.logon == null ) {
+ HashMap hm = new HashMap();
+ ctx.winlog.put("logon", hm);
+ }
+ if (ctx?.winlog?.logon?.failure == null) {
+ HashMap hm = new HashMap();
+ ctx.winlog.logon.put("failure", hm);
+ }
+ ctx.winlog.logon.failure.put("sub_status", params[ctx.winlog.event_data.SubStatus]);
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Set Trust Type
+ description: Set Trust Type
+ # Trust Types
+ # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706
+ params:
+ "1": "TRUST_TYPE_DOWNLEVEL"
+ "2": "TRUST_TYPE_UPLEVEL"
+ "3": "TRUST_TYPE_MIT"
+ "4": "TRUST_TYPE_DCE"
+ source: |-
+ if (ctx?.winlog?.event_data?.TdoType == null) {
+ return;
+ }
+ if (!params.containsKey(ctx.winlog.event_data.TdoType)) {
+ return;
+ }
+ ctx.winlog.put("trustType", params[ctx.winlog.event_data.TdoType]);
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Set Trust Direction
+ description: Set Trust Direction
+ # Trust Direction
+ # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706
+ params:
+ "0": "TRUST_DIRECTION_DISABLED"
+ "1": "TRUST_DIRECTION_INBOUND"
+ "2": "TRUST_DIRECTION_OUTBOUND"
+ "3": "TRUST_DIRECTION_BIDIRECTIONAL"
+ source: |-
+ if (ctx?.winlog?.event_data?.TdoDirection == null) {
+ return;
+ }
+ if (!params.containsKey(ctx.winlog.event_data.TdoDirection)) {
+ return;
+ }
+ ctx.winlog.put("trustDirection", params[ctx.winlog.event_data.TdoDirection]);
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Set Trust Attributes
+ description: Set Trust Attributes
+ # Trust Attributes
+ # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706
+ params:
+ "0": "UNDEFINED"
+ "1": "TRUST_ATTRIBUTE_NON_TRANSITIVE"
+ "2": "TRUST_ATTRIBUTE_UPLEVEL_ONLY"
+ "4": "TRUST_ATTRIBUTE_QUARANTINED_DOMAIN"
+ "8": "TRUST_ATTRIBUTE_FOREST_TRANSITIVE"
+ "16": "TRUST_ATTRIBUTE_CROSS_ORGANIZATION"
+ "32": "TRUST_ATTRIBUTE_WITHIN_FOREST"
+ "64": "TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL"
+ "128": "TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION"
+ "512": "TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION"
+ "1024": "TRUST_ATTRIBUTE_PIM_TRUST"
+ source: |-
+ if (ctx?.winlog?.event_data?.TdoAttributes == null) {
+ return;
+ }
+ if (!params.containsKey(ctx.winlog.event_data.TdoAttributes)) {
+ return;
+ }
+ ctx.winlog.put("trustAttribute", params[ctx.winlog.event_data.TdoAttributes]);
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Add Session Events
+ description: Add Session Events
+ source: |-
+ if (ctx?.event?.code == null ||
+ !["4778", "4779"].contains(ctx.event.code)) {
+ return;
+ }
+ //AccountName to user.name and related.user
+ if (ctx?.winlog?.event_data?.AccountName != null) {
+ if (ctx?.user == null) {
+ HashMap hm = new HashMap();
+ ctx.put("user", hm);
+ }
+ if (ctx?.related == null) {
+ HashMap hm = new HashMap();
+ ctx.put("related", hm);
+ }
+ if (ctx?.related?.user == null) {
+ ArrayList al = new ArrayList();
+ ctx.related.put("user", al);
+ }
+ ctx.user.put("name", ctx.winlog.event_data.AccountName);
+ if (!ctx.related.user.contains(ctx.winlog.event_data.AccountName)) {
+ ctx.related.user.add(ctx.winlog.event_data.AccountName);
+ }
+ }
+
+ //AccountDomain to user.domain
+ if (ctx?.winlog?.event_data?.AccountDomain != null) {
+ if (ctx?.user == null) {
+ HashMap hm = new HashMap();
+ ctx.put("user", hm);
+ }
+ ctx.user.put("domain", ctx.winlog.event_data.AccountDomain);
+ }
+
+ //ClientAddress to source.ip and related.ip
+ if (ctx?.winlog?.event_data?.ClientAddress != null &&
+ ctx.winlog.event_data.ClientAddress != "-") {
+ if (ctx?.source == null) {
+ HashMap hm = new HashMap();
+ ctx.put("source", hm);
+ }
+ if (ctx?.related == null) {
+ HashMap hm = new HashMap();
+ ctx.put("related", hm);
+ }
+ if (ctx?.related?.ip == null) {
+ ArrayList al = new ArrayList();
+ ctx.related.put("ip", al);
+ }
+ ctx.source.put("ip", ctx.winlog.event_data.ClientAddress);
+ if (!ctx.related.ip.contains(ctx.winlog.event_data.ClientAddress)) {
+ ctx.related.ip.add(ctx.winlog.event_data.ClientAddress);
+ }
+ }
+
+ //ClientName to source.domain
+ if (ctx?.winlog?.event_data?.ClientName != null) {
+ if (ctx?.source == null) {
+ HashMap hm = new HashMap();
+ ctx.put("source", hm);
+ }
+ ctx.source.put("domain", ctx.winlog.event_data.ClientName);
+ }
+
+ //LogonID to winlog.logon.id
+ if (ctx?.winlog?.event_data?.LogonID != null) {
+ if (ctx?.winlog?.logon == null) {
+ HashMap hm = new HashMap();
+ ctx.winlog.put("logon", hm);
+ }
+ ctx.winlog.logon.put("id", ctx.winlog.event_data.LogonID);
+ }
+
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Copy Target User
+ description: Copy Target User
+ source: |-
+ if (ctx?.event?.code == null ||
+ !["4624", "4625", "4634", "4647", "4648", "4768", "4769", "4770",
+ "4771", "4776", "4964"].contains(ctx.event.code)) {
+ return;
+ }
+
+ def targetUserId = ctx?.winlog?.event_data?.TargetUserSid;
+ if (targetUserId == null) {
+ targetUserId = ctx?.winlog?.event_data?.TargetSid;
+ }
+
+ //TargetUserSid to user.id or user.target.id
+ if (targetUserId != null) {
+ if (ctx?.user == null) {
+ HashMap hm = new HashMap();
+ ctx.put("user", hm);
+ }
+ if (ctx?.user?.id == null) {
+ ctx.user.put("id", targetUserId);
+ } else {
+ if (ctx?.user?.target == null) {
+ HashMap hm = new HashMap();
+ ctx.user.put("target", hm);
+ }
+ ctx.user.target.put("id", targetUserId);
+ }
+ }
+
+ //TargetUserName to related.user and user.name or user.target.name
+ if (ctx?.winlog?.event_data?.TargetUserName != null) {
+ def tun = ctx.winlog.event_data.TargetUserName.splitOnToken("@");
+ if (ctx?.user == null) {
+ HashMap hm = new HashMap();
+ ctx.put("user", hm);
+ }
+ if (ctx?.user?.name == null) {
+ ctx.user.put("name", tun[0]);
+ } else {
+ if (ctx?.user?.target == null) {
+ HashMap hm = new HashMap();
+ ctx.user.put("target", hm);
+ }
+ ctx.user.target.put("name", tun[0]);
+ }
+ if (ctx?.related == null) {
+ HashMap hm = new HashMap();
+ ctx.put("related", hm);
+ }
+ if (ctx?.related?.user == null) {
+ ArrayList al = new ArrayList();
+ ctx.related.put("user", al);
+ }
+ if (!ctx.related.user.contains(tun[0])) {
+ ctx.related.user.add(tun[0]);
+ }
+ }
+ //TargetUserDomain to user.domain or user.target.domain
+ if (ctx?.winlog?.event_data?.TargetDomainName != null) {
+ if (ctx?.user == null) {
+ HashMap hm = new HashMap();
+ ctx.put("user", hm);
+ }
+ if (ctx?.user?.domain == null) {
+ ctx.user.put("domain", ctx.winlog.event_data.TargetDomainName);
+ } else {
+ if (ctx?.user?.target == null){
+ HashMap hm = new HashMap();
+ ctx.user.put("target", hm);
+ }
+ ctx.user.target.put("domain", ctx.winlog.event_data.TargetDomainName);
+ }
+ }
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Copy MemberName to User and User to Group
+ description: Copy MemberName to User and User to Group
+ source: |-
+ if (ctx?.event?.code == null ||
+ !["4727", "4728", "4729", "4730", "4731", "4732", "4733", "4734", "4735",
+ "4737", "4744", "4745", "4746", "4747", "4748", "4749", "4750", "4751",
+ "4752", "4753", "4754", "4755", "4756", "4757", "4758", "4759", "4760",
+ "4761", "4762", "4763", "4764", "4799"].contains(ctx.event.code)) {
+ return;
+ }
+ if (ctx?.winlog?.event_data?.MemberName != null) {
+ def memberNameParts = ctx.winlog.event_data.MemberName.splitOnToken(",");
+ def memberName = memberNameParts[0].replace("CN=","").replace("cn=","");
+ if (ctx?.related == null) {
+ HashMap hm = new HashMap();
+ ctx.put("related", hm);
+ }
+ if (ctx?.related?.user == null) {
+ ArrayList al = new ArrayList();
+ ctx.related.put("user", al);
+ }
+ if (ctx?.user == null) {
+ HashMap hm = new HashMap();
+ ctx.put("user", hm);
+ }
+ if (ctx?.user?.target == null){
+ HashMap hm = new HashMap();
+ ctx.user.put("target", hm);
+ }
+ ctx.user.target.put("name", memberName);
+ if (!ctx.related.user.contains(memberName)) {
+ ctx.related.user.add(memberName);
+ }
+ if (memberNameParts.length >= 4) {
+ def domain = memberNameParts[3].replace("DC=", "").replace("dc=", "");
+ ctx.user.target.put("domain", domain);
+ }
+ }
+ if (ctx?.winlog?.event_data?.TargetUserSid != null) {
+ if (ctx?.group == null) {
+ HashMap hm = new HashMap();
+ ctx.put("group", hm);
+ }
+ ctx.group.put("id", ctx.winlog.event_data.TargetUserSid);
+ }
+ if (ctx?.winlog?.event_data?.TargetSid != null) {
+ if (ctx?.group == null) {
+ HashMap hm = new HashMap();
+ ctx.put("group", hm);
+ }
+ ctx.group.put("id", ctx.winlog.event_data.TargetSid);
+ }
+ if (ctx?.winlog?.event_data?.TargetUserName != null) {
+ if (ctx?.group == null) {
+ HashMap hm = new HashMap();
+ ctx.put("group", hm);
+ }
+ ctx.group.put("name", ctx.winlog.event_data.TargetUserName);
+ }
+ if (ctx?.winlog?.event_data?.TargetDomainName != null) {
+ if (ctx?.group == null) {
+ HashMap hm = new HashMap();
+ ctx.put("group", hm);
+ }
+ def domain = ctx.winlog.event_data.TargetDomainName.replace("DC=", "").replace("dc=", "");
+ ctx.group.put("domain", domain);
+ }
+ if (ctx?.user?.target != null) {
+ if (ctx?.user?.target?.group == null) {
+ HashMap hm = new HashMap();
+ ctx.user.target.put("group", hm);
+ }
+ if (ctx?.group?.id != null) {
+ ctx.user.target.group.put("id", ctx.group.id);
+ }
+ if (ctx?.group?.name != null) {
+ ctx.user.target.group.put("name", ctx.group.name);
+ }
+ if (ctx?.group?.domain != null) {
+ ctx.user.target.group.put("domain", ctx.group.domain);
+ }
+ }
+
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Copy Target User to Computer Object
+ description: Copy Target User to Computer Object
+ source: |-
+ if (ctx?.event?.code == null ||
+ !["4741", "4742", "4743"].contains(ctx.event.code)) {
+ return;
+ }
+ if (ctx?.winlog?.event_data?.TargetSid != null) {
+ if (ctx?.winlog?.computerObject == null) {
+ HashMap hm = new HashMap();
+ ctx.winlog.put("computerObject", hm);
+ }
+ ctx.winlog.computerObject.put("id", ctx.winlog.event_data.TargetSid);
+ }
+ if (ctx?.winlog?.event_data?.TargetUserName != null) {
+ if (ctx?.winlog?.computerObject == null) {
+ HashMap hm = new HashMap();
+ ctx.winlog.put("computerObject", hm);
+ }
+ ctx.winlog.computerObject.put("name", ctx.winlog.event_data.TargetUserName);
+ }
+ if (ctx?.winlog?.event_data?.TargetDomainName != null) {
+ if (ctx?.winlog?.computerObject == null) {
+ HashMap hm = new HashMap();
+ ctx.winlog.put("computerObject", hm);
+ }
+ ctx.winlog.computerObject.put("domain", ctx.winlog.event_data.TargetDomainName);
+ }
+
+ - set:
+ field: winlog.logon.id
+ copy_from: winlog.event_data.TargetLogonId
+ ignore_failure: false
+ if: ctx?.event?.code != null && ["4634", "4647", "4964"].contains(ctx.event.code)
+
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Copy Subject User from Event Data
+ description: Copy Subject User from Event Data
+ source: |-
+ if (ctx?.event?.code == null ||
+ !["4657", "4670", "4672", "4673", "4674", "4688", "4689", "4697",
+ "4698", "4699", "4700", "4701", "4702", "4706", "4707", "4713",
+ "4716", "4717", "4718", "4719", "4720", "4722", "4723", "4724",
+ "4725", "4726", "4727", "4728", "4729", "4730", "4731", "4732",
+ "4733", "4734", "4735", "4737", "4738", "4739", "4740", "4741",
+ "4742", "4743", "4744", "4745", "4746", "4747", "4748", "4749",
+ "4750", "4751", "4752", "4753", "4754", "4755", "4756", "4757",
+ "4758", "4759", "4760", "4761", "4762", "4763", "4764", "4767",
+ "4781", "4798", "4799", "4817", "4904", "4905", "4907", "4912",
+ "4648", "4797", "5140", "5145", "5379", "5380", "5381", "5382"].contains(ctx.event.code)) {
+ return;
+ }
+ if (ctx?.winlog?.event_data?.SubjectUserSid != null) {
+ if (ctx?.user == null) {
+ HashMap hm = new HashMap();
+ ctx.put("user", hm);
+ }
+ ctx.user.put("id", ctx.winlog.event_data.SubjectUserSid);
+ }
+ if (ctx?.winlog?.event_data?.SubjectUserName != null) {
+ if (ctx?.user == null) {
+ HashMap hm = new HashMap();
+ ctx.put("user", hm);
+ }
+ if (ctx?.related == null) {
+ HashMap hm = new HashMap();
+ ctx.put("related", hm);
+ }
+ if (ctx?.related?.user == null) {
+ ArrayList al = new ArrayList();
+ ctx.related.put("user", al);
+ }
+ ctx.user.put("name", ctx.winlog.event_data.SubjectUserName);
+ if (!ctx.related.user.contains(ctx.winlog.event_data.SubjectUserName)) {
+ ctx.related.user.add(ctx.winlog.event_data.SubjectUserName);
+ }
+ }
+ if (ctx?.winlog?.event_data?.SubjectDomainName != null) {
+ if (ctx?.user == null) {
+ HashMap hm = new HashMap();
+ ctx.put("user", hm);
+ }
+ ctx.user.put("domain", ctx.winlog.event_data.SubjectDomainName);
+ }
+
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Copy Target User to Target
+ description: Copy Target User to Target
+ source: |-
+ if (ctx?.event?.code == null ||
+ !["4670", "4720", "4722", "4723", "4724", "4725",
+ "4726", "4738", "4740", "4767", "4798", "4817",
+ "4907", "4797"].contains(ctx.event.code)) {
+ return;
+ }
+ if (ctx?.user == null) {
+ HashMap hm = new HashMap();
+ ctx.put("user", hm);
+ }
+ if (ctx?.user?.target == null) {
+ HashMap hm = new HashMap();
+ ctx.user.put("target", hm);
+ }
+ def userId = ctx?.winlog?.event_data?.TargetSid;
+ if (userId != null && userId != "" && userId != "-") ctx.user.target.id = userId;
+ def userName = ctx?.winlog?.event_data?.TargetUserName;
+ if (userName != null && userName != "" && userName != "-") {
+ ctx.user.target.name = userName;
+ def parts = userName.splitOnToken("@");
+ if (parts.length > 1) {
+ ctx.user.target.name = parts[0];
+ }
+ if (ctx?.related?.user == null) {
+ ArrayList al = new ArrayList();
+ ctx.related.put("user", al);
+ }
+ if (!ctx.related.user.contains(ctx.user.target.name)) {
+ ctx.related.user.add(ctx.user.target.name);
+ }
+ }
+ def userDomain = ctx?.winlog?.event_data?.TargetDomainName;
+ if (userDomain != null && userDomain != "" && userDomain != "-") ctx.user.target.domain = userDomain;
+ if (ctx.user?.target != null && ctx.user.target.size() == 0) ctx.user.remove("target");
+
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Copy Target User to Effective
+ description: Copy Target User to Effective
+ source: |-
+ if (ctx?.event?.code == null ||
+ !["4648", "4688"].contains(ctx.event.code)) {
+ return;
+ }
+ if (ctx?.user == null) {
+ HashMap hm = new HashMap();
+ ctx.put("user", hm);
+ }
+ if (ctx?.user?.effective == null) {
+ HashMap hm = new HashMap();
+ ctx.user.put("effective", hm);
+ }
+ def userId = ctx?.winlog?.event_data?.TargetUserSid;
+ if (userId != null && userId != "" && userId != "-") ctx.user.effective.id = userId;
+ def userName = ctx?.winlog?.event_data?.TargetUserName;
+ if (userName != null && userName != "" && userName != "-") {
+ ctx.user.effective.name = userName;
+ def parts = userName.splitOnToken("@");
+ if (parts.length > 1) {
+ ctx.user.effective.name = parts[0];
+ }
+ if (ctx?.related?.user == null) {
+ ArrayList al = new ArrayList();
+ ctx.related.put("user", al);
+ }
+ if (!ctx.related.user.contains(ctx.user.effective.name)) {
+ ctx.related.user.add(ctx.user.effective.name);
+ }
+ }
+ def userDomain = ctx?.winlog?.event_data?.TargetDomainName;
+ if (userDomain != null && userDomain != "" && userDomain != "-") ctx.user.effective.domain = userDomain;
+ if (ctx.user?.effective != null && ctx.user.effective.size() == 0) ctx.user.remove("effective");
+
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Copy Subject User from user_data
+ description: Copy Subject User from user_data
+ source: |-
+ if (ctx?.event?.code == null ||
+ !["1102"].contains(ctx.event.code)) {
+ return;
+ }
+ if (ctx?.winlog?.user_data?.SubjectUserSid != null) {
+ if (ctx?.user == null) {
+ HashMap hm = new HashMap();
+ ctx.put("user", hm);
+ }
+ ctx.user.put("id", ctx.winlog.user_data.SubjectUserSid);
+ }
+ if (ctx?.winlog?.user_data?.SubjectUserName != null) {
+ if (ctx?.user == null) {
+ HashMap hm = new HashMap();
+ ctx.put("user", hm);
+ }
+ if (ctx?.related == null) {
+ HashMap hm = new HashMap();
+ ctx.put("related", hm);
+ }
+ if (ctx?.related?.user == null) {
+ ArrayList al = new ArrayList();
+ ctx.related.put("user", al);
+ }
+ ctx.user.put("name", ctx.winlog.user_data.SubjectUserName);
+ if (!ctx.related.user.contains(ctx.winlog.user_data.SubjectUserName)) {
+ ctx.related.user.add(ctx.winlog.user_data.SubjectUserName);
+ }
+ }
+ if (ctx?.winlog?.user_data?.SubjectDomainName != null) {
+ if (ctx?.user == null) {
+ HashMap hm = new HashMap();
+ ctx.put("user", hm);
+ }
+ ctx.user.put("domain", ctx.winlog.user_data.SubjectDomainName);
+ }
+
+ - set:
+ field: winlog.logon.id
+ copy_from: winlog.event_data.SubjectLogonId
+ ignore_failure: true
+
+ - set:
+ field: winlog.logon.id
+ copy_from: winlog.user_data.SubjectLogonId
+ ignore_failure: true
+ if: |-
+ ctx?.event?.code != null &&
+ ["1102"].contains(ctx.event.code)
+
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Rename Common Auth Fields
+ description: Rename Common Auth Fields
+ source: |-
+ if (ctx?.event?.code == null ||
+ !["1100", "1102", "1104", "1105", "1108", "4624", "4648", "4625",
+ "4670", "4673", "4674", "4689", "4697", "4719", "4720", "4722",
+ "4723", "4724", "4725", "4726", "4727", "4728", "4729", "4730",
+ "4731", "4732", "4733", "4734", "4735", "4737", "4738", "4740",
+ "4741", "4742", "4743", "4744", "4745", "4746", "4747", "4748",
+ "4749", "4750", "4751", "4752", "4753", "4754", "4755", "4756",
+ "4757", "4758", "4759", "4760", "4761", "4762", "4763", "4764",
+ "4767", "4768", "4769", "4770", "4771", "4798", "4799", "4817",
+ "4904", "4905", "4907", "4912", "5140", "5145"].contains(ctx.event.code)) {
+ return;
+ }
+ if (ctx?.winlog?.event_data?.ProcessId != null) {
+ if (ctx?.process == null) {
+ HashMap hm = new HashMap();
+ ctx.put("process", hm);
+ }
+ if (ctx.winlog.event_data.ProcessId instanceof String) {
+ Long pid = Long.decode(ctx.winlog.event_data.ProcessId);
+ ctx.process.put("pid", pid.longValue());
+ } else {
+ ctx.process.put("pid", ctx.winlog.event_data.ProcessId);
+ }
+ ctx.winlog.event_data.remove("ProcessId");
+ }
+ if (ctx?.winlog?.event_data?.ProcessName != null) {
+ if (ctx?.process == null) {
+ HashMap hm = new HashMap();
+ ctx.put("process", hm);
+ }
+ ctx.process.put("executable", ctx.winlog.event_data.ProcessName);
+ ctx.winlog.event_data.remove("ProcessName");
+ }
+ if (ctx?.winlog?.event_data?.IpAddress != null &&
+ ctx.winlog.event_data.IpAddress != "-") {
+ if (ctx?.source == null) {
+ HashMap hm = new HashMap();
+ ctx.put("source", hm);
+ }
+ ctx.source.put("ip", ctx.winlog.event_data.IpAddress);
+ ctx.winlog.event_data.remove("IpAddress");
+ }
+ if (ctx?.winlog?.event_data?.IpPort != null && ctx.winlog.event_data.IpPort != "-") {
+ if (ctx?.source == null) {
+ HashMap hm = new HashMap();
+ ctx.put("source", hm);
+ }
+ ctx.source.put("port", Long.decode(ctx.winlog.event_data.IpPort));
+ ctx.winlog.event_data.remove("IpPort");
+ }
+ if (ctx?.winlog?.event_data?.WorkstationName != null) {
+ if (ctx?.source == null) {
+ HashMap hm = new HashMap();
+ ctx.put("source", hm);
+ }
+ ctx.source.put("domain", ctx.winlog.event_data.WorkstationName);
+ ctx.winlog.event_data.remove("WorkstationName");
+ }
+ if (ctx?.winlog?.event_data?.ClientAddress != null &&
+ ctx.winlog.event_data.ClientAddress != "-") {
+ if (ctx?.related == null) {
+ HashMap hm = new HashMap();
+ ctx.put("related", hm);
+ }
+ ctx.related.put("ip", ctx.winlog.event_data.ClientAddress);
+ ctx.winlog.event_data.remove("ClientAddress");
+ }
+ if (ctx?.process?.name == null && ctx?.process?.executable != null) {
+ def parts = ctx.process.executable.splitOnToken("\\");
+ ctx.process.put("name", parts[-1]);
+ }
+
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Process Event 4688
+ description: Process Event 4688
+ source: |-
+ if (ctx?.event?.code == null ||
+ !["4688"].contains(ctx.event.code)) {
+ return;
+ }
+ if (ctx?.winlog?.event_data?.NewProcessId != null) {
+ if (ctx?.process == null) {
+ HashMap hm = new HashMap();
+ ctx.put("process", hm);
+ }
+ if (ctx.winlog.event_data.NewProcessId instanceof String) {
+ Long pid = Long.decode(ctx.winlog.event_data.NewProcessId);
+ ctx.process.put("pid", pid.longValue());
+ } else {
+ ctx.process.put("pid", ctx.winlog.event_data.NewProcessId);
+ }
+ ctx.winlog.event_data.remove("NewProcessId");
+ }
+ if (ctx?.winlog?.event_data?.NewProcessName != null) {
+ if (ctx?.process == null) {
+ HashMap hm = new HashMap();
+ ctx.put("process", hm);
+ }
+ ctx.process.put("executable", ctx.winlog.event_data.NewProcessName);
+ ctx.winlog.event_data.remove("NewProcessName");
+ }
+ if (ctx?.winlog?.event_data?.ParentProcessName != null) {
+ if (ctx?.process == null) {
+ HashMap hm = new HashMap();
+ ctx.put("process", hm);
+ }
+ if (ctx?.process?.parent == null) {
+ HashMap hm = new HashMap();
+ ctx.process.put("parent", hm);
+ }
+ ctx.process.parent.put("executable", ctx.winlog.event_data.ParentProcessName);
+ ctx.winlog.event_data.remove("ParentProcessName");
+ }
+ if (ctx?.process?.name == null && ctx?.process?.executable != null) {
+ def parts = ctx.process.executable.splitOnToken("\\");
+ ctx.process.put("name", parts[-1]);
+ }
+ if (ctx?.process?.parent?.name == null && ctx?.process?.parent?.executable != null) {
+ def parts = ctx.process.parent.executable.splitOnToken("\\");
+ ctx.process.parent.put("name", parts[-1]);
+ }
+ if (ctx?.winlog?.event_data?.ProcessId != null) {
+ if (ctx?.process == null) {
+ HashMap hm = new HashMap();
+ ctx.put("process", hm);
+ }
+ if (ctx?.process?.parent == null) {
+ HashMap hm = new HashMap();
+ ctx.process.put("parent", hm);
+ }
+ if (ctx.winlog.event_data.ProcessId instanceof String) {
+ Long pid = Long.decode(ctx.winlog.event_data.ProcessId);
+ ctx.process.parent.put("pid", pid.longValue());
+ } else {
+ ctx.process.parent.put("pid", ctx.winlog.event_data.ProcessId);
+ }
+ }
+ if (ctx?.winlog?.event_data?.CommandLine != null) {
+ int start = 0;
+ int end = 0;
+ boolean in_quote = false;
+ ArrayList al = new ArrayList();
+ for (int i = 0; i < ctx.winlog.event_data.CommandLine.length(); i++) {
+ end = i;
+ if (Character.compare(ctx.winlog.event_data.CommandLine.charAt(i), "\"".charAt(0)) == 0) {
+ if (in_quote) {
+ in_quote = false;
+ } else {
+ in_quote = true;
+ }
+ }
+ if (Character.isWhitespace(ctx.winlog.event_data.CommandLine.charAt(i)) && !in_quote) {
+ al.add(ctx.winlog.event_data.CommandLine.substring(start, end));
+ start = i + 1;
+ }
+ if (i == ctx.winlog.event_data.CommandLine.length() - 1) {
+ al.add(ctx.winlog.event_data.CommandLine.substring(start, end + 1));
+ }
+ }
+ if (ctx?.process == null) {
+ HashMap hm = new HashMap();
+ ctx.put("process", hm);
+ }
+ ctx.process.put("args", al);
+ ctx.process.put("command_line", ctx.winlog.event_data.CommandLine);
+ }
+ if ((ctx?.winlog?.event_data?.TargetUserName != null) &&
+ (!ctx.winlog.event_data.TargetUserName.equals("-"))) {
+ if (ctx?.related == null) {
+ HashMap hm = new HashMap();
+ ctx.put("related", hm);
+ }
+ if (ctx?.related?.user == null) {
+ ArrayList al = new ArrayList();
+ ctx.related.put("user", al);
+ }
+ if (!ctx.related.user.contains(ctx.winlog.event_data.TargetUserName)) {
+ ctx.related.user.add(ctx.winlog.event_data.TargetUserName);
+ }
+ }
+
+ - append:
+ field: related.user
+ value: '{{winlog.event_data.SubjectUserName}}'
+ allow_duplicates: false
+ if: |-
+ ctx?.event?.code != null &&
+ ["4624", "4648", "4797", "5379", "5380", "5381", "5382"].contains(ctx.event.code) &&
+ ctx?.winlog?.event_data?.SubjectUserName != null &&
+ ctx.winlog.event_data.SubjectUserName != "-"
+
+ - append:
+ field: related.user
+ value: '{{winlog.event_data.TargetUserName}}'
+ allow_duplicates: false
+ if: |-
+ ctx?.event?.code != null &&
+ ["4688", "4720", "4722", "4723", "4724", "4725", "4726", "4738",
+ "4740", "4767", "4797", "4798"].contains(ctx.event.code) &&
+ ctx?.winlog?.event_data?.TargetUserName != null &&
+ ctx.winlog.event_data.TargetUserName != "-"
+
+ - split:
+ field: winlog.event_data.PrivilegeList
+ separator: "\\s+"
+ if: |-
+ ctx?.event?.code != null &&
+ ["4672", "4673", "4674", "4741", "4742", "4743"].contains(ctx.event.code) &&
+ ctx?.winlog?.event_data?.PrivilegeList != null
+
+ - set:
+ field: user.target.name
+ copy_from: winlog.event_data.OldTargetUserName
+ ignore_empty_value: true
+
+ - set:
+ field: user.changes.name
+ copy_from: winlog.event_data.NewTargetUserName
+ ignore_empty_value: true
+
+ - append:
+ field: related.user
+ value: '{{winlog.event_data.NewTargetUserName}}'
+ allow_duplicates: false
+ if: |-
+ ctx?.winlog?.event_data?.NewTargetUserName != null &&
+ ctx.winlog.event_data.NewTargetUserName != "-"
+
+ - append:
+ field: related.user
+ value: '{{winlog.event_data.OldTargetUserName}}'
+ allow_duplicates: false
+ if: |-
+ ctx?.winlog?.event_data?.OldTargetUserName != null &&
+ ctx.winlog.event_data.OldTargetUserName != "-"
+
+
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Object Policy Change and SidListDesc
+ description: Object Policy Change and SidListDesc
+ # SDDL Ace Types
+ # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4715
+ # https://docs.microsoft.com/en-us/windows/win32/secauthz/ace-strings
+ # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/f4296d69-1c0f-491f-9587-a960b292d070
+ # SDDL Permissions
+ # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4715
+ # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/f4296d69-1c0f-491f-9587-a960b292d070
+ # Known SIDs
+ # https://support.microsoft.com/en-au/help/243330/well-known-security-identifier"S-in-window"S-operating-systems
+ # https://docs.microsoft.com/en-us/windows/win32/secauthz/sid-strings
+ # Domain-specific SIDs
+ # https://support.microsoft.com/en-au/help/243330/well-known-security-identifiers-in-windows-operating-systems
+ # Object Permission Flags
+ # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/7a53f60e-e730-4dfe-bbe9-b21b62eb790b
+ params:
+ AccountSIDDescription:
+ AO: Account operators
+ RU: Alias to allow previous Windows 2000
+ AN: Anonymous logon
+ AU: Authenticated users
+ BA: Built-in administrators
+ BG: Built-in guests
+ BO: Backup operators
+ BU: Built-in users
+ CA: Certificate server administrators
+ CG: Creator group
+ CO: Creator owner
+ DA: Domain administrators
+ DC: Domain computers
+ DD: Domain controllers
+ DG: Domain guests
+ DU: Domain users
+ EA: Enterprise administrators
+ ED: Enterprise domain controllers
+ WD: Everyone
+ PA: Group Policy administrators
+ IU: Interactively logged-on user
+ LA: Local administrator
+ LG: Local guest
+ LS: Local service account
+ SY: Local system
+ NU: Network logon user
+ NO: Network configuration operators
+ NS: Network service account
+ PO: Printer operators
+ PS: Personal self
+ PU: Power users
+ RS: RAS servers group
+ RD: Terminal server users
+ RE: Replicator
+ RC: Restricted code
+ SA: Schema administrators
+ SO: Server operators
+ SU: Service logon user
+ S-1-0: Null Authority
+ S-1-0-0: Nobody
+ S-1-1: World Authority
+ S-1-1-0: Everyone
+ S-1-16-0: Untrusted Mandatory Level
+ S-1-16-12288: High Mandatory Level
+ S-1-16-16384: System Mandatory Level
+ S-1-16-20480: Protected Process Mandatory Level
+ S-1-16-28672: Secure Process Mandatory Level
+ S-1-16-4096: Low Mandatory Level
+ S-1-16-8192: Medium Mandatory Level
+ S-1-16-8448: Medium Plus Mandatory Level
+ S-1-2: Local Authority
+ S-1-2-0: Local
+ S-1-2-1: Console Logon
+ S-1-3: Creator Authority
+ S-1-3-0: Creator Owner
+ S-1-3-1: Creator Group
+ S-1-3-2: Creator Owner Server
+ S-1-3-3: Creator Group Server
+ S-1-3-4: Owner Rights
+ S-1-4: Non-unique Authority
+ S-1-5: NT Authority
+ S-1-5-1: Dialup
+ S-1-5-10: Principal Self
+ S-1-5-11: Authenticated Users
+ S-1-5-12: Restricted Code
+ S-1-5-13: Terminal Server Users
+ S-1-5-14: Remote Interactive Logon
+ S-1-5-15: This Organization
+ S-1-5-17: This Organization
+ S-1-5-18: Local System
+ S-1-5-19: NT Authority
+ S-1-5-2: Network
+ S-1-5-20: NT Authority
+ S-1-5-3: Batch
+ S-1-5-32-544: Administrators
+ S-1-5-32-545: Users
+ S-1-5-32-546: Guests
+ S-1-5-32-547: Power Users
+ S-1-5-32-548: Account Operators
+ S-1-5-32-549: Server Operators
+ S-1-5-32-550: Print Operators
+ S-1-5-32-551: Backup Operators
+ S-1-5-32-552: Replicators
+ S-1-5-32-554: Builtin\Pre-Windows 2000 Compatible Access
+ S-1-5-32-555: Builtin\Remote Desktop Users
+ S-1-5-32-556: Builtin\Network Configuration Operators
+ S-1-5-32-557: Builtin\Incoming Forest Trust Builders
+ S-1-5-32-558: Builtin\Performance Monitor Users
+ S-1-5-32-559: Builtin\Performance Log Users
+ S-1-5-32-560: Builtin\Windows Authorization Access Group
+ S-1-5-32-561: Builtin\Terminal Server License Servers
+ S-1-5-32-562: Builtin\Distributed COM Users
+ S-1-5-32-569: Builtin\Cryptographic Operators
+ S-1-5-32-573: Builtin\Event Log Readers
+ S-1-5-32-574: Builtin\Certificate Service DCOM Access
+ S-1-5-32-575: Builtin\RDS Remote Access Servers
+ S-1-5-32-576: Builtin\RDS Endpoint Servers
+ S-1-5-32-577: Builtin\RDS Management Servers
+ S-1-5-32-578: Builtin\Hyper-V Administrators
+ S-1-5-32-579: Builtin\Access Control Assistance Operators
+ S-1-5-32-580: Builtin\Remote Management Users
+ S-1-5-32-582: Storage Replica Administrators
+ S-1-5-4: Interactive
+ S-1-5-5-X-Y: Logon Session
+ S-1-5-6: Service
+ S-1-5-64-10: NTLM Authentication
+ S-1-5-64-14: SChannel Authentication
+ S-1-5-64-21: Digest Authentication
+ S-1-5-7: Anonymous
+ S-1-5-8: Proxy
+ S-1-5-80: NT Service
+ S-1-5-80-0: All Services
+ S-1-5-83-0: NT Virtual Machine\Virtual Machines
+ S-1-5-9: Enterprise Domain Controllers
+ S-1-5-90-0: Windows Manager\Windows Manager Group
+ AceTypes:
+ A: Access Allowed
+ D: Access Denied
+ OA: Object Access Allowed
+ OD: Object Access Denied
+ AU: System Audit
+ AL: System Alarm
+ OU: System Object Audit
+ OL: System Object Alarm
+ ML: System Mandatory Label
+ SP: Central Policy ID
+ DomainSpecificSID:
+ "498": Enterprise Read-only Domain Controllers
+ "500": Administrator
+ "501": Guest
+ "502": KRBTGT
+ "512": Domain Admins
+ "513": Domain Users
+ "514": Domain Guests
+ "515": Domain Computers
+ "516": Domain Controllers
+ "517": Cert Publishers
+ "518": Schema Admins
+ "519": Enterprise Admins
+ "520": Group Policy Creator Owners
+ "521": Read-only Domain Controllers
+ "522": Cloneable Domain Controllers
+ "526": Key Admins
+ "527": Enterprise Key Admins
+ "553": RAS and IAS Servers
+ "571": Allowed RODC Password Replication Group
+ "572": Denied RODC Password Replication Group
+ PermissionDescription:
+ GA: Generic All
+ GR: Generic Read
+ GW: Generic Write
+ GX: Generic Execute
+ RC: Read Permissions
+ SD: Delete
+ WD: Modify Permissions
+ WO: Modify Owner
+ RP: Read All Properties
+ WP: Write All Properties
+ CC: Create All Child Objects
+ DC: Delete All Child Objects
+ LC: List Contents
+ SW: All Validated
+ LO: List Object
+ DT: Delete Subtree
+ CR: All Extended Rights
+ FA: File All Access
+ FR: File Generic Read
+ FX: FILE GENERIC EXECUTE
+ FW: FILE GENERIC WRITE
+ KA: KEY ALL ACCESS
+ KR: KEY READ
+ KW: KEY WRITE
+ KX: KEY EXECUTE
+ PermsFlags:
+ "0x80000000": 'Generic Read'
+ "0x4000000": 'Generic Write'
+ "0x20000000": 'Generic Execute'
+ "0x10000000": 'Generic All'
+ "0x02000000": 'Maximum Allowed'
+ "0x01000000": 'Access System Security'
+ "0x00100000": 'Syncronize'
+ "0x00080000": 'Write Owner'
+ "0x00040000": 'Write DACL'
+ "0x00020000": 'Read Control'
+ "0x00010000": 'Delete'
+ source: |-
+ ArrayList translatePermissionMask(def mask, def params) {
+ ArrayList al = new ArrayList();
+ Long permCode = Long.decode(mask);
+ for (entry in params.PermsFlags.entrySet()) {
+ Long permFlag = Long.decode(entry.getKey());
+ if ((permCode.longValue() & permFlag.longValue()) == permFlag.longValue()) {
+ al.add(entry.getValue());
+ }
+ }
+ if (al.length == 0) {
+ al.add(mask);
+ }
+ return al;
+ }
+
+ HashMap translateACL(def dacl, def params) {
+ def aceArray = dacl.splitOnToken(";");
+ HashMap hm = new HashMap();
+
+ if (aceArray.length >= 6 ) {
+ hm.put("grantee", translateSID(aceArray[5], params));
+ }
+
+ if (aceArray.length >= 1) {
+ hm.put("type", params.AceTypes[aceArray[0]]);
+ }
+
+ if (aceArray.length >= 3) {
+ if (aceArray[2].startsWith("0x")) {
+ hm.put("perms", translatePermissionMask(aceArray[2], params));
+ } else {
+ ArrayList al = new ArrayList();
+ Pattern permPattern = /.{1,2}/;
+ Matcher permMatcher = permPattern.matcher(aceArray[2]);
+ while (permMatcher.find()) {
+ al.add(params.PermissionDescription[permMatcher.group(0)]);
+ }
+ hm.put("perms", al);
+ }
+ }
+ return hm;
+ }
+ String translateSID(def sid, def params) {
+ if (!params.AccountSIDDescription.containsKey(sid)) {
+ if (sid.startsWith("S-1-5-21")) {
+ Pattern uidPattern = /[0-9]{1,5}$/;
+ Matcher uidMatcher = uidPattern.matcher(sid);
+ if (uidMatcher.find()) {
+ return params.DomainSpecificSID[uidMatcher.group(0)];
+ }
+ return sid;
+ }
+ return sid;
+ }
+ return params.AccountSIDDescription[sid];
+ }
+
+
+ void enrichSDDL(def sddlStr, def Sd, def params, def ctx) {
+ Pattern sdOwnerPattern = /^O\:[A-Z]{2}/;
+ Matcher sdOwnerMatcher = sdOwnerPattern.matcher(sddlStr);
+ if (sdOwnerMatcher.find()) {
+ ctx.winlog.event_data.put(Sd + "Owner", translateSID(sdOwnerMatcher.group(0), params));
+ }
+
+ Pattern sdGroupPattern = /^G\:[A-Z]{2}/;
+ Matcher sdGroupMatcher = sdGroupPattern.matcher(sddlStr);
+ if (sdGroupMatcher.find()) {
+ ctx.winlog.event_data.put(Sd + "Group", translateSID(sdGroupMatcher.group(0), params));
+ }
+
+ Pattern sdDaclPattern = /(D:([A-Z]*(\(.*\))*))/;
+ Matcher sdDaclMatcher = sdDaclPattern.matcher(sddlStr);
+ if (sdDaclMatcher.find()) {
+ Pattern dacListPattern = /\([^*\)]*\)/;
+ Matcher dacListMatcher = dacListPattern.matcher(sdDaclMatcher.group(1));
+ for (def i = 0; dacListMatcher.find(); i++) {
+ def newDacl = translateACL(dacListMatcher.group(0).replace("(","").replace(")",""), params);
+ ctx.winlog.event_data.put(Sd + "Dacl" + i.toString(), newDacl['grantee'] + " :" + newDacl['type'] + " (" + newDacl['perms'] + ")");
+ if (["Administrator", "Guest", "KRBTGT"].contains(newDacl['grantee'])) {
+ if (ctx?.related == null) {
+ HashMap hm = new HashMap();
+ ctx.put("related", hm);
+ }
+ if (ctx?.related?.user == null) {
+ ArrayList al = new ArrayList();
+ ctx.related.put("user", al);
+ }
+ if (!ctx.related.user.contains(newDacl['grantee'])) {
+ ctx.related.user.add(newDacl['grantee']);
+ }
+ }
+ }
+ }
+
+ Pattern sdSaclPattern = /(S:([A-Z]*(\(.*\))*))?$/;
+ Matcher sdSaclMatcher = sdSaclPattern.matcher(sddlStr);
+ if (sdSaclMatcher.find()) {
+ Pattern sacListPattern = /\([^*\)]*\)/;
+ Matcher sacListMatcher = sacListPattern.matcher(sdSaclMatcher.group(0));
+ for (def i = 0; sacListMatcher.find(); i++) {
+ def newSacl = translateACL(sacListMatcher.group(0).replace("(","").replace(")",""), params);
+ ctx.winlog.event_data.put(Sd + "Sacl" + i.toString(), newSacl['grantee'] + " :" + newSacl['type'] + " (" + newSacl['perms'] + ")");
+ if (["Administrator", "Guest", "KRBTGT"].contains(newSacl['grantee'])) {
+ if (ctx?.related == null) {
+ HashMap hm = new HashMap();
+ ctx.put("related", hm);
+ }
+ if (ctx?.related?.user == null) {
+ ArrayList al = new ArrayList();
+ ctx.related.put("user", al);
+ }
+ if (!ctx.related.user.contains(newSacl['grantee'])) {
+ ctx.related.user.add(newSacl['grantee']);
+ }
+ }
+ }
+ }
+ }
+
+ void splitSidList(def sids, def params, def ctx) {
+ ArrayList al = new ArrayList();
+ def sidList = sids.splitOnToken(" ");
+ ctx.winlog.event_data.put("SidList", sidList);
+ for (def i = 0; i < sidList.length; i++ ) {
+ al.add(translateSID(sidList[i].replace("%", "").replace("{", "").replace("}", "").replace(" ",""), params));
+ }
+ ctx.winlog.event_data.put("SidListDesc", al);
+ }
+
+ if (ctx?.event?.code == null ||
+ !["4670", "4817", "4907", "4908"].contains(ctx.event.code)) {
+ return;
+ }
+ if (ctx?.winlog?.event_data?.OldSd != null) {
+ enrichSDDL(ctx.winlog.event_data.OldSd, "OldSd", params, ctx);
+ }
+ if (ctx?.winlog?.event_data?.NewSd != null) {
+ enrichSDDL(ctx.winlog.event_data.NewSd, "NewSd", params, ctx);
+ }
+ if (ctx?.winlog?.event_data?.SidList != null) {
+ splitSidList(ctx.winlog.event_data.SidList, params, ctx);
+ }
+
+ - set:
+ field: file.name
+ copy_from: winlog.event_data.RelativeTargetName
+ if: |-
+ ctx.event?.code != null &&
+ ["5140", "5145"].contains(ctx.event.code) &&
+ ctx.winlog?.event_data?.RelativeTargetName != null &&
+ ctx.winlog?.event_data?.RelativeTargetName != ""
+ - set:
+ field: file.directory
+ copy_from: winlog.event_data.ShareLocalPath
+ if: |-
+ ctx.event?.code != null &&
+ ["5140", "5145"].contains(ctx.event.code) &&
+ ctx.winlog?.event_data?.ShareLocalPath != null &&
+ ctx.winlog?.event_data?.ShareLocalPath != ""
+ - set:
+ field: file.path
+ value: "{{file.directory}}\\{{file.name}}"
+ if: ctx.file?.name != null && ctx.file?.directory != null
+ - set:
+ field: file.directory
+ copy_from: winlog.event_data.ShareLocalPath
+ if: |-
+ ctx.event?.code != null &&
+ ["5140", "5145"].contains(ctx.event.code) &&
+ ctx.winlog?.event_data?.ShareLocalPath != null &&
+ ctx.winlog?.event_data?.ShareLocalPath != ""
+ - set:
+ field: file.target_path
+ value: "{{winlog.event_data.ShareName}}\\{{file.name}}"
+ if: |-
+ ctx.event?.code != null &&
+ ["5140", "5145"].contains(ctx.event.code) &&
+ ctx.winlog?.event_data?.ShareName != null &&
+ ctx.winlog?.event_data?.ShareName != "" &&
+ ctx.file?.name != null
+ - script:
+ description: Adds file information.
+ lang: painless
+ if: ctx.file?.name != null
+ source: |-
+ def extIdx = ctx.file.name.lastIndexOf(".");
+ if (extIdx > -1) {
+ ctx.file.extension = ctx.file.name.substring(extIdx+1);
+ }
+on_failure:
+ - set:
+ field: error.message
+ value: |-
+ Processor "{{ _ingest.on_failure_processor_type }}" with tag "{{ _ingest.on_failure_processor_tag }}" in pipeline "{{ _ingest.on_failure_pipeline }}" failed with message "{{ _ingest.on_failure_message }}"
diff --git a/test/packages/parallel/system/data_stream/security/fields/agent.yml b/test/packages/parallel/system/data_stream/security/fields/agent.yml
new file mode 100644
index 000000000..da4e652c5
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/fields/agent.yml
@@ -0,0 +1,198 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+ type: group
+ fields:
+ - name: account.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
+
+ Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+ example: 666777888999
+ - name: availability_zone
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Availability zone in which this host is running.
+ example: us-east-1c
+ - name: instance.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance ID of the host machine.
+ example: i-1234567890abcdef0
+ - name: instance.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance name of the host machine.
+ - name: machine.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Machine type of the host machine.
+ example: t2.medium
+ - name: provider
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+ example: aws
+ - name: region
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Region in which this host is running.
+ example: us-east-1
+ - name: project.id
+ type: keyword
+ description: Name of the project in Google Cloud.
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
+- name: container
+ title: Container
+ group: 2
+ description: 'Container fields are used for meta information about the specific container that is the source of information.
+
+ These fields help correlate data based containers from any runtime.'
+ type: group
+ fields:
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique container id.
+ - name: image.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the image the container was built on.
+ - name: labels
+ level: extended
+ type: object
+ object_type: keyword
+ description: Image labels.
+ - name: name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Container name.
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: architecture
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Operating system architecture.
+ example: x86_64
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the domain of which the host is a member.
+
+ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
+ example: CONTOSO
+ default_field: false
+ - name: hostname
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Hostname of the host.
+
+ It normally contains what the `hostname` command returns on the host machine.'
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique host id.
+
+ As hostname is not always unique, use values that are meaningful in your environment.
+
+ Example: The current usage of `beat.name`.'
+ - name: ip
+ level: core
+ type: ip
+ description: Host ip addresses.
+ - name: mac
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Host mac addresses.
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the host.
+
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
+ - name: os.family
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: OS family (such as redhat, debian, freebsd, windows).
+ example: debian
+ - name: os.kernel
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system kernel version as a raw string.
+ example: 4.4.0-112-generic
+ - name: os.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Operating system name, without the version.
+ example: Mac OS X
+ - name: os.platform
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system platform (such centos, ubuntu, windows).
+ example: darwin
+ - name: os.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system version as a raw string.
+ example: 10.14.1
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Type of host.
+
+ For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
+ - name: containerized
+ type: boolean
+ description: >
+ If the host is a container.
+
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >
+ OS build information.
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
+
diff --git a/test/packages/parallel/system/data_stream/security/fields/base-fields.yml b/test/packages/parallel/system/data_stream/security/fields/base-fields.yml
new file mode 100644
index 000000000..8c57a260b
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/fields/base-fields.yml
@@ -0,0 +1,26 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+ value: logs
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset name.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: system
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset.
+ value: system.security
+- name: tags
+ description: List of keywords used to tag each event.
+ example: '["production", "env2"]'
+ ignore_above: 1024
+ type: keyword
diff --git a/test/packages/parallel/system/data_stream/security/fields/beats.yml b/test/packages/parallel/system/data_stream/security/fields/beats.yml
new file mode 100644
index 000000000..3c48f1f22
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/fields/beats.yml
@@ -0,0 +1,3 @@
+- name: input.type
+ type: keyword
+ description: Type of Filebeat input.
diff --git a/test/packages/parallel/system/data_stream/security/fields/ecs.yml b/test/packages/parallel/system/data_stream/security/fields/ecs.yml
new file mode 100644
index 000000000..db2b6257c
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/fields/ecs.yml
@@ -0,0 +1,140 @@
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: event.action
+- external: ecs
+ name: event.category
+- external: ecs
+ name: event.code
+- external: ecs
+ name: event.created
+- external: ecs
+ name: event.ingested
+- external: ecs
+ name: event.kind
+- external: ecs
+ name: event.module
+- external: ecs
+ name: event.original
+- external: ecs
+ name: event.outcome
+- external: ecs
+ name: event.provider
+- external: ecs
+ name: event.sequence
+- external: ecs
+ name: event.type
+- external: ecs
+ name: group.domain
+- external: ecs
+ name: group.id
+- external: ecs
+ name: group.name
+- external: ecs
+ name: host.name
+- external: ecs
+ name: log.file.path
+- external: ecs
+ name: log.level
+- external: ecs
+ name: message
+- external: ecs
+ name: process.args
+- external: ecs
+ name: process.args_count
+- external: ecs
+ name: process.command_line
+- external: ecs
+ name: process.entity_id
+- external: ecs
+ name: process.executable
+- external: ecs
+ name: process.name
+- external: ecs
+ name: process.parent.executable
+- external: ecs
+ name: process.parent.name
+- external: ecs
+ name: process.parent.pid
+- external: ecs
+ name: process.pid
+- external: ecs
+ name: process.title
+- external: ecs
+ name: related.hash
+- external: ecs
+ name: related.hosts
+- external: ecs
+ name: related.ip
+- external: ecs
+ name: related.user
+- external: ecs
+ name: service.name
+- external: ecs
+ name: service.type
+- external: ecs
+ name: source.domain
+- external: ecs
+ name: source.as.number
+- external: ecs
+ name: source.as.organization.name
+- external: ecs
+ name: source.geo.city_name
+- external: ecs
+ name: source.geo.continent_name
+- external: ecs
+ name: source.geo.country_iso_code
+- external: ecs
+ name: source.geo.country_name
+- external: ecs
+ name: source.geo.location
+- external: ecs
+ name: source.geo.name
+- external: ecs
+ name: source.geo.region_iso_code
+- external: ecs
+ name: source.geo.region_name
+- external: ecs
+ name: source.ip
+- external: ecs
+ name: source.port
+- external: ecs
+ name: user.domain
+- external: ecs
+ name: user.id
+- external: ecs
+ name: user.name
+- external: ecs
+ name: user.effective.domain
+- external: ecs
+ name: user.effective.id
+- external: ecs
+ name: user.effective.name
+- external: ecs
+ name: user.target.group.domain
+- external: ecs
+ name: user.target.group.id
+- external: ecs
+ name: user.target.group.name
+- external: ecs
+ name: user.target.name
+- external: ecs
+ name: user.target.domain
+- external: ecs
+ name: user.target.id
+- external: ecs
+ name: user.changes.name
+- external: ecs
+ name: file.name
+- external: ecs
+ name: file.path
+- external: ecs
+ name: file.target_path
+- external: ecs
+ name: file.directory
+- external: ecs
+ name: file.extension
+- external: ecs
+ name: error.code
+- external: ecs
+ name: error.message
diff --git a/test/packages/parallel/system/data_stream/security/fields/fields.yml b/test/packages/parallel/system/data_stream/security/fields/fields.yml
new file mode 100644
index 000000000..48deb4f52
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/fields/fields.yml
@@ -0,0 +1,30 @@
+- name: winlog.logon
+ type: group
+ description: Data related to a Windows logon.
+ fields:
+ - name: type
+ type: keyword
+ description: >
+ Logon type name. This is the descriptive version of the `winlog.event_data.LogonType` ordinal. This is an enrichment added by the Security module.
+
+ example: RemoteInteractive
+ - name: id
+ type: keyword
+ description: >
+ Logon ID that can be used to associate this logon with other events related to the same logon session.
+
+ - name: failure.reason
+ type: keyword
+ description: >
+ The reason the logon failed.
+
+ - name: failure.status
+ type: keyword
+ description: >
+ The reason the logon failed. This is textual description based on the value of the hexadecimal `Status` field.
+
+ - name: failure.sub_status
+ type: keyword
+ description: >
+ Additional information about the logon failure. This is a textual description based on the value of the hexidecimal `SubStatus` field.
+
diff --git a/test/packages/parallel/system/data_stream/security/fields/winlog.yml b/test/packages/parallel/system/data_stream/security/fields/winlog.yml
new file mode 100644
index 000000000..e2fe86136
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/fields/winlog.yml
@@ -0,0 +1,662 @@
+- name: winlog
+ type: group
+ description: >
+ All fields specific to the Windows Event Log are defined here.
+
+ fields:
+ - name: api
+ required: true
+ type: keyword
+ description: >
+ The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API.
+
+ The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs.
+
+ - name: activity_id
+ type: keyword
+ required: false
+ description: >
+ A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity.
+
+ - name: channel
+ type: keyword
+ required: true
+ description: >
+ The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration.
+
+ - name: computer_name
+ type: keyword
+ required: true
+ description: >
+ The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`.
+
+ - name: computerObject
+ type: group
+ description: >
+ computer Object data
+
+ fields:
+ - name: domain
+ type: keyword
+ - name: id
+ type: keyword
+ - name: name
+ type: keyword
+ - name: event_data
+ type: object
+ object_type: keyword
+ required: false
+ description: >
+ The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows.
+
+ - name: event_data
+ type: group
+ description: >
+ This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs.
+
+ fields:
+ - name: AccessGranted
+ type: keyword
+ - name: AccessList
+ type: keyword
+ - name: AccessListDescription
+ type: keyword
+ - name: AccessMask
+ type: keyword
+ - name: AccessMaskDescription
+ type: keyword
+ - name: AccessReason
+ type: keyword
+ - name: AccessRemoved
+ type: keyword
+ - name: AccountDomain
+ type: keyword
+ - name: AccountExpires
+ type: keyword
+ - name: AccountName
+ type: keyword
+ - name: AllowedToDelegateTo
+ type: keyword
+ - name: AuditPolicyChanges
+ type: keyword
+ - name: AuditPolicyChangesDescription
+ type: keyword
+ - name: AuditSourceName
+ type: keyword
+ - name: AuthenticationPackageName
+ type: keyword
+ - name: Binary
+ type: keyword
+ - name: BitlockerUserInputTime
+ type: keyword
+ - name: BootMode
+ type: keyword
+ - name: BootType
+ type: keyword
+ - name: BuildVersion
+ type: keyword
+ - name: CallerProcessId
+ type: keyword
+ - name: CallerProcessName
+ type: keyword
+ - name: Category
+ type: keyword
+ - name: CategoryId
+ type: keyword
+ - name: ClientAddress
+ type: keyword
+ - name: ClientName
+ type: keyword
+ - name: ClientProcessId
+ type: keyword
+ - name: CommandLine
+ type: keyword
+ - name: Company
+ type: keyword
+ - name: ComputerAccountChange
+ type: keyword
+ - name: CorruptionActionState
+ type: keyword
+ - name: CountOfCredentialsReturned
+ type: keyword
+ - name: CrashOnAuditFailValue
+ type: keyword
+ - name: CreationUtcTime
+ type: keyword
+ - name: Description
+ type: keyword
+ - name: Detail
+ type: keyword
+ - name: DeviceName
+ type: keyword
+ - name: DeviceNameLength
+ type: keyword
+ - name: DeviceTime
+ type: keyword
+ - name: DeviceVersionMajor
+ type: keyword
+ - name: DeviceVersionMinor
+ type: keyword
+ - name: DisplayName
+ type: keyword
+ - name: DnsHostName
+ type: keyword
+ - name: DomainBehaviorVersion
+ type: keyword
+ - name: DomainName
+ type: keyword
+ - name: DomainPolicyChanged
+ type: keyword
+ - name: DomainSid
+ type: keyword
+ - name: DriveName
+ type: keyword
+ - name: DriverName
+ type: keyword
+ - name: DriverNameLength
+ type: keyword
+ - name: Dummy
+ type: keyword
+ - name: DwordVal
+ type: keyword
+ - name: EntryCount
+ type: keyword
+ - name: EventSourceId
+ type: keyword
+ - name: ExtraInfo
+ type: keyword
+ - name: FailureName
+ type: keyword
+ - name: FailureNameLength
+ type: keyword
+ - name: FailureReason
+ type: keyword
+ - name: FileVersion
+ type: keyword
+ - name: FinalStatus
+ type: keyword
+ - name: Flags
+ type: keyword
+ - name: Group
+ type: keyword
+ - name: GroupTypeChange
+ type: keyword
+ - name: HandleId
+ type: keyword
+ - name: HomeDirectory
+ type: keyword
+ - name: HomePath
+ type: keyword
+ - name: Identity
+ type: keyword
+ - name: IdleImplementation
+ type: keyword
+ - name: IdleStateCount
+ type: keyword
+ - name: ImpersonationLevel
+ type: keyword
+ - name: IntegrityLevel
+ type: keyword
+ - name: IpAddress
+ type: keyword
+ - name: IpPort
+ type: keyword
+ - name: KerberosPolicyChange
+ type: keyword
+ - name: KeyLength
+ type: keyword
+ - name: LastBootGood
+ type: keyword
+ - name: LastShutdownGood
+ type: keyword
+ - name: LmPackageName
+ type: keyword
+ - name: LogonGuid
+ type: keyword
+ - name: LogonHours
+ type: keyword
+ - name: LogonId
+ type: keyword
+ - name: LogonID
+ type: keyword
+ - name: LogonProcessName
+ type: keyword
+ - name: LogonType
+ type: keyword
+ - name: MachineAccountQuota
+ type: keyword
+ - name: MajorVersion
+ type: keyword
+ - name: MandatoryLabel
+ type: keyword
+ - name: MaximumPerformancePercent
+ type: keyword
+ - name: MemberName
+ type: keyword
+ - name: MemberSid
+ type: keyword
+ - name: MinimumPerformancePercent
+ type: keyword
+ - name: MinimumThrottlePercent
+ type: keyword
+ - name: MinorVersion
+ type: keyword
+ - name: MixedDomainMode
+ type: keyword
+ - name: NewProcessId
+ type: keyword
+ - name: NewProcessName
+ type: keyword
+ - name: NewSchemeGuid
+ type: keyword
+ - name: NewSd
+ type: keyword
+ - name: NewSdDacl0
+ type: keyword
+ - name: NewSdDacl1
+ type: keyword
+ - name: NewSdDacl2
+ type: keyword
+ - name: NewSdSacl0
+ type: keyword
+ - name: NewSdSacl1
+ type: keyword
+ - name: NewSdSacl2
+ type: keyword
+ - name: NewTargetUserName
+ type: keyword
+ - name: NewTime
+ type: keyword
+ - name: NewUACList
+ type: keyword
+ - name: NewUacValue
+ type: keyword
+ - name: NominalFrequency
+ type: keyword
+ - name: Number
+ type: keyword
+ - name: ObjectName
+ type: keyword
+ - name: ObjectServer
+ type: keyword
+ - name: ObjectType
+ type: keyword
+ - name: OemInformation
+ type: keyword
+ - name: OldSchemeGuid
+ type: keyword
+ - name: OldSd
+ type: keyword
+ - name: OldSdDacl0
+ type: keyword
+ - name: OldSdDacl1
+ type: keyword
+ - name: OldSdDacl2
+ type: keyword
+ - name: OldSdSacl0
+ type: keyword
+ - name: OldSdSacl1
+ type: keyword
+ - name: OldSdSacl2
+ type: keyword
+ - name: OldTargetUserName
+ type: keyword
+ - name: OldTime
+ type: keyword
+ - name: OldUacValue
+ type: keyword
+ - name: OriginalFileName
+ type: keyword
+ - name: PackageName
+ type: keyword
+ - name: PasswordLastSet
+ type: keyword
+ - name: PasswordHistoryLength
+ type: keyword
+ - name: Path
+ type: keyword
+ - name: ParentProcessName
+ type: keyword
+ - name: PerformanceImplementation
+ type: keyword
+ - name: PreviousCreationUtcTime
+ type: keyword
+ - name: PreAuthType
+ type: keyword
+ - name: PreviousTime
+ type: keyword
+ - name: PrimaryGroupId
+ type: keyword
+ - name: PrivilegeList
+ type: keyword
+ - name: ProcessCreationTime
+ type: keyword
+ - name: ProcessId
+ type: keyword
+ - name: ProcessName
+ type: keyword
+ - name: ProcessPath
+ type: keyword
+ - name: ProcessPid
+ type: keyword
+ - name: Product
+ type: keyword
+ - name: ProfilePath
+ type: keyword
+ - name: PuaCount
+ type: keyword
+ - name: PuaPolicyId
+ type: keyword
+ - name: QfeVersion
+ type: keyword
+ - name: ReadOperation
+ type: keyword
+ - name: Reason
+ type: keyword
+ - name: RelativeTargetName
+ type: keyword
+ - name: Resource
+ type: keyword
+ - name: ResourceAttributes
+ type: keyword
+ - name: ReturnCode
+ type: keyword
+ - name: SamAccountName
+ type: keyword
+ - name: Schema
+ type: keyword
+ - name: SchemaFriendlyName
+ type: keyword
+ - name: SchemaVersion
+ type: keyword
+ - name: ScriptPath
+ type: keyword
+ - name: SearchString
+ type: keyword
+ - name: SidHistory
+ type: keyword
+ - name: ScriptBlockText
+ type: keyword
+ - name: Service
+ type: keyword
+ - name: ServiceAccount
+ type: keyword
+ - name: ServiceFileName
+ type: keyword
+ - name: ServiceName
+ type: keyword
+ - name: ServicePrincipalNames
+ type: keyword
+ - name: ServiceSid
+ type: keyword
+ - name: ServiceStartType
+ type: keyword
+ - name: ServiceType
+ type: keyword
+ - name: ServiceVersion
+ type: keyword
+ - name: SessionName
+ type: keyword
+ - name: ShareLocalPath
+ type: keyword
+ - name: ShareName
+ type: keyword
+ - name: ShutdownActionType
+ type: keyword
+ - name: ShutdownEventCode
+ type: keyword
+ - name: ShutdownReason
+ type: keyword
+ - name: SidFilteringEnabled
+ type: keyword
+ - name: Signature
+ type: keyword
+ - name: SignatureStatus
+ type: keyword
+ - name: Signed
+ type: keyword
+ - name: StartTime
+ type: keyword
+ - name: State
+ type: keyword
+ - name: Status
+ type: keyword
+ - name: StatusDescription
+ type: keyword
+ - name: StopTime
+ type: keyword
+ - name: SubCategory
+ type: keyword
+ - name: SubCategoryGuid
+ type: keyword
+ - name: SubcategoryGuid
+ type: keyword
+ - name: SubCategoryId
+ type: keyword
+ - name: SubcategoryId
+ type: keyword
+ - name: SubjectDomainName
+ type: keyword
+ - name: SubjectLogonId
+ type: keyword
+ - name: SubjectUserName
+ type: keyword
+ - name: SubjectUserSid
+ type: keyword
+ - name: SubStatus
+ type: keyword
+ - name: TSId
+ type: keyword
+ - name: TargetDomainName
+ type: keyword
+ - name: TargetInfo
+ type: keyword
+ - name: TargetLogonGuid
+ type: keyword
+ - name: TargetLogonId
+ type: keyword
+ - name: TargetName
+ type: keyword
+ - name: TargetServerName
+ type: keyword
+ - name: TargetSid
+ type: keyword
+ - name: TargetUserName
+ type: keyword
+ - name: TargetUserSid
+ type: keyword
+ - name: TdoAttributes
+ type: keyword
+ - name: TdoDirection
+ type: keyword
+ - name: TdoType
+ type: keyword
+ - name: TerminalSessionId
+ type: keyword
+ - name: TicketEncryptionType
+ type: keyword
+ - name: TicketEncryptionTypeDescription
+ type: keyword
+ - name: TicketOptions
+ type: keyword
+ - name: TicketOptionsDescription
+ type: keyword
+ - name: TokenElevationType
+ type: keyword
+ - name: TransmittedServices
+ type: keyword
+ - name: Type
+ type: keyword
+ - name: UserAccountControl
+ type: keyword
+ - name: UserParameters
+ type: keyword
+ - name: UserPrincipalName
+ type: keyword
+ - name: UserSid
+ type: keyword
+ - name: UserWorkstations
+ type: keyword
+ - name: Version
+ type: keyword
+ - name: Workstation
+ type: keyword
+ - name: WorkstationName
+ type: keyword
+ - name: param1
+ type: keyword
+ - name: param2
+ type: keyword
+ - name: param3
+ type: keyword
+ - name: param4
+ type: keyword
+ - name: param5
+ type: keyword
+ - name: param6
+ type: keyword
+ - name: param7
+ type: keyword
+ - name: param8
+ type: keyword
+ - name: event_id
+ type: keyword
+ required: true
+ description: >
+ The event identifier. The value is specific to the source of the event.
+
+ - name: keywords
+ type: keyword
+ required: false
+ description: >
+ The keywords are used to classify an event.
+
+ - name: level
+ type: keyword
+ required: false
+ description: >
+ The event severity. Levels are Critical, Error, Warning and Information, Verbose
+
+ - name: outcome
+ type: keyword
+ required: false
+ description: >
+ Success or Failure of the event.
+
+ - name: record_id
+ type: keyword
+ required: true
+ description: >
+ The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0.
+
+ - name: related_activity_id
+ type: keyword
+ required: false
+ description: >
+ A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier.
+
+ - name: opcode
+ type: keyword
+ required: false
+ description: >
+ The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged.
+
+ - name: provider_guid
+ type: keyword
+ required: false
+ description: >
+ A globally unique identifier that identifies the provider that logged the event.
+
+ - name: process.pid
+ type: long
+ required: false
+ description: >
+ The process_id of the Client Server Runtime Process.
+
+ - name: provider_name
+ type: keyword
+ required: true
+ description: >
+ The source of the event log record (the application or service that logged the record).
+
+ - name: task
+ type: keyword
+ required: false
+ description: >
+ The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field.
+
+ - name: time_created
+ type: date
+ required: false
+ description: >
+ Time event was created
+
+ - name: trustAttribute
+ type: keyword
+ required: false
+ - name: trustDirection
+ type: keyword
+ required: false
+ - name: trustType
+ type: keyword
+ required: false
+ - name: process.thread.id
+ type: long
+ required: false
+ - name: user_data
+ type: object
+ object_type: keyword
+ required: false
+ description: >
+ The event specific data. This field is mutually exclusive with `event_data`.
+
+ - name: user_data
+ type: group
+ description: >
+ The event specific data. This field is mutually exclusive with `event_data`.
+
+ fields:
+ - name: BackupPath
+ type: keyword
+ - name: Channel
+ type: keyword
+ - name: SubjectDomainName
+ type: keyword
+ - name: SubjectLogonId
+ type: keyword
+ - name: SubjectUserName
+ type: keyword
+ - name: SubjectUserSid
+ type: keyword
+ - name: xml_name
+ type: keyword
+ - name: user.identifier
+ type: keyword
+ required: false
+ example: S-1-5-21-3541430928-2051711210-1391384369-1001
+ description: >
+ The Windows security identifier (SID) of the account associated with this event.
+
+ If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be.
+
+ - name: user.name
+ type: keyword
+ description: >
+ Name of the user associated with this event.
+
+ - name: user.domain
+ type: keyword
+ required: false
+ description: >
+ The domain that the account associated with this event is a member of.
+
+ - name: user.type
+ type: keyword
+ required: false
+ description: >
+ The type of account associated with this event.
+
+ - name: version
+ type: long
+ required: false
+ description: The version number of the event's definition.
diff --git a/test/packages/parallel/system/data_stream/security/manifest.yml b/test/packages/parallel/system/data_stream/security/manifest.yml
new file mode 100644
index 000000000..02ae7a6d6
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/manifest.yml
@@ -0,0 +1,80 @@
+type: logs
+title: Security logs
+streams:
+ - input: winlog
+ template_path: winlog.yml.hbs
+ title: Security
+ description: 'Security channel'
+ vars:
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: >-
+ Preserves a raw copy of the original XML event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: event_id
+ type: text
+ title: Event ID
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ A list of included and excluded (blocked) event IDs. The value is a comma-separated list. The accepted values are single event IDs to include (e.g. 4624), a range of event IDs to include (e.g. 4700-4800), and single event IDs to exclude (e.g. -4735). Limit 22 clauses, lower in some situations. See integration documentation for more details.
+ - name: ignore_older
+ type: text
+ title: Ignore events older than
+ default: 72h
+ required: false
+ show_user: false
+ description: >-
+ If this option is specified, events that are older than the specified amount of time are ignored. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
+ - name: language
+ type: text
+ title: Language ID
+ description: >-
+ The language ID the events will be rendered in. The language will be forced regardless of the system language. A complete list of language IDs can be found https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lcid/a9eac961-e77d-41a6-90a5-ce1a8b0cdb9c[here]. It defaults to `0`, which indicates to use the system language. E.g.: 0x0409 for en-US
+ required: false
+ show_user: false
+ default: 0
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ show_user: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+ - input: httpjson
+ title: Windows Security Events via Splunk Enterprise REST API
+ description: Collect Security Events via Splunk Enterprise REST API
+ enabled: false
+ template_path: httpjson.yml.hbs
+ vars:
+ - name: interval
+ type: text
+ title: Interval to query Splunk Enterprise REST API
+ description: Go Duration syntax (eg. 10s)
+ show_user: true
+ required: true
+ default: 10s
+ - name: search
+ type: text
+ title: Splunk search string
+ show_user: false
+ required: true
+ default: "search sourcetype=\"XmlWinEventLog:Security\""
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ show_user: false
+ default:
+ - forwarded
diff --git a/test/packages/parallel/system/data_stream/security/sample_event.json b/test/packages/parallel/system/data_stream/security/sample_event.json
new file mode 100644
index 000000000..3f8e10d48
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/security/sample_event.json
@@ -0,0 +1,75 @@
+{
+ "@timestamp": "2019-11-07T10:37:04.226Z",
+ "agent": {
+ "ephemeral_id": "aa973fb6-b8fe-427e-a9e9-51c411926db8",
+ "id": "dbc761fd-dec4-4bc7-acec-8e5cb02a0cb6",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.2.1"
+ },
+ "data_stream": {
+ "dataset": "system.security",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "elastic_agent": {
+ "id": "dbc761fd-dec4-4bc7-acec-8e5cb02a0cb6",
+ "snapshot": true,
+ "version": "8.2.1"
+ },
+ "event": {
+ "action": "logging-service-shutdown",
+ "agent_id_status": "verified",
+ "category": [
+ "process"
+ ],
+ "code": "1100",
+ "created": "2022-05-18T06:07:07.204Z",
+ "dataset": "system.security",
+ "ingested": "2022-05-18T06:07:08Z",
+ "kind": "event",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Eventlog' Guid='{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}'/\u003e\u003cEventID\u003e1100\u003c/EventID\u003e\u003cVersion\u003e0\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e103\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x4020000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-11-07T10:37:04.226092500Z'/\u003e\u003cEventRecordID\u003e14257\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='1144' ThreadID='4532'/\u003e\u003cChannel\u003eSecurity\u003c/Channel\u003e\u003cComputer\u003eWIN-41OB2LO92CR.wlbeat.local\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cUserData\u003e\u003cServiceShutdown xmlns='http://manifests.microsoft.com/win/2004/08/windows/eventlog'\u003e\u003c/ServiceShutdown\u003e\u003c/UserData\u003e\u003c/Event\u003e",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Eventlog",
+ "type": [
+ "end"
+ ]
+ },
+ "host": {
+ "name": "WIN-41OB2LO92CR.wlbeat.local"
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "log": {
+ "level": "information"
+ },
+ "tags": [
+ "forwarded",
+ "preserve_original_event"
+ ],
+ "winlog": {
+ "channel": "Security",
+ "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
+ "event_id": "1100",
+ "keywords": [
+ "Audit Success"
+ ],
+ "level": "information",
+ "opcode": "Info",
+ "outcome": "success",
+ "process": {
+ "pid": 1144,
+ "thread": {
+ "id": 4532
+ }
+ },
+ "provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}",
+ "provider_name": "Microsoft-Windows-Eventlog",
+ "record_id": "14257",
+ "time_created": "2019-11-07T10:37:04.226Z"
+ }
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-darwin-syslog-sample.log b/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-darwin-syslog-sample.log
new file mode 100644
index 000000000..ec5b4bd66
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-darwin-syslog-sample.log
@@ -0,0 +1,21 @@
+Dec 13 11:35:28 a-mac-with-esc-key GoogleSoftwareUpdateAgent[21412]: 2016-12-13 11:35:28.420 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp updateProductWithProductID:usingEngine:] Checking for updates for "All Products" using engine
+ >>
+ processor=
+ isProcessing=NO actionsCompleted=0 progress=0.00
+ errors=0 currentActionErrors=0
+ events=0 currentActionEvents=0
+ actionQueue=( )
+ >
+ delegate=(null)
+ serverInfoStore=(null)
+ errors=0
+ >
+Dec 13 11:35:28 a-mac-with-esc-key GoogleSoftwareUpdateAgent[21412]: 2016-12-13 11:35:28.421 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateEngine updateAllExceptProduct:] KSUpdateEngine updating all installed products, except:'com.google.Keystone'.
+Apr 4 03:39:57 --- last message repeated 1 time ---
diff --git a/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-darwin-syslog-sample.log-config.yml b/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-darwin-syslog-sample.log-config.yml
new file mode 100644
index 000000000..29de1b5c8
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-darwin-syslog-sample.log-config.yml
@@ -0,0 +1,7 @@
+dynamic_fields:
+ "@timestamp": "^[0-9]{4}(-[0-9]{2}){2}T[0-9]{2}(:[0-9]{2}){2}\\.[0-9]{3}-[0-9]{2}:[0-9]{2}$"
+multiline:
+ first_line_pattern: "^\\w+ \\d+ "
+fields:
+ event.kind: "event"
+ event.timezone: "GMT-0200"
diff --git a/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-darwin-syslog-sample.log-expected.json b/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-darwin-syslog-sample.log-expected.json
new file mode 100644
index 000000000..2275efb22
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-darwin-syslog-sample.log-expected.json
@@ -0,0 +1,60 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2022-12-13T11:35:28.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "kind": "event",
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "2016-12-13 11:35:28.420 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp updateProductWithProductID:usingEngine:] Checking for updates for \"All Products\" using engine \u003cKSUpdateEngine:0x100341a00\n\t\tticketStore=\u003cKSPersistentTicketStore:0x100204520 store=\u003cKSKeyedPersistentStore:0x100213290\n\t\t\tpath=\"/Users/tsg/Library/Google/GoogleSoftwareUpdate/TicketStore/Keystone.ticketstore\"\n\t\t\tlockFile=\u003cKSLockFile:0x1002160e0\n\t\t\t\tpath=\"/Users/tsg/Library/Google/GoogleSoftwareUpdate/TicketStore/Keystone.ticketstore.lock\"\n\t\t\t\tlocked=NO\n\t\t\t\u003e\n\t\t\u003e\u003e\n\t\tprocessor=\u003cKSActionProcessor:0x1003bb5f0\n\t\t\tdelegate=\u003cKSUpdateEngine:0x100341a00\u003e\n\t\t\tisProcessing=NO actionsCompleted=0 progress=0.00\n\t\t\terrors=0 currentActionErrors=0\n\t\t\tevents=0 currentActionEvents=0\n\t\t\tactionQueue=( )\n\t\t\u003e\n\t\tdelegate=(null)\n\t\tserverInfoStore=(null)\n\t\terrors=0\n\t\u003e",
+ "process": {
+ "name": "GoogleSoftwareUpdateAgent",
+ "pid": 21412
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T11:35:28.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "kind": "event",
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "2016-12-13 11:35:28.421 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateEngine updateAllExceptProduct:] KSUpdateEngine updating all installed products, except:'com.google.Keystone'.",
+ "process": {
+ "name": "GoogleSoftwareUpdateAgent",
+ "pid": 21412
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-04-04T03:39:57.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "kind": "event",
+ "timezone": "GMT-0200"
+ },
+ "message": "--- last message repeated 1 time ---",
+ "system": {
+ "syslog": {}
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-darwin-syslog.log b/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-darwin-syslog.log
new file mode 100644
index 000000000..f0329c33c
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-darwin-syslog.log
@@ -0,0 +1,497 @@
+Dec 13 11:35:28 a-mac-with-esc-key GoogleSoftwareUpdateAgent[21412]: 2016-12-13 11:35:28.419 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp performSelfUpdateWithEngine:] Finished self update check.
+Dec 13 11:35:28 a-mac-with-esc-key GoogleSoftwareUpdateAgent[21412]: 2016-12-13 11:35:28.420 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp updateProductWithProductID:usingEngine:] Checking for updates for "All Products" using engine
+ >>
+ processor=
+ isProcessing=NO actionsCompleted=0 progress=0.00
+ errors=0 currentActionErrors=0
+ events=0 currentActionEvents=0
+ actionQueue=( )
+ >
+ delegate=(null)
+ serverInfoStore=(null)
+ errors=0
+ >
+Dec 13 11:35:28 a-mac-with-esc-key GoogleSoftwareUpdateAgent[21412]: 2016-12-13 11:35:28.421 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateEngine updateAllExceptProduct:] KSUpdateEngine updating all installed products, except:'com.google.Keystone'.
+Dec 13 11:35:28 a-mac-with-esc-key GoogleSoftwareUpdateAgent[21412]: 2016-12-13 11:35:28.422 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSCheckAction performAction] KSCheckAction checking 2 ticket(s).
+Dec 13 11:35:28 a-mac-with-esc-key GoogleSoftwareUpdateAgent[21412]: 2016-12-13 11:35:28.428 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateCheckAction performAction] KSUpdateCheckAction starting update check for ticket(s): {(
+
+ serverType=Omaha
+ url=https://tools.google.com/service/update2
+ creationDate=2015-06-25 15:40:23
+ tagPath=/Applications/Google Chrome.app/Contents/Info.plist
+ tagKey=KSChannelID
+ brandPath=/Users/tsg/Library/Google/Google Chrome Brand.plist
+ brandKey=KSBrandID
+ versionPath=/Applications/Google Chrome.app/Contents/Info.plist
+ versionKey=KSVersion
+ cohort=1:1y5:gy3@0.05
+ cohortName=Stable
+ ticketVersion=1
+ >,
+
+ serverType=Omaha
+ url=https://tools.google.com/service/update2
+ creationDate=2015-09-11 20:38:12
+ ticketVersion=1
+ >
+ )}
+ Using server:
+ >
+Dec 13 11:35:28 a-mac-with-esc-key GoogleSoftwareUpdateAgent[21412]: 2016-12-13 11:35:28.446 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] +[KSCodeSigningVerification verifyBundle:applicationId:error:] KSCodeSigningVerification verifying code signing for '/Applications/Google Chrome.app' with the requirement 'anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists and certificate leaf[subject.OU]="EQHXZ8M8AV" and (identifier="com.google.Chrome")'
+Dec 13 11:35:29 a-mac-with-esc-key GoogleSoftwareUpdateAgent[21412]: 2016-12-13 11:35:29.430 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] +[KSCodeSigningVerification verifyBundle:applicationId:error:] KSCodeSigningVerification verifying code signing for '/Applications/Google Drive.app' with the requirement 'anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists and certificate leaf[subject.OU]="EQHXZ8M8AV" and (identifier="com.google.GoogleDrive")'
+Dec 13 11:35:30 a-mac-with-esc-key GoogleSoftwareUpdateAgent[21412]: 2016-12-13 11:35:30.115 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateCheckAction performAction] KSUpdateCheckAction running KSServerUpdateRequest:
+ url="https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141&cup2key=6:1566315822"
+ fallbackURLs=(
+ http://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141&cup2key=6:1617080069
+ )
+ runningFetchers=0
+ tickets=2
+ body=
+
+
+
+
+
+
+
+
+
+
+
+
+ headers={
+ "X-GoogleUpdate-Interactivity" = bg;
+ }
+ >
+Dec 13 11:35:30 a-mac-with-esc-key GoogleSoftwareUpdateAgent[21412]: 2016-12-13 11:35:30.116 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher beginFetchWithDelegate:] KSOutOfProcessFetcher start fetch from URL: "https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141&cup2key=6:1566315822"
+Dec 13 11:35:30 a-mac-with-esc-key GoogleSoftwareUpdateAgent[21412]: 2016-12-13 11:35:30.117 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher(PrivateMethods) launchedHelperTaskForToolPath:error:] KSOutOfProcessFetcher launched '/Users/tsg/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/MacOS/ksfetch' with process id: 21414
+Dec 13 11:35:30 a-mac-with-esc-key GoogleSoftwareUpdateAgent[21412]: 2016-12-13 11:35:30.118 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher beginFetchWithDelegate:] KSOutOfProcessFetcher sending both request and download file location to the helper.
+Dec 13 11:35:30 a-mac-with-esc-key GoogleSoftwareUpdateAgent[21412]: 2016-12-13 11:35:30.118 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] KSSendAllDataToHelper() KSHelperTool wrote 2383 bytes to the helper input.
+Dec 13 11:35:30 a-mac-with-esc-key GoogleSoftwareUpdateAgent[21412]: 2016-12-13 11:35:30.118 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher beginFetchWithDelegate:] Closing the file handle.
+Dec 13 11:35:30 a-mac-with-esc-key GoogleSoftwareUpdateAgent[21412]: 2016-12-13 11:35:30.118 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher beginFetchWithDelegate:] KSOutOfProcessFetcher fetching from URL: "https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141&cup2key=6:1566315822"
+Dec 13 11:35:30 a-mac-with-esc-key ksfetch[21414]: 2016-12-13 11:35:30.149 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] KSHelperReceiveAllData() KSHelperTool read 2383 bytes from stdin.
+Dec 13 11:35:30 a-mac-with-esc-key ksfetch[21414]: 2016-12-13 11:35:30.151 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() Fetcher received a request: { URL: https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141&cup2key=6:1566315822 }
+Dec 13 11:35:30 a-mac-with-esc-key ksfetch[21414]: 2016-12-13 11:35:30.151 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() Fetcher received a download path: /tmp/KSOutOfProcessFetcher.QTqOLkktQz/download
+Dec 13 11:35:30 a-mac-with-esc-key ksfetch[21414]: 2016-12-13 11:35:30.152 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() ksfetch fetching URL ( { URL: https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141&cup2key=6:1566315822 }) to folder:/tmp/KSOutOfProcessFetcher.QTqOLkktQz/download
+Dec 13 11:35:30 a-mac-with-esc-key ksfetch[21414]: 2016-12-13 11:35:30.152 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() Setting up download file handles...
+Dec 13 11:35:30 a-mac-with-esc-key ksfetch[21414]: 2016-12-13 11:35:30.348 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] -[FetchDelegate fetcher:finishedWithData:] Fetcher downloaded successfully data of length: 0
+Dec 13 11:35:30 a-mac-with-esc-key ksfetch[21414]: 2016-12-13 11:35:30.348 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() ksfetch done fetching.
+Dec 13 11:35:30 a-mac-with-esc-key ksfetch[21414]: 2016-12-13 11:35:30.351 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() Fetcher is exiting.
+Dec 13 11:35:30 a-mac-with-esc-key GoogleSoftwareUpdateAgent[21412]: 2016-12-13 11:35:30.354 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher(PrivateMethods) helperErrorAvailable:] KSOutOfProcessFetcher helper tool raw STDERR:
+ : <>
+Dec 13 11:35:30 a-mac-with-esc-key GoogleSoftwareUpdateAgent[21412]: 2016-12-13 11:35:30.354 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher(PrivateMethods) helperDidTerminate:] KSOutOfProcessFetcher fetch ended for URL: "https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141&cup2key=6:1566315822"
+Dec 13 11:35:30 a-mac-with-esc-key GoogleSoftwareUpdateAgent[21412]: 2016-12-13 11:35:30.355 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateCheckAction(KSServerUpdateRequestDelegate) serverRequest:fetchedWithResponse:] KSUpdateCheckAction received KSServerUpdateResponse:
+ url="https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141&cup2key=6:1566315822"
+ tickets=2
+ status=200
+ data=
+
+
+
+
+
+
+
+
+
+
+
+
+ >
+Dec 13 11:35:30 a-mac-with-esc-key GoogleSoftwareUpdateAgent[21412]: 2016-12-13 11:35:30.356 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOmahaServer updateInfosForUpdateResponse:updateRequest:infoStore:upToDateTickets:updatedTickets:events:errors:] Response passed CUP validation.
+Dec 13 11:35:30 a-mac-with-esc-key GoogleSoftwareUpdateAgent[21412]: 2016-12-13 11:35:30.381 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateCheckAction(PrivateMethods) finishAction] KSUpdateCheckAction found updates: {( )}
+Dec 13 11:35:30 a-mac-with-esc-key GoogleSoftwareUpdateAgent[21412]: 2016-12-13 11:35:30.384 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSPrefetchAction performAction] KSPrefetchAction no updates to prefetch.
+Dec 13 11:35:30 a-mac-with-esc-key GoogleSoftwareUpdateAgent[21412]: 2016-12-13 11:35:30.384 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSMultiUpdateAction performAction] KSSilentUpdateAction had no updates to apply.
+Dec 13 11:35:30 a-mac-with-esc-key GoogleSoftwareUpdateAgent[21412]: 2016-12-13 11:35:30.384 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSMultiUpdateAction performAction] KSPromptAction had no updates to apply.
+Dec 13 11:35:30 a-mac-with-esc-key GoogleSoftwareUpdateAgent[21412]: 2016-12-13 11:35:30.384 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp(KeystoneDelegate) updateEngineFinishedWithErrors:] Keystone finished: errors=0
+Dec 13 11:35:30 a-mac-with-esc-key GoogleSoftwareUpdateAgent[21412]: 2016-12-13 11:35:30.385 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateEngine(PrivateMethods) updateFinish] KSUpdateEngine update processing complete.
+Dec 13 11:35:31 a-mac-with-esc-key GoogleSoftwareUpdateAgent[21412]: 2016-12-13 11:35:31.142 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp updateProductWithProductID:usingEngine:] Done checking for updates for '"All Products"' using engine
+ >>
+ processor=
+ isProcessing=NO actionsCompleted=0 progress=0.00
+ errors=0 currentActionErrors=0
+ events=0 currentActionEvents=0
+ actionQueue=( )
+ >
+ delegate=
+ serverInfoStore=
+ errors=0
+ >
+Dec 13 11:35:31 a-mac-with-esc-key GoogleSoftwareUpdateAgent[21412]: 2016-12-13 11:35:31.302 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentUploader fetcher:finishedWithData:] Successfully uploaded stats to { URL: https://tools.google.com/service/update2 }
+Dec 13 11:35:31 a-mac-with-esc-key GoogleSoftwareUpdateAgent[21412]: 2016-12-13 11:35:31.431 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp uploadStats:] Successfully uploaded stats
+Dec 13 11:35:32 a-mac-with-esc-key GoogleSoftwareUpdateAgent[21412]: 2016-12-13 11:35:32.508 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp(KeystoneThread) runKeystonesInThreadWithArg:] Finished with engine thread
+Dec 13 11:35:32 a-mac-with-esc-key GoogleSoftwareUpdateAgent[21412]: 2016-12-13 11:35:32.825 GoogleSoftwareUpdateAgent[21412/0x7fffcc3f93c0] [lvl=2] -[KSAgentApp checkForUpdates] Finished update check.
+Dec 13 11:35:57 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60000a8499d0 holds 0x2121212121212121 instead of 0x600006a22fa0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 11:37:57 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60800f047240 holds 0x2121212121212121 instead of 0x608002231220. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 11:38:45 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.quicklook[21498]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook
+Dec 13 11:39:57 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60000a256990 holds 0x2121212121212121 instead of 0x600006a22420. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 11:41:57 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x6080096475d0 holds 0x2121212121212121 instead of 0x608004e21280. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 11:41:57 a-mac-with-esc-key syslogd[46]: ASL Sender Statistics
+Dec 13 11:42:55 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.quicklook[21556]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook
+Dec 13 11:45:18 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent): Unknown key for integer: _DirtyJetsamMemoryLimit
+Dec 13 11:45:57 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60000a85a860 holds 0x2121212121212121 instead of 0x600004a3b9a0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 11:47:06 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.quicklook[21581]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook
+Dec 13 11:47:57 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x608009840580 holds 0x2121212121212121 instead of 0x608004a22940. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 11:49:57 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x608009c5b700 holds 0x2121212121212121 instead of 0x608005830020. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 11:51:17 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.quicklook[21586]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook
+Dec 13 11:51:57 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60800ee592d0 holds 0x2121212121212121 instead of 0x608005627220. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 11:51:57 a-mac-with-esc-key syslogd[46]: ASL Sender Statistics
+Dec 13 11:53:57 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60000c648290 holds 0x2121212121212121 instead of 0x6000050242a0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 11:55:28 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.quicklook[21589]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook
+Dec 13 11:55:57 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x600009840460 holds 0x2121212121212121 instead of 0x60000122e940. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 11:56:30 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent): Unknown key for integer: _DirtyJetsamMemoryLimit
+Dec 13 11:57:57 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60000ee5b730 holds 0x2121212121212121 instead of 0x600007821c20. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 11:59:40 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.quicklook[21946]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook
+Dec 13 12:01:57 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x600006a49940 holds 0x2121212121212121 instead of 0x6000078202e0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 12:01:57 a-mac-with-esc-key syslogd[46]: ASL Sender Statistics
+Dec 13 12:03:04 a-mac-with-esc-key Slack Helper[55199]: Invoked notification with id: d63743fb-f17b-4e9e-97d0-88e0e7304682
+Dec 13 12:03:51 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.quicklook[21966]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook
+Dec 13 12:05:57 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60800f043dc0 holds 0x2121212121212121 instead of 0x6080026228c0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 12:08:02 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.quicklook[21981]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook
+Dec 13 12:09:57 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x608009a53600 holds 0x2121212121212121 instead of 0x608000629420. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 12:11:57 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60800f259c30 holds 0x2121212121212121 instead of 0x608004a21c20. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 12:11:57 a-mac-with-esc-key syslogd[46]: ASL Sender Statistics
+Dec 13 12:12:13 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.quicklook[22226]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook
+Dec 13 12:13:57 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60000c647d80 holds 0x2121212121212121 instead of 0x600006e3ee80. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 12:15:57 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60800f053a80 holds 0x2121212121212121 instead of 0x608007227ce0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 12:16:24 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.quicklook[22241]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook
+Dec 13 12:17:57 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60000a64ce80 holds 0x2121212121212121 instead of 0x600006629940. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 12:19:57 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60000a843580 holds 0x2121212121212121 instead of 0x600006629540. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 12:20:35 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.quicklook[22254]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook
+Dec 13 12:21:57 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60800f45b910 holds 0x2121212121212121 instead of 0x608005822c40. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 12:21:57 a-mac-with-esc-key syslogd[46]: ASL Sender Statistics
+Dec 13 12:23:13 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent): Unknown key for integer: _DirtyJetsamMemoryLimit
+Dec 13 12:23:57 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60000ea5edf0 holds 0x2121212121212121 instead of 0x600003a35a60. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 12:24:46 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.quicklook[22265]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook
+Dec 13 12:28:43 a-mac-with-esc-key Slack Helper[55199]: Invoked notification with id: 52bf37d9-0c4e-4276-8789-9fc7704bdf5b
+Dec 13 12:28:57 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.quicklook[22292]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook
+Dec 13 12:29:06 a-mac-with-esc-key Slack Helper[55199]: Invoked notification with id: c6c7e356-60a7-4b9e-a9b1-ecc2b8ad09f2
+Dec 13 12:29:57 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60800f246430 holds 0x2121212121212121 instead of 0x608001c26d00. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 12:31:57 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60800c85fd80 holds 0x2121212121212121 instead of 0x608005a3a420. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 12:31:57 a-mac-with-esc-key syslogd[46]: ASL Sender Statistics
+Dec 13 12:33:08 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.quicklook[22305]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook
+Dec 13 12:33:57 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x600006452400 holds 0x2121212121212121 instead of 0x60000763bac0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 12:35:56 a-mac-with-esc-key GoogleSoftwareUpdateAgent[22318]: 2016-12-13 12:35:56.416 GoogleSoftwareUpdateAgent[22318/0x7fffcc3f93c0] [lvl=2] -[KSAgentApp setupLoggerOutput] Agent settings:
+Dec 13 12:37:20 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.quicklook[22324]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook
+Dec 13 12:37:57 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60800f24d0f0 holds 0x2121212121212121 instead of 0x608007423ee0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 12:39:28 a-mac-with-esc-key Slack Helper[55199]: Invoked notification with id: aa608788-d049-4d1a-9112-521c71702371
+Dec 13 12:41:06 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent): Unknown key for integer: _DirtyJetsamMemoryLimit
+Dec 13 12:41:26 a-mac-with-esc-key Slack Helper[55199]: Invoked notification with id: d75f9ec1-a8fd-41c2-a45e-6df2952f0702
+Dec 13 12:41:30 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.quicklook[22336]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook
+Dec 13 12:41:57 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60800a2535a0 holds 0x2121212121212121 instead of 0x608003828e20. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 12:41:57 a-mac-with-esc-key syslogd[46]: ASL Sender Statistics
+Dec 13 12:43:57 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60800f241d50 holds 0x2121212121212121 instead of 0x60800562f380. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 12:45:41 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.quicklook[22348]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook
+Dec 13 12:45:57 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60000c444450 holds 0x2121212121212121 instead of 0x600007237f00. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 12:47:58 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60000c4424a0 holds 0x2121212121212121 instead of 0x600007026520. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 12:49:13 a-mac-with-esc-key logd[63]: _handle_cache_delete_with_urgency(0x7fc55c429b40, 0, 1)
+Dec 13 12:49:13 a-mac-with-esc-key logd[63]: _volume_contains_cached_data(is /private/var/db/diagnostics/ in /) - YES
+Dec 13 12:49:13 a-mac-with-esc-key logd[63]: Purged 0 bytes from log files.
+Dec 13 12:49:13 a-mac-with-esc-key logd[63]: _purge_uuidtext enter - 1
+Dec 13 12:49:14 a-mac-with-esc-key logd[63]: _purge_uuidtext got 1023 UUIDs and 3 slibs from inflight logs
+Dec 13 12:49:14 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent): Unknown key for integer: _DirtyJetsamMemoryLimit
+Dec 13 12:49:24 a-mac-with-esc-key logd[63]: _purge_uuidtext got 1303 UUIDs and 3 slibs from inflight and persistent logs
+Dec 13 12:49:24 a-mac-with-esc-key logd[63]: _purge_uuidtext processing shared lib uuid 00000000-0000-0000-0000-000000000000
+Dec 13 12:49:24 a-mac-with-esc-key logd[63]: _purge_uuidtext processing shared lib uuid 519BE6A1-940A-3142-975F-4EF4F41A89B3
+Dec 13 12:49:24 a-mac-with-esc-key logd[63]: _purge_uuidtext processing shared lib uuid C43133F6-64A3-3F65-997F-0E985A66E971
+Dec 13 12:49:24 a-mac-with-esc-key logd[63]: _purge_uuidtext got 2260 UUIDs and 3 slibs from inflight and persistent logs and slibs
+Dec 13 12:49:24 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 00000000-0000-0000-0000-000000000000 mentioned but not found
+Dec 13 12:49:27 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 1BD0C00C-0885-4C02-B522-D1E9CBDE84E7 mentioned but not found
+Dec 13 12:49:29 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 40E9BF5F-FF7F-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 60E9BF5F-FF7F-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 66A56E12-C69B-4249-BC49-760C03F3700A mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 700F0308-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 700F190B-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 700F3C07-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 700F6107-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 700F800A-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 700F8102-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 700F9401-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 700FD70E-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 700FD900-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 700FEE0B-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 700FF904-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 701F1C0F-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 701F2F0E-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 701F4C02-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 701FAE07-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 701FBD0F-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 701FE80B-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 701FEF07-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 701FF700-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 701FF90D-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 702F5E0E-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 702F6503-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 702F6B06-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 702FEB0B-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 702FFC01-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 703F0E06-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 703F4A0A-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 703F8C07-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 703F9405-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 703FA300-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 703FC709-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 703FD007-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 703FED05-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 704F0003-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 704F550C-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 704F750A-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 704F8102-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 704F8C0C-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 704F8D09-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 704FB402-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 704FBB01-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 705F030E-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 705F2D10-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 705F3B01-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 705F4E0A-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 705FA30D-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 705FDA05-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 705FDF03-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 706F5101-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 706F6300-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 706F6E05-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 706FE207-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 706FEC00-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 706FFB07-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 707F0907-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 707F6A04-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 707F7B00-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 707F9B0D-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 707FAD09-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 707FB80A-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 707FD809-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 707FE404-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 708F3207-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 708F3402-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 708F3809-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 708F470F-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 708F8A00-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 708F9F0A-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 708FB403-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 708FC507-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 708FDC07-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 708FEA0A-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 708FFC08-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 709F1005-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 709F1E0D-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 709F4C0A-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 709F5F08-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 709F6306-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 709F6903-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 709F980E-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 709FA80C-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 709FE302-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 709FE808-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 709FE809-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 709FED00-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 709FEF02-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 709FEF0A-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70AF070C-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70AF2108-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70AF270C-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70AF390B-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70AF4A0D-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70AF6D06-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70AF700E-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70AF810D-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70AF9D02-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70AFA200-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70AFBE07-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70AFCC02-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70BF210E-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70BF4C0A-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70BF9000-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70BF9302-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70BFC302-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70BFD507-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70BFD605-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70BFE302-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70BFFF03-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70CF0210-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70CF0603-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70CF0802-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70CF180F-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70CF1902-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70CF4A07-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70CF530D-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70CF590D-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70CF770D-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70CFA700-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70CFC804-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70CFE00C-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70CFEA09-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70CFED0B-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70DF4B07-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70DF7301-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70DFA303-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70DFCB0E-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70DFDD01-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70DFE504-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70E9BF5F-FF7F-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70EF2F0A-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70EF4609-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70EF5D05-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70EF7F07-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70EF8606-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70EFA406-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70EFA60F-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70EFC606-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70EFD407-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70FF0207-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70FF1E04-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70FF6F01-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70FF7703-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:31 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 70FF9708-0070-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:32 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for 80E8BF5F-FF7F-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:32 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for A0E8BF5F-FF7F-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:32 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for A0E9BF5F-FF7F-0000-FD68-88C3FF7F0000 mentioned but not found
+Dec 13 12:49:32 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for B22412E8-3691-4FA9-95EA-C5B9E2A3C572 mentioned but not found
+Dec 13 12:49:33 a-mac-with-esc-key logd[63]: _purge_uuidtext uuidtext file for F011D7E8-7633-3668-9455-53893C4F4B33 mentioned but not found
+Dec 13 12:49:33 a-mac-with-esc-key logd[63]: _purge_uuidtext tree walked
+Dec 13 12:49:33 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/00/0E757A4E2C3108A74D6C5A996AAAAB
+Dec 13 12:49:33 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/00/F2131643943190B32FE35236EA4864
+Dec 13 12:49:33 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/06/608E438FDA3E28B9A262F575FE0E75
+Dec 13 12:49:33 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/09/35918C5C783B8AB2E6B75B12056F3C
+Dec 13 12:49:33 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/11/DD409E112F373398E6DA86BF046EC9
+Dec 13 12:49:33 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/14/65FB07456D36EC9EC80462D86BB21B
+Dec 13 12:49:33 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/18/A779EC17953910996D134A28F5C564
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/19/57E846B04C32FBAD78821B285B0D18
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/1E/79F11C7D5333F1BD0630540535F725
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/1E/9811DDA51A3BE9A4A748AD394DBE73
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/23/099C5F0A853312A9BD5694C15D228C
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/27/FBA267162735F8B5A6BF29E3A7670E
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/39/2980D3CAF73E2A94ED57F74979F1D9
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/3E/67870101A7359F88CCB9BD6681FC93
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/41/C51F4A33E03ACF86603802C9E6FFDE
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/42/BF3535B92C3272BA41F8A9BC267F3B
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/42/C18E8D6CEE37FF8DCD1390244CF38E
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/53/4B25B3C583361EADD5CB938678868C
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/54/090A60831C3233A4F0022DB86FF8B8
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/56/8EBEC4BC8230848898534D17830BB6
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/57/58C9F966E631669B74E6625D40C806
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/5E/F7315AF27B31A6A38D6364704D4FFC
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/5F/2B940389D136F2817A41C784D530CB
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/62/196B2A409236898AAD3A1520C53191
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/65/2D3DB29CBA32E297A65465CBA36B01
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/67/58A21E3D2B3620952A68EC384CC1AF
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/69/ADA53CBD3A3E31B08CFD85B12D52E1
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/72/FB1BBBCA3E30E89802A68B8B2B07F1
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/74/702F7027E834ACB0057983649FFB29
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/75/B25BA663DB34EC9AAC6971BBE817EB
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/75/B88148A6E233F8AFF323294DE561E0
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/76/2702DC49823F9E8292BB022D6BAF84
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/76/73D347C0F834879F9438D542975A23
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/78/397DF6C0253FD383E4AFAE3DD2E49C
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/7F/BCC184181A3913ADC50E38F950D098
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/81/12B328744938E1ACF2846B35CD83B4
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/82/3CB803D77334D0B5C759685022D876
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/8A/860FB569623B81B0511956EC82CEA3
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/90/9D581D35E7358AA75371D3A038142D
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/99/AC7E971E8C3319AD0514626D763823
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/9A/53817F2101396598311DB81D851FBA
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/9B/2EB7A3E93A3641B38EAD32B1CBE412
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/9F/E64976D7223E7F992BB3287AF23301
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/A7/8C02A56C0F3A9D90CAD8C92842B9A9
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/A9/733CC25E7239F98BC0812C5D7AF135
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/AB/450D449D5432C9B30A439A35B29931
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/B0/AF101031AA3188A08CF1517F800B2C
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/B4/77C958888B3AB092FD097D2C9A1B13
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/B4/BDFB4CAE49386B963E2C7A296B7D20
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/B5/0CBF2789673C6AB67F80F199CFD499
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/B6/41F64AD9923AD19AED8A35325FB04E
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/B6/566C8F2EA7349EB2C02647D2F69F97
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/BA/2A57BB4346303EA1E87862E6752057
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/C0/2D31E981553F31B0E9C36C232EE607
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/C0/E060E4E9373D4D9B4A930D3291F052
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/C2/531C46380A3DA489F7752C2FE6AEA0
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/C9/17C064F3903260A7DC304FABDDC3FD
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/CD/E2995BDA593F96B16EF1AE92AF31D8
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/CE/EE9ADE6F813CD78A1308F14010F463
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/D1/7E3015AC923AFE89BAFE6411B96431
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/D3/AE090906EC3F058A04EE77A574C8B3
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/DA/BAD1584258317A8483FE9CF10547BD
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/DD/CCB6FD639830F39A5D87247D54F616
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/E1/05E61475463784975FC5278723D08C
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/E1/B515E0321E3B85B90F01D623DC9047
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/E2/8DBEF43A0A37008A26AE9F016435F3
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/E3/55D24FAC0838679583537F319C7B72
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/EF/8522BAF9393808A2E6018507233133
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext unlinking /var/db/uuidtext/FC/F7262CC2703E32BD3808B2D50C74F0
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext total: 2209, in_use:2104, marked:23, recent:13, deleted 69
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext slib tree cleaned up (0)
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext uuid tree cleaned up (3)
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: _purge_uuidtext cleaned up (0)
+Dec 13 12:49:34 a-mac-with-esc-key logd[63]: Purged 5816519 bytes from uuidtext.
+Dec 13 12:49:52 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.quicklook[22360]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook
+Dec 13 12:49:57 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x600011443d90 holds 0x2121212121212121 instead of 0x600006e206c0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 12:51:58 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60800ac568a0 holds 0x2121212121212121 instead of 0x608003630680. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 12:51:58 a-mac-with-esc-key syslogd[46]: ASL Sender Statistics
+Dec 13 12:53:58 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60000664ad50 holds 0x2121212121212121 instead of 0x600006c31140. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 12:54:03 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.quicklook[22370]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook
+Dec 13 12:55:58 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x6000060446c0 holds 0x2121212121212121 instead of 0x600006c34d60. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 12:57:58 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60000c645c20 holds 0x2121212121212121 instead of 0x600002e295c0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 12:58:14 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.quicklook[22382]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook
+Dec 13 12:59:58 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60800fe59330 holds 0x2121212121212121 instead of 0x608004030e80. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 13:01:58 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60000ec41a20 holds 0x2121212121212121 instead of 0x600002e2d920. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 13:01:58 a-mac-with-esc-key syslogd[46]: ASL Sender Statistics
+Dec 13 13:03:19 a-mac-with-esc-key Preview[24046]: BUG in libdispatch client: kevent[EVFILT_MACHPORT] monitored resource vanished before the source cancel handler was invoked
+Dec 13 13:03:58 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x608007645da0 holds 0x2121212121212121 instead of 0x6080044252a0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 13:05:26 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.quicklook[25276]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook
+Dec 13 13:05:58 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60000c643b20 holds 0x2121212121212121 instead of 0x6000036340a0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 13:07:26 a-mac-with-esc-key Slack Helper[55199]: Invoked notification with id: 7cc1869b-ba48-4307-8474-0bc68cd9c71d
+Dec 13 13:07:58 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x600007852ee0 holds 0x2121212121212121 instead of 0x600006a22780. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 13:09:37 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.quicklook[25878]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook
+Dec 13 13:09:49 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent): Unknown key for integer: _DirtyJetsamMemoryLimit
+Dec 13 13:13:48 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.quicklook[25888]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook
+Dec 13 13:13:48 a-mac-with-esc-key syslogd[46]: ASL Sender Statistics
+Dec 13 13:13:58 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60001125b6a0 holds 0x2121212121212121 instead of 0x600007234ce0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 13:15:58 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x600006a41480 holds 0x2121212121212121 instead of 0x600003a2e920. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 13:17:58 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x600005a46cd0 holds 0x2121212121212121 instead of 0x60000582bd00. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 13:17:59 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.quicklook[25896]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook
+Dec 13 13:19:58 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60800ee5b730 holds 0x2121212121212121 instead of 0x6080072264c0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 13:21:58 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60800f65cb10 holds 0x2121212121212121 instead of 0x6080046351c0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 13:22:10 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.quicklook[25914]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook
+Dec 13 13:23:58 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x600008c56780 holds 0x2121212121212121 instead of 0x600006624600. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 13:23:58 a-mac-with-esc-key syslogd[46]: ASL Sender Statistics
+Dec 13 13:25:58 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60800f65d7a0 holds 0x2121212121212121 instead of 0x608003a3d9a0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 13:26:21 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.quicklook[25923]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook
+Dec 13 13:27:58 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60000785e8e0 holds 0x2121212121212121 instead of 0x600006622ba0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 13:29:58 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60801005a980 holds 0x2121212121212121 instead of 0x608001a3f8a0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 13:30:33 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.quicklook[25940]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook
+Dec 13 13:31:58 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60000d6588b0 holds 0x2121212121212121 instead of 0x600002a3dd60. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 13:32:28 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent): Unknown key for integer: _DirtyJetsamMemoryLimit
+Dec 13 13:33:58 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60800f459990 holds 0x2121212121212121 instead of 0x60800463e7e0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 13:33:58 a-mac-with-esc-key syslogd[46]: ASL Sender Statistics
+Dec 13 13:34:44 a-mac-with-esc-key com.apple.xpc.launchd[1] (com.apple.quicklook[26381]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook
+Dec 13 13:35:59 a-mac-with-esc-key Google Chrome[85294]: objc[85294]: __weak variable at 0x60000be429b0 holds 0x2121212121212121 instead of 0x600003c325e0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.
+Dec 13 13:36:19 a-mac-with-esc-key GoogleSoftwareUpdateAgent[27321]: 2016-12-13 13:36:19.906 GoogleSoftwareUpdateAgent[27321/0x7fffcc3f93c0] [lvl=2] -[KSAgentApp setupLoggerOutput] Agent settings:
diff --git a/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-darwin-syslog.log-config.yml b/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-darwin-syslog.log-config.yml
new file mode 100644
index 000000000..eb4e9090a
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-darwin-syslog.log-config.yml
@@ -0,0 +1,6 @@
+dynamic_fields:
+ "@timestamp": "^[0-9]{4}(-[0-9]{2}){2}T[0-9]{2}(:[0-9]{2}){2}\\.[0-9]{3}-[0-9]{2}:[0-9]{2}$"
+multiline:
+ first_line_pattern: "^Dec 13 "
+fields:
+ event.timezone: "GMT-0200"
diff --git a/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-darwin-syslog.log-expected.json b/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-darwin-syslog.log-expected.json
new file mode 100644
index 000000000..c8cd42936
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-darwin-syslog.log-expected.json
@@ -0,0 +1,7609 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2022-12-13T11:35:28.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "2016-12-13 11:35:28.419 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp performSelfUpdateWithEngine:] Finished self update check.",
+ "process": {
+ "name": "GoogleSoftwareUpdateAgent",
+ "pid": 21412
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T11:35:28.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "2016-12-13 11:35:28.420 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp updateProductWithProductID:usingEngine:] Checking for updates for \"All Products\" using engine \u003cKSUpdateEngine:0x100341a00\n\t\tticketStore=\u003cKSPersistentTicketStore:0x100204520 store=\u003cKSKeyedPersistentStore:0x100213290\n\t\t\tpath=\"/Users/tsg/Library/Google/GoogleSoftwareUpdate/TicketStore/Keystone.ticketstore\"\n\t\t\tlockFile=\u003cKSLockFile:0x1002160e0\n\t\t\t\tpath=\"/Users/tsg/Library/Google/GoogleSoftwareUpdate/TicketStore/Keystone.ticketstore.lock\"\n\t\t\t\tlocked=NO\n\t\t\t\u003e\n\t\t\u003e\u003e\n\t\tprocessor=\u003cKSActionProcessor:0x1003bb5f0\n\t\t\tdelegate=\u003cKSUpdateEngine:0x100341a00\u003e\n\t\t\tisProcessing=NO actionsCompleted=0 progress=0.00\n\t\t\terrors=0 currentActionErrors=0\n\t\t\tevents=0 currentActionEvents=0\n\t\t\tactionQueue=( )\n\t\t\u003e\n\t\tdelegate=(null)\n\t\tserverInfoStore=(null)\n\t\terrors=0\n\t\u003e",
+ "process": {
+ "name": "GoogleSoftwareUpdateAgent",
+ "pid": 21412
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T11:35:28.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "2016-12-13 11:35:28.421 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateEngine updateAllExceptProduct:] KSUpdateEngine updating all installed products, except:'com.google.Keystone'.",
+ "process": {
+ "name": "GoogleSoftwareUpdateAgent",
+ "pid": 21412
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T11:35:28.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "2016-12-13 11:35:28.422 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSCheckAction performAction] KSCheckAction checking 2 ticket(s).",
+ "process": {
+ "name": "GoogleSoftwareUpdateAgent",
+ "pid": 21412
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T11:35:28.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "2016-12-13 11:35:28.428 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateCheckAction performAction] KSUpdateCheckAction starting update check for ticket(s): {(\n\t\t\u003cKSTicket:0x100550bd0\n\t\t\tproductID=com.google.Chrome\n\t\t\tversion=54.0.2840.98\n\t\t\txc=\u003cKSPathExistenceChecker:0x1005507d0 path=/Applications/Google Chrome.app\u003e\n\t\t\tserverType=Omaha\n\t\t\turl=https://tools.google.com/service/update2\n\t\t\tcreationDate=2015-06-25 15:40:23\n\t\t\ttagPath=/Applications/Google Chrome.app/Contents/Info.plist\n\t\t\ttagKey=KSChannelID\n\t\t\tbrandPath=/Users/tsg/Library/Google/Google Chrome Brand.plist\n\t\t\tbrandKey=KSBrandID\n\t\t\tversionPath=/Applications/Google Chrome.app/Contents/Info.plist\n\t\t\tversionKey=KSVersion\n\t\t\tcohort=1:1y5:gy3@0.05\n\t\t\tcohortName=Stable\n\t\t\tticketVersion=1\n\t\t\u003e,\n\t\t\u003cKSTicket:0x100555140\n\t\t\tproductID=com.google.GoogleDrive\n\t\t\tversion=1.32.3889.0961\n\t\t\txc=\u003cKSPathExistenceChecker:0x100554490 path=/Applications/Google Drive.app\u003e\n\t\t\tserverType=Omaha\n\t\t\turl=https://tools.google.com/service/update2\n\t\t\tcreationDate=2015-09-11 20:38:12\n\t\t\tticketVersion=1\n\t\t\u003e\n\t)}\n\tUsing server: \u003cKSOmahaServer:0x100555120\n\t\tengine=\u003cKSUpdateEngine:0x100341a00\u003e\n\t\u003e",
+ "process": {
+ "name": "GoogleSoftwareUpdateAgent",
+ "pid": 21412
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T11:35:28.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "2016-12-13 11:35:28.446 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] +[KSCodeSigningVerification verifyBundle:applicationId:error:] KSCodeSigningVerification verifying code signing for '/Applications/Google Chrome.app' with the requirement 'anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists and certificate leaf[subject.OU]=\"EQHXZ8M8AV\" and (identifier=\"com.google.Chrome\")'",
+ "process": {
+ "name": "GoogleSoftwareUpdateAgent",
+ "pid": 21412
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T11:35:29.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "2016-12-13 11:35:29.430 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] +[KSCodeSigningVerification verifyBundle:applicationId:error:] KSCodeSigningVerification verifying code signing for '/Applications/Google Drive.app' with the requirement 'anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists and certificate leaf[subject.OU]=\"EQHXZ8M8AV\" and (identifier=\"com.google.GoogleDrive\")'",
+ "process": {
+ "name": "GoogleSoftwareUpdateAgent",
+ "pid": 21412
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T11:35:30.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "2016-12-13 11:35:30.115 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateCheckAction performAction] KSUpdateCheckAction running KSServerUpdateRequest: \u003cKSOmahaServerUpdateRequest:0x100480470\n\t\tserver=\u003cKSOmahaServer:0x100555120\u003e\n\t\turl=\"https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141\u0026cup2key=6:1566315822\"\n\t\tfallbackURLs=(\n\t\t\thttp://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141\u0026cup2key=6:1617080069\n\t\t)\n\t\trunningFetchers=0\n\t\ttickets=2\n\t\tbody=\n\t\t\t\u003c?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?\u003e\n\t\t\t\u003crequest protocol=\"3.0\" version=\"KeystoneAgent-1.2.6.1370\" ismachine=\"0\" requestid=\"{8F3B41E7-420E-4526-887D-C40439FD9A8E}\" dedup=\"cr\" sessionid=\"{3BD434BD-06BC-40C7-9A27-EFE887A149E3}\"\u003e\n\t\t\t \u003cos platform=\"mac\" version=\"10.12\" arch=\"x86_64h\" sp=\"10.12.0_x86_64h\"\u003e\u003c/os\u003e\n\t\t\t \u003capp appid=\"com.google.Chrome\" version=\"54.0.2840.98\" cohort=\"1:1y5:gy3@0.05\" cohortname=\"Stable\" lang=\"en-us\" installage=\"536\" installdate=\"3479\" brand=\"GGRO\" _numaccounts=\"1\" _numsignedin=\"1\" signed=\"1\"\u003e\n\t\t\t \u003cping r=\"1\" rd=\"3633\" a=\"1\" ad=\"3633\" ping_freshness=\"{6001AB3C-5253-44A9-94A9-CD4493ED14F9}\"\u003e\u003c/ping\u003e\n\t\t\t \u003cupdatecheck\u003e\u003c/updatecheck\u003e\n\t\t\t \u003c/app\u003e\n\t\t\t \u003capp appid=\"com.google.GoogleDrive\" version=\"1.32.3889.0961\" lang=\"en-us\" installage=\"458\" installdate=\"3479\" brand=\"GGLG\" signed=\"1\"\u003e\n\t\t\t \u003cping r=\"1\" rd=\"3633\" a=\"1\" ad=\"3633\" ping_freshness=\"{1BFFDCCA-5966-4598-819C-C1D075E480C5}\"\u003e\u003c/ping\u003e\n\t\t\t \u003cupdatecheck\u003e\u003c/updatecheck\u003e\n\t\t\t \u003c/app\u003e\n\t\t\t\u003c/request\u003e\n\t\theaders={\n\t\t\t\"X-GoogleUpdate-Interactivity\" = bg;\n\t\t}\n\t\u003e",
+ "process": {
+ "name": "GoogleSoftwareUpdateAgent",
+ "pid": 21412
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T11:35:30.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "2016-12-13 11:35:30.116 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher beginFetchWithDelegate:] KSOutOfProcessFetcher start fetch from URL: \"https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141\u0026cup2key=6:1566315822\"",
+ "process": {
+ "name": "GoogleSoftwareUpdateAgent",
+ "pid": 21412
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T11:35:30.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "2016-12-13 11:35:30.117 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher(PrivateMethods) launchedHelperTaskForToolPath:error:] KSOutOfProcessFetcher launched '/Users/tsg/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/MacOS/ksfetch' with process id: 21414",
+ "process": {
+ "name": "GoogleSoftwareUpdateAgent",
+ "pid": 21412
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T11:35:30.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "2016-12-13 11:35:30.118 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher beginFetchWithDelegate:] KSOutOfProcessFetcher sending both request and download file location to the helper.",
+ "process": {
+ "name": "GoogleSoftwareUpdateAgent",
+ "pid": 21412
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T11:35:30.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "2016-12-13 11:35:30.118 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] KSSendAllDataToHelper() KSHelperTool wrote 2383 bytes to the helper input.",
+ "process": {
+ "name": "GoogleSoftwareUpdateAgent",
+ "pid": 21412
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T11:35:30.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "2016-12-13 11:35:30.118 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher beginFetchWithDelegate:] Closing the file handle.",
+ "process": {
+ "name": "GoogleSoftwareUpdateAgent",
+ "pid": 21412
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T11:35:30.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "2016-12-13 11:35:30.118 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher beginFetchWithDelegate:] KSOutOfProcessFetcher fetching from URL: \"https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141\u0026cup2key=6:1566315822\"",
+ "process": {
+ "name": "GoogleSoftwareUpdateAgent",
+ "pid": 21412
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T11:35:30.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "2016-12-13 11:35:30.149 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] KSHelperReceiveAllData() KSHelperTool read 2383 bytes from stdin.",
+ "process": {
+ "name": "ksfetch",
+ "pid": 21414
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T11:35:30.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "2016-12-13 11:35:30.151 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() Fetcher received a request: \u003cNSMutableURLRequest: 0x100119140\u003e { URL: https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141\u0026cup2key=6:1566315822 }",
+ "process": {
+ "name": "ksfetch",
+ "pid": 21414
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T11:35:30.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "2016-12-13 11:35:30.151 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() Fetcher received a download path: /tmp/KSOutOfProcessFetcher.QTqOLkktQz/download",
+ "process": {
+ "name": "ksfetch",
+ "pid": 21414
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T11:35:30.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "2016-12-13 11:35:30.152 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() ksfetch fetching URL (\u003cNSMutableURLRequest: 0x100119140\u003e { URL: https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141\u0026cup2key=6:1566315822 }) to folder:/tmp/KSOutOfProcessFetcher.QTqOLkktQz/download",
+ "process": {
+ "name": "ksfetch",
+ "pid": 21414
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T11:35:30.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "2016-12-13 11:35:30.152 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() Setting up download file handles...",
+ "process": {
+ "name": "ksfetch",
+ "pid": 21414
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T11:35:30.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "2016-12-13 11:35:30.348 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] -[FetchDelegate fetcher:finishedWithData:] Fetcher downloaded successfully data of length: 0",
+ "process": {
+ "name": "ksfetch",
+ "pid": 21414
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T11:35:30.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "2016-12-13 11:35:30.348 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() ksfetch done fetching.",
+ "process": {
+ "name": "ksfetch",
+ "pid": 21414
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T11:35:30.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "2016-12-13 11:35:30.351 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() Fetcher is exiting.",
+ "process": {
+ "name": "ksfetch",
+ "pid": 21414
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T11:35:30.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "2016-12-13 11:35:30.354 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher(PrivateMethods) helperErrorAvailable:] KSOutOfProcessFetcher helper tool raw STDERR:\n\t:\t\u003c\u003e",
+ "process": {
+ "name": "GoogleSoftwareUpdateAgent",
+ "pid": 21412
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T11:35:30.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "2016-12-13 11:35:30.354 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher(PrivateMethods) helperDidTerminate:] KSOutOfProcessFetcher fetch ended for URL: \"https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141\u0026cup2key=6:1566315822\"",
+ "process": {
+ "name": "GoogleSoftwareUpdateAgent",
+ "pid": 21412
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T11:35:30.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "2016-12-13 11:35:30.355 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateCheckAction(KSServerUpdateRequestDelegate) serverRequest:fetchedWithResponse:] KSUpdateCheckAction received KSServerUpdateResponse: \u003cKSOmahaServerUpdateResponse:0x100559060\n\t\tserver=\u003cKSOmahaServer:0x100555120\u003e\n\t\turl=\"https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141\u0026cup2key=6:1566315822\"\n\t\ttickets=2\n\t\tstatus=200\n\t\tdata=\n\t\t\t\u003c?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?\u003e\n\t\t\t\u003cresponse protocol=\"3.0\" server=\"prod\"\u003e\n\t\t\t \u003cdaystart elapsed_days=\"3634\" elapsed_seconds=\"9330\"\u003e\u003c/daystart\u003e\n\t\t\t \u003capp appid=\"com.google.Chrome\" cohort=\"1:1y5:gy3@0.05\" cohortname=\"Stable\" status=\"ok\"\u003e\n\t\t\t \u003cping status=\"ok\"\u003e\u003c/ping\u003e\n\t\t\t \u003cupdatecheck status=\"noupdate\"\u003e\u003c/updatecheck\u003e\n\t\t\t \u003c/app\u003e\n\t\t\t \u003capp appid=\"com.google.GoogleDrive\" cohort=\"\" cohortname=\"\" status=\"ok\"\u003e\n\t\t\t \u003cping status=\"ok\"\u003e\u003c/ping\u003e\n\t\t\t \u003cupdatecheck status=\"noupdate\"\u003e\u003c/updatecheck\u003e\n\t\t\t \u003c/app\u003e\n\t\t\t\u003c/response\u003e\n\t\u003e",
+ "process": {
+ "name": "GoogleSoftwareUpdateAgent",
+ "pid": 21412
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T11:35:30.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "2016-12-13 11:35:30.356 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOmahaServer updateInfosForUpdateResponse:updateRequest:infoStore:upToDateTickets:updatedTickets:events:errors:] Response passed CUP validation.",
+ "process": {
+ "name": "GoogleSoftwareUpdateAgent",
+ "pid": 21412
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T11:35:30.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "2016-12-13 11:35:30.381 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateCheckAction(PrivateMethods) finishAction] KSUpdateCheckAction found updates: {( )}",
+ "process": {
+ "name": "GoogleSoftwareUpdateAgent",
+ "pid": 21412
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T11:35:30.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "2016-12-13 11:35:30.384 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSPrefetchAction performAction] KSPrefetchAction no updates to prefetch.",
+ "process": {
+ "name": "GoogleSoftwareUpdateAgent",
+ "pid": 21412
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T11:35:30.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "2016-12-13 11:35:30.384 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSMultiUpdateAction performAction] KSSilentUpdateAction had no updates to apply.",
+ "process": {
+ "name": "GoogleSoftwareUpdateAgent",
+ "pid": 21412
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T11:35:30.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "2016-12-13 11:35:30.384 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSMultiUpdateAction performAction] KSPromptAction had no updates to apply.",
+ "process": {
+ "name": "GoogleSoftwareUpdateAgent",
+ "pid": 21412
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T11:35:30.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "2016-12-13 11:35:30.384 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp(KeystoneDelegate) updateEngineFinishedWithErrors:] Keystone finished: errors=0",
+ "process": {
+ "name": "GoogleSoftwareUpdateAgent",
+ "pid": 21412
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T11:35:30.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "2016-12-13 11:35:30.385 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateEngine(PrivateMethods) updateFinish] KSUpdateEngine update processing complete.",
+ "process": {
+ "name": "GoogleSoftwareUpdateAgent",
+ "pid": 21412
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T11:35:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "2016-12-13 11:35:31.142 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp updateProductWithProductID:usingEngine:] Done checking for updates for '\"All Products\"' using engine \u003cKSUpdateEngine:0x100341a00\n\t\tticketStore=\u003cKSPersistentTicketStore:0x100204520 store=\u003cKSKeyedPersistentStore:0x100213290\n\t\t\tpath=\"/Users/tsg/Library/Google/GoogleSoftwareUpdate/TicketStore/Keystone.ticketstore\"\n\t\t\tlockFile=\u003cKSLockFile:0x1002160e0\n\t\t\t\tpath=\"/Users/tsg/Library/Google/GoogleSoftwareUpdate/TicketStore/Keystone.ticketstore.lock\"\n\t\t\t\tlocked=NO\n\t\t\t\u003e\n\t\t\u003e\u003e\n\t\tprocessor=\u003cKSActionProcessor:0x1002769e0\n\t\t\tdelegate=\u003cKSUpdateEngine:0x100341a00\u003e\n\t\t\tisProcessing=NO actionsCompleted=0 progress=0.00\n\t\t\terrors=0 currentActionErrors=0\n\t\t\tevents=0 currentActionEvents=0\n\t\t\tactionQueue=( )\n\t\t\u003e\n\t\tdelegate=\u003cKSAgentApp: 0x10052a250\u003e\n\t\tserverInfoStore=\u003cKSServerPrivateInfoStore:0x100317b40 path=\"/Users/tsg/Library/Google/GoogleSoftwareUpdate/Servers\"\u003e\n\t\terrors=0\n\t\u003e",
+ "process": {
+ "name": "GoogleSoftwareUpdateAgent",
+ "pid": 21412
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T11:35:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "2016-12-13 11:35:31.302 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentUploader fetcher:finishedWithData:] Successfully uploaded stats to \u003cNSMutableURLRequest: 0x1003cbcd0\u003e { URL: https://tools.google.com/service/update2 }",
+ "process": {
+ "name": "GoogleSoftwareUpdateAgent",
+ "pid": 21412
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T11:35:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "2016-12-13 11:35:31.431 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp uploadStats:] Successfully uploaded stats \u003cKSStatsCollection:0x100212570 path=\"/Users/tsg/Library/Google/GoogleSoftwareUpdate/Stats/Keystone.stats\", count=5, stats={\n\t checks = 2;\n\t tickets = 2;\n\t usertickets = 3;\n\t validtickets = 2;\n\t validusertickets = 3;\n\t}\u003e",
+ "process": {
+ "name": "GoogleSoftwareUpdateAgent",
+ "pid": 21412
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T11:35:32.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "2016-12-13 11:35:32.508 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp(KeystoneThread) runKeystonesInThreadWithArg:] Finished with engine thread",
+ "process": {
+ "name": "GoogleSoftwareUpdateAgent",
+ "pid": 21412
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T11:35:32.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "2016-12-13 11:35:32.825 GoogleSoftwareUpdateAgent[21412/0x7fffcc3f93c0] [lvl=2] -[KSAgentApp checkForUpdates] Finished update check.",
+ "process": {
+ "name": "GoogleSoftwareUpdateAgent",
+ "pid": 21412
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T11:35:57.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "objc[85294]: __weak variable at 0x60000a8499d0 holds 0x2121212121212121 instead of 0x600006a22fa0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.",
+ "process": {
+ "name": "Google Chrome",
+ "pid": 85294
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T11:37:57.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "objc[85294]: __weak variable at 0x60800f047240 holds 0x2121212121212121 instead of 0x608002231220. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.",
+ "process": {
+ "name": "Google Chrome",
+ "pid": 85294
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T11:38:45.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook",
+ "process": {
+ "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21498])"
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T11:39:57.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "objc[85294]: __weak variable at 0x60000a256990 holds 0x2121212121212121 instead of 0x600006a22420. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.",
+ "process": {
+ "name": "Google Chrome",
+ "pid": 85294
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T11:41:57.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "objc[85294]: __weak variable at 0x6080096475d0 holds 0x2121212121212121 instead of 0x608004e21280. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.",
+ "process": {
+ "name": "Google Chrome",
+ "pid": 85294
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T11:41:57.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "ASL Sender Statistics",
+ "process": {
+ "name": "syslogd",
+ "pid": 46
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T11:42:55.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook",
+ "process": {
+ "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21556])"
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T11:45:18.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "Unknown key for integer: _DirtyJetsamMemoryLimit",
+ "process": {
+ "name": "com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent)"
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T11:45:57.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "objc[85294]: __weak variable at 0x60000a85a860 holds 0x2121212121212121 instead of 0x600004a3b9a0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.",
+ "process": {
+ "name": "Google Chrome",
+ "pid": 85294
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T11:47:06.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook",
+ "process": {
+ "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21581])"
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T11:47:57.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "objc[85294]: __weak variable at 0x608009840580 holds 0x2121212121212121 instead of 0x608004a22940. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.",
+ "process": {
+ "name": "Google Chrome",
+ "pid": 85294
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T11:49:57.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "objc[85294]: __weak variable at 0x608009c5b700 holds 0x2121212121212121 instead of 0x608005830020. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.",
+ "process": {
+ "name": "Google Chrome",
+ "pid": 85294
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T11:51:17.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook",
+ "process": {
+ "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21586])"
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T11:51:57.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "objc[85294]: __weak variable at 0x60800ee592d0 holds 0x2121212121212121 instead of 0x608005627220. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.",
+ "process": {
+ "name": "Google Chrome",
+ "pid": 85294
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T11:51:57.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "ASL Sender Statistics",
+ "process": {
+ "name": "syslogd",
+ "pid": 46
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T11:53:57.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "objc[85294]: __weak variable at 0x60000c648290 holds 0x2121212121212121 instead of 0x6000050242a0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.",
+ "process": {
+ "name": "Google Chrome",
+ "pid": 85294
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T11:55:28.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook",
+ "process": {
+ "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21589])"
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T11:55:57.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "objc[85294]: __weak variable at 0x600009840460 holds 0x2121212121212121 instead of 0x60000122e940. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.",
+ "process": {
+ "name": "Google Chrome",
+ "pid": 85294
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T11:56:30.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "Unknown key for integer: _DirtyJetsamMemoryLimit",
+ "process": {
+ "name": "com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent)"
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T11:57:57.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "objc[85294]: __weak variable at 0x60000ee5b730 holds 0x2121212121212121 instead of 0x600007821c20. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.",
+ "process": {
+ "name": "Google Chrome",
+ "pid": 85294
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T11:59:40.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook",
+ "process": {
+ "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21946])"
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:01:57.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "objc[85294]: __weak variable at 0x600006a49940 holds 0x2121212121212121 instead of 0x6000078202e0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.",
+ "process": {
+ "name": "Google Chrome",
+ "pid": 85294
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:01:57.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "ASL Sender Statistics",
+ "process": {
+ "name": "syslogd",
+ "pid": 46
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:03:04.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "Invoked notification with id: d63743fb-f17b-4e9e-97d0-88e0e7304682",
+ "process": {
+ "name": "Slack Helper",
+ "pid": 55199
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:03:51.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook",
+ "process": {
+ "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21966])"
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:05:57.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "objc[85294]: __weak variable at 0x60800f043dc0 holds 0x2121212121212121 instead of 0x6080026228c0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.",
+ "process": {
+ "name": "Google Chrome",
+ "pid": 85294
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:08:02.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook",
+ "process": {
+ "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21981])"
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:09:57.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "objc[85294]: __weak variable at 0x608009a53600 holds 0x2121212121212121 instead of 0x608000629420. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.",
+ "process": {
+ "name": "Google Chrome",
+ "pid": 85294
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:11:57.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "objc[85294]: __weak variable at 0x60800f259c30 holds 0x2121212121212121 instead of 0x608004a21c20. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.",
+ "process": {
+ "name": "Google Chrome",
+ "pid": 85294
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:11:57.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "ASL Sender Statistics",
+ "process": {
+ "name": "syslogd",
+ "pid": 46
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:12:13.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook",
+ "process": {
+ "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22226])"
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:13:57.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "objc[85294]: __weak variable at 0x60000c647d80 holds 0x2121212121212121 instead of 0x600006e3ee80. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.",
+ "process": {
+ "name": "Google Chrome",
+ "pid": 85294
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:15:57.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "objc[85294]: __weak variable at 0x60800f053a80 holds 0x2121212121212121 instead of 0x608007227ce0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.",
+ "process": {
+ "name": "Google Chrome",
+ "pid": 85294
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:16:24.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook",
+ "process": {
+ "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22241])"
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:17:57.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "objc[85294]: __weak variable at 0x60000a64ce80 holds 0x2121212121212121 instead of 0x600006629940. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.",
+ "process": {
+ "name": "Google Chrome",
+ "pid": 85294
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:19:57.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "objc[85294]: __weak variable at 0x60000a843580 holds 0x2121212121212121 instead of 0x600006629540. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.",
+ "process": {
+ "name": "Google Chrome",
+ "pid": 85294
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:20:35.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook",
+ "process": {
+ "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22254])"
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:21:57.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "objc[85294]: __weak variable at 0x60800f45b910 holds 0x2121212121212121 instead of 0x608005822c40. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.",
+ "process": {
+ "name": "Google Chrome",
+ "pid": 85294
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:21:57.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "ASL Sender Statistics",
+ "process": {
+ "name": "syslogd",
+ "pid": 46
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:23:13.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "Unknown key for integer: _DirtyJetsamMemoryLimit",
+ "process": {
+ "name": "com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent)"
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:23:57.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "objc[85294]: __weak variable at 0x60000ea5edf0 holds 0x2121212121212121 instead of 0x600003a35a60. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.",
+ "process": {
+ "name": "Google Chrome",
+ "pid": 85294
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:24:46.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook",
+ "process": {
+ "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22265])"
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:28:43.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "Invoked notification with id: 52bf37d9-0c4e-4276-8789-9fc7704bdf5b",
+ "process": {
+ "name": "Slack Helper",
+ "pid": 55199
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:28:57.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook",
+ "process": {
+ "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22292])"
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:29:06.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "Invoked notification with id: c6c7e356-60a7-4b9e-a9b1-ecc2b8ad09f2",
+ "process": {
+ "name": "Slack Helper",
+ "pid": 55199
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:29:57.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "objc[85294]: __weak variable at 0x60800f246430 holds 0x2121212121212121 instead of 0x608001c26d00. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.",
+ "process": {
+ "name": "Google Chrome",
+ "pid": 85294
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:31:57.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "objc[85294]: __weak variable at 0x60800c85fd80 holds 0x2121212121212121 instead of 0x608005a3a420. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.",
+ "process": {
+ "name": "Google Chrome",
+ "pid": 85294
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:31:57.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "ASL Sender Statistics",
+ "process": {
+ "name": "syslogd",
+ "pid": 46
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:33:08.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook",
+ "process": {
+ "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22305])"
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:33:57.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "objc[85294]: __weak variable at 0x600006452400 holds 0x2121212121212121 instead of 0x60000763bac0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.",
+ "process": {
+ "name": "Google Chrome",
+ "pid": 85294
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:35:56.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "2016-12-13 12:35:56.416 GoogleSoftwareUpdateAgent[22318/0x7fffcc3f93c0] [lvl=2] -[KSAgentApp setupLoggerOutput] Agent settings: \u003cKSAgentSettings:0x100505750 bundleID=com.google.Keystone.Agent lastCheck=2016-12-13 10:35:32 +0000 checkInterval=18000.000000 uiDisplayInterval=604800.000000 sleepInterval=1800.000000 jitterInterval=900 maxRunInterval=0.000000 isConsoleUser=1 ticketStorePath=/Users/tsg/Library/Google/GoogleSoftwareUpdate/TicketStore/Keystone.ticketstore runMode=3 daemonUpdateEngineBrokerServiceName=com.google.Keystone.Daemon.UpdateEngine daemonAdministrationServiceName=com.google.Keystone.Daemon.Administration logEverything=0 logBufferSize=2048 alwaysPromptForUpdates=0 productIDToUpdate=(null) lastUIDisplayed=(null) alwaysShowStatusItem=0 updateCheckTag=(null) printResults=NO userInitiated=NO\u003e",
+ "process": {
+ "name": "GoogleSoftwareUpdateAgent",
+ "pid": 22318
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:37:20.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook",
+ "process": {
+ "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22324])"
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:37:57.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "objc[85294]: __weak variable at 0x60800f24d0f0 holds 0x2121212121212121 instead of 0x608007423ee0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.",
+ "process": {
+ "name": "Google Chrome",
+ "pid": 85294
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:39:28.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "Invoked notification with id: aa608788-d049-4d1a-9112-521c71702371",
+ "process": {
+ "name": "Slack Helper",
+ "pid": 55199
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:41:06.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "Unknown key for integer: _DirtyJetsamMemoryLimit",
+ "process": {
+ "name": "com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent)"
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:41:26.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "Invoked notification with id: d75f9ec1-a8fd-41c2-a45e-6df2952f0702",
+ "process": {
+ "name": "Slack Helper",
+ "pid": 55199
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:41:30.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook",
+ "process": {
+ "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22336])"
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:41:57.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "objc[85294]: __weak variable at 0x60800a2535a0 holds 0x2121212121212121 instead of 0x608003828e20. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.",
+ "process": {
+ "name": "Google Chrome",
+ "pid": 85294
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:41:57.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "ASL Sender Statistics",
+ "process": {
+ "name": "syslogd",
+ "pid": 46
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:43:57.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "objc[85294]: __weak variable at 0x60800f241d50 holds 0x2121212121212121 instead of 0x60800562f380. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.",
+ "process": {
+ "name": "Google Chrome",
+ "pid": 85294
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:45:41.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook",
+ "process": {
+ "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22348])"
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:45:57.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "objc[85294]: __weak variable at 0x60000c444450 holds 0x2121212121212121 instead of 0x600007237f00. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.",
+ "process": {
+ "name": "Google Chrome",
+ "pid": 85294
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:47:58.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "objc[85294]: __weak variable at 0x60000c4424a0 holds 0x2121212121212121 instead of 0x600007026520. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.",
+ "process": {
+ "name": "Google Chrome",
+ "pid": 85294
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:13.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_handle_cache_delete_with_urgency(0x7fc55c429b40, 0, 1)",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:13.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_volume_contains_cached_data(is /private/var/db/diagnostics/ in /) - YES",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:13.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "Purged 0 bytes from log files.",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:13.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext enter - 1",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:14.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext got 1023 UUIDs and 3 slibs from inflight logs",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:14.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "Unknown key for integer: _DirtyJetsamMemoryLimit",
+ "process": {
+ "name": "com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent)"
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:24.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext got 1303 UUIDs and 3 slibs from inflight and persistent logs",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:24.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext processing shared lib uuid 00000000-0000-0000-0000-000000000000",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:24.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext processing shared lib uuid 519BE6A1-940A-3142-975F-4EF4F41A89B3",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:24.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext processing shared lib uuid C43133F6-64A3-3F65-997F-0E985A66E971",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:24.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext got 2260 UUIDs and 3 slibs from inflight and persistent logs and slibs",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:24.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 00000000-0000-0000-0000-000000000000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:27.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 1BD0C00C-0885-4C02-B522-D1E9CBDE84E7 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:29.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 40E9BF5F-FF7F-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 60E9BF5F-FF7F-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 66A56E12-C69B-4249-BC49-760C03F3700A mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 700F0308-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 700F190B-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 700F3C07-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 700F6107-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 700F800A-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 700F8102-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 700F9401-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 700FD70E-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 700FD900-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 700FEE0B-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 700FF904-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 701F1C0F-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 701F2F0E-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 701F4C02-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 701FAE07-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 701FBD0F-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 701FE80B-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 701FEF07-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 701FF700-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 701FF90D-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 702F5E0E-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 702F6503-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 702F6B06-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 702FEB0B-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 702FFC01-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 703F0E06-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 703F4A0A-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 703F8C07-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 703F9405-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 703FA300-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 703FC709-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 703FD007-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 703FED05-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 704F0003-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 704F550C-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 704F750A-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 704F8102-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 704F8C0C-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 704F8D09-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 704FB402-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 704FBB01-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 705F030E-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 705F2D10-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 705F3B01-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 705F4E0A-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 705FA30D-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 705FDA05-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 705FDF03-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 706F5101-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 706F6300-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 706F6E05-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 706FE207-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 706FEC00-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 706FFB07-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 707F0907-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 707F6A04-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 707F7B00-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 707F9B0D-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 707FAD09-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 707FB80A-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 707FD809-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 707FE404-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 708F3207-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 708F3402-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 708F3809-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 708F470F-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 708F8A00-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 708F9F0A-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 708FB403-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 708FC507-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 708FDC07-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 708FEA0A-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 708FFC08-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 709F1005-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 709F1E0D-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 709F4C0A-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 709F5F08-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 709F6306-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 709F6903-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 709F980E-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 709FA80C-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 709FE302-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 709FE808-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 709FE809-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 709FED00-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 709FEF02-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 709FEF0A-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 70AF070C-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 70AF2108-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 70AF270C-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 70AF390B-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 70AF4A0D-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 70AF6D06-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 70AF700E-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 70AF810D-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 70AF9D02-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 70AFA200-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 70AFBE07-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 70AFCC02-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 70BF210E-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 70BF4C0A-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 70BF9000-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 70BF9302-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 70BFC302-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 70BFD507-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 70BFD605-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 70BFE302-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 70BFFF03-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 70CF0210-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 70CF0603-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 70CF0802-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 70CF180F-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 70CF1902-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 70CF4A07-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 70CF530D-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 70CF590D-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 70CF770D-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 70CFA700-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 70CFC804-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 70CFE00C-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 70CFEA09-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 70CFED0B-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 70DF4B07-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 70DF7301-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 70DFA303-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 70DFCB0E-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 70DFDD01-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 70DFE504-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 70E9BF5F-FF7F-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 70EF2F0A-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 70EF4609-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 70EF5D05-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 70EF7F07-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 70EF8606-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 70EFA406-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 70EFA60F-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 70EFC606-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 70EFD407-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 70FF0207-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 70FF1E04-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 70FF6F01-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 70FF7703-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:31.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 70FF9708-0070-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:32.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for 80E8BF5F-FF7F-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:32.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for A0E8BF5F-FF7F-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:32.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for A0E9BF5F-FF7F-0000-FD68-88C3FF7F0000 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:32.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for B22412E8-3691-4FA9-95EA-C5B9E2A3C572 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:33.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuidtext file for F011D7E8-7633-3668-9455-53893C4F4B33 mentioned but not found",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:33.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext tree walked",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:33.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/00/0E757A4E2C3108A74D6C5A996AAAAB",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:33.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/00/F2131643943190B32FE35236EA4864",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:33.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/06/608E438FDA3E28B9A262F575FE0E75",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:33.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/09/35918C5C783B8AB2E6B75B12056F3C",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:33.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/11/DD409E112F373398E6DA86BF046EC9",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:33.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/14/65FB07456D36EC9EC80462D86BB21B",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:33.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/18/A779EC17953910996D134A28F5C564",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/19/57E846B04C32FBAD78821B285B0D18",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/1E/79F11C7D5333F1BD0630540535F725",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/1E/9811DDA51A3BE9A4A748AD394DBE73",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/23/099C5F0A853312A9BD5694C15D228C",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/27/FBA267162735F8B5A6BF29E3A7670E",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/39/2980D3CAF73E2A94ED57F74979F1D9",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/3E/67870101A7359F88CCB9BD6681FC93",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/41/C51F4A33E03ACF86603802C9E6FFDE",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/42/BF3535B92C3272BA41F8A9BC267F3B",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/42/C18E8D6CEE37FF8DCD1390244CF38E",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/53/4B25B3C583361EADD5CB938678868C",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/54/090A60831C3233A4F0022DB86FF8B8",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/56/8EBEC4BC8230848898534D17830BB6",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/57/58C9F966E631669B74E6625D40C806",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/5E/F7315AF27B31A6A38D6364704D4FFC",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/5F/2B940389D136F2817A41C784D530CB",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/62/196B2A409236898AAD3A1520C53191",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/65/2D3DB29CBA32E297A65465CBA36B01",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/67/58A21E3D2B3620952A68EC384CC1AF",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/69/ADA53CBD3A3E31B08CFD85B12D52E1",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/72/FB1BBBCA3E30E89802A68B8B2B07F1",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/74/702F7027E834ACB0057983649FFB29",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/75/B25BA663DB34EC9AAC6971BBE817EB",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/75/B88148A6E233F8AFF323294DE561E0",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/76/2702DC49823F9E8292BB022D6BAF84",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/76/73D347C0F834879F9438D542975A23",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/78/397DF6C0253FD383E4AFAE3DD2E49C",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/7F/BCC184181A3913ADC50E38F950D098",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/81/12B328744938E1ACF2846B35CD83B4",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/82/3CB803D77334D0B5C759685022D876",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/8A/860FB569623B81B0511956EC82CEA3",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/90/9D581D35E7358AA75371D3A038142D",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/99/AC7E971E8C3319AD0514626D763823",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/9A/53817F2101396598311DB81D851FBA",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/9B/2EB7A3E93A3641B38EAD32B1CBE412",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/9F/E64976D7223E7F992BB3287AF23301",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/A7/8C02A56C0F3A9D90CAD8C92842B9A9",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/A9/733CC25E7239F98BC0812C5D7AF135",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/AB/450D449D5432C9B30A439A35B29931",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/B0/AF101031AA3188A08CF1517F800B2C",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/B4/77C958888B3AB092FD097D2C9A1B13",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/B4/BDFB4CAE49386B963E2C7A296B7D20",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/B5/0CBF2789673C6AB67F80F199CFD499",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/B6/41F64AD9923AD19AED8A35325FB04E",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/B6/566C8F2EA7349EB2C02647D2F69F97",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/BA/2A57BB4346303EA1E87862E6752057",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/C0/2D31E981553F31B0E9C36C232EE607",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/C0/E060E4E9373D4D9B4A930D3291F052",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/C2/531C46380A3DA489F7752C2FE6AEA0",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/C9/17C064F3903260A7DC304FABDDC3FD",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/CD/E2995BDA593F96B16EF1AE92AF31D8",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/CE/EE9ADE6F813CD78A1308F14010F463",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/D1/7E3015AC923AFE89BAFE6411B96431",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/D3/AE090906EC3F058A04EE77A574C8B3",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/DA/BAD1584258317A8483FE9CF10547BD",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/DD/CCB6FD639830F39A5D87247D54F616",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/E1/05E61475463784975FC5278723D08C",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/E1/B515E0321E3B85B90F01D623DC9047",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/E2/8DBEF43A0A37008A26AE9F016435F3",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/E3/55D24FAC0838679583537F319C7B72",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/EF/8522BAF9393808A2E6018507233133",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext unlinking /var/db/uuidtext/FC/F7262CC2703E32BD3808B2D50C74F0",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext total: 2209, in_use:2104, marked:23, recent:13, deleted 69",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext slib tree cleaned up (0)",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext uuid tree cleaned up (3)",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "_purge_uuidtext cleaned up (0)",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:34.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "Purged 5816519 bytes from uuidtext.",
+ "process": {
+ "name": "logd",
+ "pid": 63
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:52.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook",
+ "process": {
+ "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22360])"
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:49:57.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "objc[85294]: __weak variable at 0x600011443d90 holds 0x2121212121212121 instead of 0x600006e206c0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.",
+ "process": {
+ "name": "Google Chrome",
+ "pid": 85294
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:51:58.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "objc[85294]: __weak variable at 0x60800ac568a0 holds 0x2121212121212121 instead of 0x608003630680. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.",
+ "process": {
+ "name": "Google Chrome",
+ "pid": 85294
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:51:58.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "ASL Sender Statistics",
+ "process": {
+ "name": "syslogd",
+ "pid": 46
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:53:58.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "objc[85294]: __weak variable at 0x60000664ad50 holds 0x2121212121212121 instead of 0x600006c31140. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.",
+ "process": {
+ "name": "Google Chrome",
+ "pid": 85294
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:54:03.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook",
+ "process": {
+ "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22370])"
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:55:58.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "objc[85294]: __weak variable at 0x6000060446c0 holds 0x2121212121212121 instead of 0x600006c34d60. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.",
+ "process": {
+ "name": "Google Chrome",
+ "pid": 85294
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:57:58.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "objc[85294]: __weak variable at 0x60000c645c20 holds 0x2121212121212121 instead of 0x600002e295c0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.",
+ "process": {
+ "name": "Google Chrome",
+ "pid": 85294
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:58:14.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook",
+ "process": {
+ "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22382])"
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T12:59:58.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "objc[85294]: __weak variable at 0x60800fe59330 holds 0x2121212121212121 instead of 0x608004030e80. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.",
+ "process": {
+ "name": "Google Chrome",
+ "pid": 85294
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T13:01:58.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "objc[85294]: __weak variable at 0x60000ec41a20 holds 0x2121212121212121 instead of 0x600002e2d920. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.",
+ "process": {
+ "name": "Google Chrome",
+ "pid": 85294
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T13:01:58.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "ASL Sender Statistics",
+ "process": {
+ "name": "syslogd",
+ "pid": 46
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T13:03:19.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "BUG in libdispatch client: kevent[EVFILT_MACHPORT] monitored resource vanished before the source cancel handler was invoked",
+ "process": {
+ "name": "Preview",
+ "pid": 24046
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T13:03:58.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "objc[85294]: __weak variable at 0x608007645da0 holds 0x2121212121212121 instead of 0x6080044252a0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.",
+ "process": {
+ "name": "Google Chrome",
+ "pid": 85294
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T13:05:26.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook",
+ "process": {
+ "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[25276])"
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T13:05:58.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "objc[85294]: __weak variable at 0x60000c643b20 holds 0x2121212121212121 instead of 0x6000036340a0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.",
+ "process": {
+ "name": "Google Chrome",
+ "pid": 85294
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T13:07:26.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "Invoked notification with id: 7cc1869b-ba48-4307-8474-0bc68cd9c71d",
+ "process": {
+ "name": "Slack Helper",
+ "pid": 55199
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T13:07:58.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "objc[85294]: __weak variable at 0x600007852ee0 holds 0x2121212121212121 instead of 0x600006a22780. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.",
+ "process": {
+ "name": "Google Chrome",
+ "pid": 85294
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T13:09:37.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook",
+ "process": {
+ "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[25878])"
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T13:09:49.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "Unknown key for integer: _DirtyJetsamMemoryLimit",
+ "process": {
+ "name": "com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent)"
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T13:13:48.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook",
+ "process": {
+ "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[25888])"
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T13:13:48.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "ASL Sender Statistics",
+ "process": {
+ "name": "syslogd",
+ "pid": 46
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T13:13:58.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "objc[85294]: __weak variable at 0x60001125b6a0 holds 0x2121212121212121 instead of 0x600007234ce0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.",
+ "process": {
+ "name": "Google Chrome",
+ "pid": 85294
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T13:15:58.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "objc[85294]: __weak variable at 0x600006a41480 holds 0x2121212121212121 instead of 0x600003a2e920. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.",
+ "process": {
+ "name": "Google Chrome",
+ "pid": 85294
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T13:17:58.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "objc[85294]: __weak variable at 0x600005a46cd0 holds 0x2121212121212121 instead of 0x60000582bd00. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.",
+ "process": {
+ "name": "Google Chrome",
+ "pid": 85294
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T13:17:59.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook",
+ "process": {
+ "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[25896])"
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T13:19:58.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "objc[85294]: __weak variable at 0x60800ee5b730 holds 0x2121212121212121 instead of 0x6080072264c0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.",
+ "process": {
+ "name": "Google Chrome",
+ "pid": 85294
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T13:21:58.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "objc[85294]: __weak variable at 0x60800f65cb10 holds 0x2121212121212121 instead of 0x6080046351c0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.",
+ "process": {
+ "name": "Google Chrome",
+ "pid": 85294
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T13:22:10.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook",
+ "process": {
+ "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[25914])"
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T13:23:58.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "objc[85294]: __weak variable at 0x600008c56780 holds 0x2121212121212121 instead of 0x600006624600. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.",
+ "process": {
+ "name": "Google Chrome",
+ "pid": 85294
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T13:23:58.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "ASL Sender Statistics",
+ "process": {
+ "name": "syslogd",
+ "pid": 46
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T13:25:58.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "objc[85294]: __weak variable at 0x60800f65d7a0 holds 0x2121212121212121 instead of 0x608003a3d9a0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.",
+ "process": {
+ "name": "Google Chrome",
+ "pid": 85294
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T13:26:21.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook",
+ "process": {
+ "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[25923])"
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T13:27:58.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "objc[85294]: __weak variable at 0x60000785e8e0 holds 0x2121212121212121 instead of 0x600006622ba0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.",
+ "process": {
+ "name": "Google Chrome",
+ "pid": 85294
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T13:29:58.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "objc[85294]: __weak variable at 0x60801005a980 holds 0x2121212121212121 instead of 0x608001a3f8a0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.",
+ "process": {
+ "name": "Google Chrome",
+ "pid": 85294
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T13:30:33.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook",
+ "process": {
+ "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[25940])"
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T13:31:58.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "objc[85294]: __weak variable at 0x60000d6588b0 holds 0x2121212121212121 instead of 0x600002a3dd60. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.",
+ "process": {
+ "name": "Google Chrome",
+ "pid": 85294
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T13:32:28.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "Unknown key for integer: _DirtyJetsamMemoryLimit",
+ "process": {
+ "name": "com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent)"
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T13:33:58.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "objc[85294]: __weak variable at 0x60800f459990 holds 0x2121212121212121 instead of 0x60800463e7e0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.",
+ "process": {
+ "name": "Google Chrome",
+ "pid": 85294
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T13:33:58.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "ASL Sender Statistics",
+ "process": {
+ "name": "syslogd",
+ "pid": 46
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T13:34:44.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook",
+ "process": {
+ "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[26381])"
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T13:35:59.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "objc[85294]: __weak variable at 0x60000be429b0 holds 0x2121212121212121 instead of 0x600003c325e0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.",
+ "process": {
+ "name": "Google Chrome",
+ "pid": 85294
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2022-12-13T13:36:19.000-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "a-mac-with-esc-key"
+ },
+ "message": "2016-12-13 13:36:19.906 GoogleSoftwareUpdateAgent[27321/0x7fffcc3f93c0] [lvl=2] -[KSAgentApp setupLoggerOutput] Agent settings: \u003cKSAgentSettings:0x100228060 bundleID=com.google.Keystone.Agent lastCheck=2016-12-13 10:35:32 +0000 checkInterval=18000.000000 uiDisplayInterval=604800.000000 sleepInterval=1800.000000 jitterInterval=900 maxRunInterval=0.000000 isConsoleUser=1 ticketStorePath=/Users/tsg/Library/Google/GoogleSoftwareUpdate/TicketStore/Keystone.ticketstore runMode=3 daemonUpdateEngineBrokerServiceName=com.google.Keystone.Daemon.UpdateEngine daemonAdministrationServiceName=com.google.Keystone.Daemon.Administration logEverything=0 logBufferSize=2048 alwaysPromptForUpdates=0 productIDToUpdate=(null) lastUIDisplayed=(null) alwaysShowStatusItem=0 updateCheckTag=(null) printResults=NO userInitiated=NO\u003e",
+ "process": {
+ "name": "GoogleSoftwareUpdateAgent",
+ "pid": 27321
+ },
+ "system": {
+ "syslog": {}
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-suse-syslog.log b/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-suse-syslog.log
new file mode 100644
index 000000000..b7682f5e4
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-suse-syslog.log
@@ -0,0 +1,2 @@
+2018-08-14T14:30:02.203151+02:00 linux-sqrz systemd[4179]: Stopped target Basic System.
+2018-08-14T14:30:02.203251+02:00 linux-sqrz systemd[4179]: Stopped target Paths.
diff --git a/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-suse-syslog.log-config.yml b/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-suse-syslog.log-config.yml
new file mode 100644
index 000000000..4ef513697
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-suse-syslog.log-config.yml
@@ -0,0 +1,2 @@
+fields:
+ event.timezone: "GMT-0200"
diff --git a/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-suse-syslog.log-expected.json b/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-suse-syslog.log-expected.json
new file mode 100644
index 000000000..77d9520b9
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-suse-syslog.log-expected.json
@@ -0,0 +1,44 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2018-08-14T10:30:02.203-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "linux-sqrz"
+ },
+ "message": "Stopped target Basic System.",
+ "process": {
+ "name": "systemd",
+ "pid": 4179
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2018-08-14T10:30:02.203-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "linux-sqrz"
+ },
+ "message": "Stopped target Paths.",
+ "process": {
+ "name": "systemd",
+ "pid": 4179
+ },
+ "system": {
+ "syslog": {}
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-tz-offset.log b/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-tz-offset.log
new file mode 100644
index 000000000..f7196ecbb
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-tz-offset.log
@@ -0,0 +1,3 @@
+1986-04-26T01:23:45.101+0400 rmbkmonitor04 shutdown[2649]: shutting down for system halt
+1986-04-26T01:23:45.388424+04:00 rmbkmonitor04 thermald: constraint_0_power_limit_uw exceeded.
+2019-06-14T10:40:20.912134 localhost sudo: pam_unix(sudo-i:session): session opened for user root by userauth3(uid=0)
diff --git a/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-tz-offset.log-config.yml b/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-tz-offset.log-config.yml
new file mode 100644
index 000000000..999db39c2
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-tz-offset.log-config.yml
@@ -0,0 +1,3 @@
+fields:
+ event.kind: "event"
+ event.timezone: "GMT-0200"
diff --git a/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-tz-offset.log-expected.json b/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-tz-offset.log-expected.json
new file mode 100644
index 000000000..1b798f2ad
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/syslog/_dev/test/pipeline/test-tz-offset.log-expected.json
@@ -0,0 +1,65 @@
+{
+ "expected": [
+ {
+ "@timestamp": "1986-04-25T19:23:45.101-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "kind": "event",
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "rmbkmonitor04"
+ },
+ "message": "shutting down for system halt",
+ "process": {
+ "name": "shutdown",
+ "pid": 2649
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "1986-04-25T19:23:45.388-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "kind": "event",
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "rmbkmonitor04"
+ },
+ "message": "constraint_0_power_limit_uw exceeded.",
+ "process": {
+ "name": "thermald"
+ },
+ "system": {
+ "syslog": {}
+ }
+ },
+ {
+ "@timestamp": "2019-06-14T10:40:20.912-02:00",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "kind": "event",
+ "timezone": "GMT-0200"
+ },
+ "host": {
+ "hostname": "localhost"
+ },
+ "message": "pam_unix(sudo-i:session): session opened for user root by userauth3(uid=0)",
+ "process": {
+ "name": "sudo"
+ },
+ "system": {
+ "syslog": {}
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/syslog/agent/stream/log.yml.hbs b/test/packages/parallel/system/data_stream/syslog/agent/stream/log.yml.hbs
new file mode 100644
index 000000000..a02298caf
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/syslog/agent/stream/log.yml.hbs
@@ -0,0 +1,22 @@
+paths:
+{{#each paths as |path i|}}
+ - {{path}}
+{{/each}}
+exclude_files: [".gz$"]
+multiline:
+ pattern: "^\\s"
+ match: after
+processors:
+- add_locale: ~
+{{#if processors.length}}
+{{processors}}
+{{/if}}
+{{#if tags.length}}
+tags:
+{{#each tags as |tag i|}}
+- {{tag}}
+{{/each}}
+{{/if}}
+{{#if ignore_older}}
+ignore_older: {{ignore_older}}
+{{/if}}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/syslog/elasticsearch/ingest_pipeline/default.yml b/test/packages/parallel/system/data_stream/syslog/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 000000000..56966e351
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/syslog/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,56 @@
+---
+description: Pipeline for parsing Syslog messages.
+processors:
+ - grok:
+ field: message
+ patterns:
+ - '%{SYSLOGTIMESTAMP:system.syslog.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: %{GREEDYMULTILINE:system.syslog.message}'
+ - '%{SYSLOGTIMESTAMP:system.syslog.timestamp} %{GREEDYMULTILINE:system.syslog.message}'
+ - '%{TIMESTAMP_ISO8601:system.syslog.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: %{GREEDYMULTILINE:system.syslog.message}'
+ pattern_definitions:
+ GREEDYMULTILINE: |-
+ (.|
+ )*
+ ignore_missing: true
+ - remove:
+ field: message
+ - rename:
+ field: system.syslog.message
+ target_field: message
+ ignore_missing: true
+ - date:
+ if: ctx.event.timezone == null
+ field: system.syslog.timestamp
+ target_field: '@timestamp'
+ formats:
+ - MMM d HH:mm:ss
+ - MMM dd HH:mm:ss
+ - MMM d HH:mm:ss
+ - ISO8601
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
+ - date:
+ if: ctx.event.timezone != null
+ field: system.syslog.timestamp
+ target_field: '@timestamp'
+ formats:
+ - MMM d HH:mm:ss
+ - MMM dd HH:mm:ss
+ - MMM d HH:mm:ss
+ - ISO8601
+ timezone: '{{ event.timezone }}'
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
+ - remove:
+ field: system.syslog.timestamp
+ - set:
+ field: ecs.version
+ value: 8.0.0
+on_failure:
+ - set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/test/packages/parallel/system/data_stream/syslog/fields/agent.yml b/test/packages/parallel/system/data_stream/syslog/fields/agent.yml
new file mode 100644
index 000000000..da4e652c5
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/syslog/fields/agent.yml
@@ -0,0 +1,198 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+ type: group
+ fields:
+ - name: account.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
+
+ Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+ example: 666777888999
+ - name: availability_zone
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Availability zone in which this host is running.
+ example: us-east-1c
+ - name: instance.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance ID of the host machine.
+ example: i-1234567890abcdef0
+ - name: instance.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance name of the host machine.
+ - name: machine.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Machine type of the host machine.
+ example: t2.medium
+ - name: provider
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+ example: aws
+ - name: region
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Region in which this host is running.
+ example: us-east-1
+ - name: project.id
+ type: keyword
+ description: Name of the project in Google Cloud.
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
+- name: container
+ title: Container
+ group: 2
+ description: 'Container fields are used for meta information about the specific container that is the source of information.
+
+ These fields help correlate data based containers from any runtime.'
+ type: group
+ fields:
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique container id.
+ - name: image.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the image the container was built on.
+ - name: labels
+ level: extended
+ type: object
+ object_type: keyword
+ description: Image labels.
+ - name: name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Container name.
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: architecture
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Operating system architecture.
+ example: x86_64
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the domain of which the host is a member.
+
+ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
+ example: CONTOSO
+ default_field: false
+ - name: hostname
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Hostname of the host.
+
+ It normally contains what the `hostname` command returns on the host machine.'
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique host id.
+
+ As hostname is not always unique, use values that are meaningful in your environment.
+
+ Example: The current usage of `beat.name`.'
+ - name: ip
+ level: core
+ type: ip
+ description: Host ip addresses.
+ - name: mac
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Host mac addresses.
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the host.
+
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
+ - name: os.family
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: OS family (such as redhat, debian, freebsd, windows).
+ example: debian
+ - name: os.kernel
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system kernel version as a raw string.
+ example: 4.4.0-112-generic
+ - name: os.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Operating system name, without the version.
+ example: Mac OS X
+ - name: os.platform
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system platform (such centos, ubuntu, windows).
+ example: darwin
+ - name: os.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system version as a raw string.
+ example: 10.14.1
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Type of host.
+
+ For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
+ - name: containerized
+ type: boolean
+ description: >
+ If the host is a container.
+
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >
+ OS build information.
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
+
diff --git a/test/packages/parallel/system/data_stream/syslog/fields/base-fields.yml b/test/packages/parallel/system/data_stream/syslog/fields/base-fields.yml
new file mode 100644
index 000000000..c43f25683
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/syslog/fields/base-fields.yml
@@ -0,0 +1,21 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+ value: logs
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset.
+ value: system.syslog
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: system
diff --git a/test/packages/parallel/system/data_stream/syslog/fields/ecs.yml b/test/packages/parallel/system/data_stream/syslog/fields/ecs.yml
new file mode 100644
index 000000000..1a5ab6d19
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/syslog/fields/ecs.yml
@@ -0,0 +1,56 @@
+- external: ecs
+ name: '@timestamp'
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: event.action
+- external: ecs
+ name: event.category
+- external: ecs
+ name: event.code
+- external: ecs
+ name: event.created
+- external: ecs
+ name: event.ingested
+- external: ecs
+ name: event.kind
+- external: ecs
+ name: event.module
+- external: ecs
+ name: event.outcome
+- external: ecs
+ name: event.provider
+- external: ecs
+ name: event.sequence
+- external: ecs
+ name: event.type
+- external: ecs
+ name: host.architecture
+- external: ecs
+ name: host.domain
+- external: ecs
+ name: host.hostname
+- external: ecs
+ name: host.id
+- external: ecs
+ name: host.ip
+- external: ecs
+ name: host.mac
+- external: ecs
+ name: host.name
+- external: ecs
+ name: host.os.family
+- external: ecs
+ name: host.os.full
+- external: ecs
+ name: host.os.kernel
+- external: ecs
+ name: host.os.name
+- external: ecs
+ name: host.os.platform
+- external: ecs
+ name: message
+- external: ecs
+ name: process.name
+- external: ecs
+ name: process.pid
diff --git a/test/packages/parallel/system/data_stream/syslog/fields/fields.yml b/test/packages/parallel/system/data_stream/syslog/fields/fields.yml
new file mode 100644
index 000000000..f93368693
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/syslog/fields/fields.yml
@@ -0,0 +1,2 @@
+- name: system.syslog
+ type: group
diff --git a/test/packages/parallel/system/data_stream/syslog/manifest.yml b/test/packages/parallel/system/data_stream/syslog/manifest.yml
new file mode 100644
index 000000000..f7374ee8f
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/syslog/manifest.yml
@@ -0,0 +1,42 @@
+title: System syslog logs
+type: logs
+streams:
+ - input: logfile
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/messages*
+ - /var/log/syslog*
+ - /var/log/system*
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ show_user: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+ - name: ignore_older
+ type: text
+ title: Ignore events older than
+ default: 72h
+ required: false
+ show_user: false
+ description: >-
+ If this option is specified, events that are older than the specified amount of time are ignored. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
+ template_path: log.yml.hbs
+ title: System syslog logs (log)
+ description: Collect System syslog logs using log input
+# Ensures agents have permissions to write data to `logs-*-*`
+elasticsearch.dynamic_dataset: true
+elasticsearch.dynamic_namespace: true
diff --git a/test/packages/parallel/system/data_stream/system/agent/stream/httpjson.yml.hbs b/test/packages/parallel/system/data_stream/system/agent/stream/httpjson.yml.hbs
new file mode 100644
index 000000000..6364f1ab6
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/system/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,107 @@
+config_version: "2"
+interval: {{interval}}
+{{#if enable_request_tracer}}
+request.tracer.filename: "../../logs/httpjson/http-request-trace-*.ndjson"
+{{/if}}
+{{#unless token}}
+{{#if username}}
+{{#if password}}
+auth.basic.user: {{username}}
+auth.basic.password: {{password}}
+{{/if}}
+{{/if}}
+{{/unless}}
+cursor:
+ index_earliest:
+ value: '[[.last_event.result.max_indextime]]'
+request.url: {{url}}/services/search/jobs/export
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+request.method: POST
+request.transforms:
+ - set:
+ target: url.params.search
+ value: |-
+ {{search}} | streamstats max(_indextime) AS max_indextime
+ - set:
+ target: url.params.output_mode
+ value: "json"
+ - set:
+ target: url.params.index_earliest
+ value: '[[ .cursor.index_earliest ]]'
+ default: '[[(now (parseDuration "-{{interval}}")).Unix]]'
+ - set:
+ target: url.params.index_latest
+ value: '[[(now).Unix]]'
+ - set:
+ target: header.Content-Type
+ value: application/x-www-form-urlencoded
+{{#unless username}}
+{{#unless password}}
+{{#if token}}
+ - set:
+ target: header.Authorization
+ value: {{token}}
+{{/if}}
+{{/unless}}
+{{/unless}}
+response.decode_as: application/x-ndjson
+tags:
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+ - decode_json_fields:
+ fields: message
+ target: json
+ add_error_key: true
+ - drop_event:
+ when:
+ not:
+ has_fields: ['json.result']
+ - fingerprint:
+ fields:
+ - json.result._cd
+ - json.result._indextime
+ - json.result._raw
+ - json.result._time
+ - json.result.host
+ - json.result.source
+ target_field: "@metadata._id"
+ - drop_fields:
+ fields: message
+ - rename:
+ fields:
+ - from: json.result._raw
+ to: event.original
+ - from: json.result.host
+ to: host.name
+ - from: json.result.source
+ to: event.provider
+ ignore_missing: true
+ fail_on_error: false
+ - drop_fields:
+ fields: json
+ - decode_xml_wineventlog:
+ field: event.original
+ target_field: winlog
+ ignore_missing: true
+ ignore_failure: true
+ map_ecs_fields: true
+ - timestamp:
+ field: winlog.time_created
+ layouts:
+ - '2006-01-02T15:04:05Z'
+ - '2006-01-02T15:04:05.999Z'
+ - '2006-01-02T15:04:05.999-07:00'
+ test:
+ - '2019-06-22T16:33:51Z'
+ - '2019-11-18T04:59:51.123Z'
+ - '2020-08-03T07:10:20.123456+02:00'
diff --git a/test/packages/parallel/system/data_stream/system/agent/stream/winlog.yml.hbs b/test/packages/parallel/system/data_stream/system/agent/stream/winlog.yml.hbs
new file mode 100644
index 000000000..927c95968
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/system/agent/stream/winlog.yml.hbs
@@ -0,0 +1,24 @@
+name: System
+condition: ${host.platform} == 'windows'
+{{#if event_id}}
+event_id: {{event_id}}
+{{/if}}
+{{#if ignore_older}}
+ignore_older: {{ignore_older}}
+{{/if}}
+{{#if language}}
+language: {{language}}
+{{/if}}
+{{#if tags.length}}
+tags:
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{/if}}
+{{#if preserve_original_event}}
+include_xml: true
+{{/if}}
+{{#if processors.length}}
+processors:
+{{processors}}
+{{/if}}
\ No newline at end of file
diff --git a/test/packages/parallel/system/data_stream/system/elasticsearch/ingest_pipeline/default.yml b/test/packages/parallel/system/data_stream/system/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 000000000..9172454fd
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/system/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,13 @@
+---
+description: Pipeline for Windows System Event Logs
+processors:
+ - set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
+ - set:
+ field: ecs.version
+ value: 8.0.0
+on_failure:
+ - set:
+ field: "error.message"
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/test/packages/parallel/system/data_stream/system/fields/agent.yml b/test/packages/parallel/system/data_stream/system/fields/agent.yml
new file mode 100644
index 000000000..da4e652c5
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/system/fields/agent.yml
@@ -0,0 +1,198 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+ type: group
+ fields:
+ - name: account.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
+
+ Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+ example: 666777888999
+ - name: availability_zone
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Availability zone in which this host is running.
+ example: us-east-1c
+ - name: instance.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance ID of the host machine.
+ example: i-1234567890abcdef0
+ - name: instance.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance name of the host machine.
+ - name: machine.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Machine type of the host machine.
+ example: t2.medium
+ - name: provider
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+ example: aws
+ - name: region
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Region in which this host is running.
+ example: us-east-1
+ - name: project.id
+ type: keyword
+ description: Name of the project in Google Cloud.
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
+- name: container
+ title: Container
+ group: 2
+ description: 'Container fields are used for meta information about the specific container that is the source of information.
+
+ These fields help correlate data based containers from any runtime.'
+ type: group
+ fields:
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique container id.
+ - name: image.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the image the container was built on.
+ - name: labels
+ level: extended
+ type: object
+ object_type: keyword
+ description: Image labels.
+ - name: name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Container name.
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: architecture
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Operating system architecture.
+ example: x86_64
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the domain of which the host is a member.
+
+ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
+ example: CONTOSO
+ default_field: false
+ - name: hostname
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Hostname of the host.
+
+ It normally contains what the `hostname` command returns on the host machine.'
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique host id.
+
+ As hostname is not always unique, use values that are meaningful in your environment.
+
+ Example: The current usage of `beat.name`.'
+ - name: ip
+ level: core
+ type: ip
+ description: Host ip addresses.
+ - name: mac
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Host mac addresses.
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the host.
+
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
+ - name: os.family
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: OS family (such as redhat, debian, freebsd, windows).
+ example: debian
+ - name: os.kernel
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system kernel version as a raw string.
+ example: 4.4.0-112-generic
+ - name: os.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Operating system name, without the version.
+ example: Mac OS X
+ - name: os.platform
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system platform (such centos, ubuntu, windows).
+ example: darwin
+ - name: os.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system version as a raw string.
+ example: 10.14.1
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Type of host.
+
+ For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
+ - name: containerized
+ type: boolean
+ description: >
+ If the host is a container.
+
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >
+ OS build information.
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
+
diff --git a/test/packages/parallel/system/data_stream/system/fields/base-fields.yml b/test/packages/parallel/system/data_stream/system/fields/base-fields.yml
new file mode 100644
index 000000000..567c816e1
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/system/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: system
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset.
+ value: system.system
diff --git a/test/packages/parallel/system/data_stream/system/fields/ecs.yml b/test/packages/parallel/system/data_stream/system/fields/ecs.yml
new file mode 100644
index 000000000..7abb6419d
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/system/fields/ecs.yml
@@ -0,0 +1,28 @@
+- external: ecs
+ name: error.message
+- external: ecs
+ name: event.action
+- external: ecs
+ name: event.category
+- external: ecs
+ name: event.code
+- external: ecs
+ name: event.created
+- external: ecs
+ name: event.ingested
+- external: ecs
+ name: event.kind
+- external: ecs
+ name: event.module
+- external: ecs
+ name: event.original
+- external: ecs
+ name: event.outcome
+- external: ecs
+ name: event.provider
+- external: ecs
+ name: event.sequence
+- external: ecs
+ name: event.type
+- external: ecs
+ name: message
diff --git a/test/packages/parallel/system/data_stream/system/fields/winlog.yml b/test/packages/parallel/system/data_stream/system/fields/winlog.yml
new file mode 100644
index 000000000..adca1bbdd
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/system/fields/winlog.yml
@@ -0,0 +1,357 @@
+- name: winlog
+ type: group
+ description: >
+ All fields specific to the Windows Event Log are defined here.
+
+ fields:
+ - name: api
+ required: true
+ type: keyword
+ description: >
+ The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs.
+
+ - name: activity_id
+ type: keyword
+ required: false
+ description: >
+ A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity.
+
+ - name: computer_name
+ type: keyword
+ required: true
+ description: >
+ The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`.
+
+ - name: event_data
+ type: object
+ object_type: keyword
+ required: false
+ description: >
+ The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows.
+
+ - name: event_data
+ type: group
+ description: >
+ This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs.
+
+ fields:
+ - name: AuthenticationPackageName
+ type: keyword
+ - name: Binary
+ type: keyword
+ - name: BitlockerUserInputTime
+ type: keyword
+ - name: BootMode
+ type: keyword
+ - name: BootType
+ type: keyword
+ - name: BuildVersion
+ type: keyword
+ - name: Company
+ type: keyword
+ - name: CorruptionActionState
+ type: keyword
+ - name: CreationUtcTime
+ type: keyword
+ - name: Description
+ type: keyword
+ - name: Detail
+ type: keyword
+ - name: DeviceName
+ type: keyword
+ - name: DeviceNameLength
+ type: keyword
+ - name: DeviceTime
+ type: keyword
+ - name: DeviceVersionMajor
+ type: keyword
+ - name: DeviceVersionMinor
+ type: keyword
+ - name: DriveName
+ type: keyword
+ - name: DriverName
+ type: keyword
+ - name: DriverNameLength
+ type: keyword
+ - name: DwordVal
+ type: keyword
+ - name: EntryCount
+ type: keyword
+ - name: ExtraInfo
+ type: keyword
+ - name: FailureName
+ type: keyword
+ - name: FailureNameLength
+ type: keyword
+ - name: FileVersion
+ type: keyword
+ - name: FinalStatus
+ type: keyword
+ - name: Group
+ type: keyword
+ - name: IdleImplementation
+ type: keyword
+ - name: IdleStateCount
+ type: keyword
+ - name: ImpersonationLevel
+ type: keyword
+ - name: IntegrityLevel
+ type: keyword
+ - name: IpAddress
+ type: keyword
+ - name: IpPort
+ type: keyword
+ - name: KeyLength
+ type: keyword
+ - name: LastBootGood
+ type: keyword
+ - name: LastShutdownGood
+ type: keyword
+ - name: LmPackageName
+ type: keyword
+ - name: LogonGuid
+ type: keyword
+ - name: LogonId
+ type: keyword
+ - name: LogonProcessName
+ type: keyword
+ - name: LogonType
+ type: keyword
+ - name: MajorVersion
+ type: keyword
+ - name: MaximumPerformancePercent
+ type: keyword
+ - name: MemberName
+ type: keyword
+ - name: MemberSid
+ type: keyword
+ - name: MinimumPerformancePercent
+ type: keyword
+ - name: MinimumThrottlePercent
+ type: keyword
+ - name: MinorVersion
+ type: keyword
+ - name: NewProcessId
+ type: keyword
+ - name: NewProcessName
+ type: keyword
+ - name: NewSchemeGuid
+ type: keyword
+ - name: NewTime
+ type: keyword
+ - name: NominalFrequency
+ type: keyword
+ - name: Number
+ type: keyword
+ - name: OldSchemeGuid
+ type: keyword
+ - name: OldTime
+ type: keyword
+ - name: OriginalFileName
+ type: keyword
+ - name: Path
+ type: keyword
+ - name: PerformanceImplementation
+ type: keyword
+ - name: PreviousCreationUtcTime
+ type: keyword
+ - name: PreviousTime
+ type: keyword
+ - name: PrivilegeList
+ type: keyword
+ - name: ProcessId
+ type: keyword
+ - name: ProcessName
+ type: keyword
+ - name: ProcessPath
+ type: keyword
+ - name: ProcessPid
+ type: keyword
+ - name: Product
+ type: keyword
+ - name: PuaCount
+ type: keyword
+ - name: PuaPolicyId
+ type: keyword
+ - name: QfeVersion
+ type: keyword
+ - name: Reason
+ type: keyword
+ - name: SchemaVersion
+ type: keyword
+ - name: ScriptBlockText
+ type: keyword
+ - name: ServiceName
+ type: keyword
+ - name: ServiceVersion
+ type: keyword
+ - name: ShutdownActionType
+ type: keyword
+ - name: ShutdownEventCode
+ type: keyword
+ - name: ShutdownReason
+ type: keyword
+ - name: Signature
+ type: keyword
+ - name: SignatureStatus
+ type: keyword
+ - name: Signed
+ type: keyword
+ - name: StartTime
+ type: keyword
+ - name: State
+ type: keyword
+ - name: Status
+ type: keyword
+ - name: StopTime
+ type: keyword
+ - name: SubjectDomainName
+ type: keyword
+ - name: SubjectLogonId
+ type: keyword
+ - name: SubjectUserName
+ type: keyword
+ - name: SubjectUserSid
+ type: keyword
+ - name: TSId
+ type: keyword
+ - name: TargetDomainName
+ type: keyword
+ - name: TargetInfo
+ type: keyword
+ - name: TargetLogonGuid
+ type: keyword
+ - name: TargetLogonId
+ type: keyword
+ - name: TargetServerName
+ type: keyword
+ - name: TargetUserName
+ type: keyword
+ - name: TargetUserSid
+ type: keyword
+ - name: TerminalSessionId
+ type: keyword
+ - name: TokenElevationType
+ type: keyword
+ - name: TransmittedServices
+ type: keyword
+ - name: UserSid
+ type: keyword
+ - name: Version
+ type: keyword
+ - name: Workstation
+ type: keyword
+ - name: param1
+ type: keyword
+ - name: param2
+ type: keyword
+ - name: param3
+ type: keyword
+ - name: param4
+ type: keyword
+ - name: param5
+ type: keyword
+ - name: param6
+ type: keyword
+ - name: param7
+ type: keyword
+ - name: param8
+ type: keyword
+ - name: event_id
+ type: keyword
+ required: true
+ description: >
+ The event identifier. The value is specific to the source of the event.
+
+ - name: keywords
+ type: keyword
+ required: false
+ description: >
+ The keywords are used to classify an event.
+
+ - name: channel
+ type: keyword
+ required: true
+ description: >
+ The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration.
+
+ - name: record_id
+ type: keyword
+ required: true
+ description: >
+ The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0.
+
+ - name: related_activity_id
+ type: keyword
+ required: false
+ description: >
+ A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier.
+
+ - name: opcode
+ type: keyword
+ required: false
+ description: >
+ The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged.
+
+ - name: provider_guid
+ type: keyword
+ required: false
+ description: >
+ A globally unique identifier that identifies the provider that logged the event.
+
+ - name: process.pid
+ type: long
+ required: false
+ description: >
+ The process_id of the Client Server Runtime Process.
+
+ - name: provider_name
+ type: keyword
+ required: true
+ description: >
+ The source of the event log record (the application or service that logged the record).
+
+ - name: task
+ type: keyword
+ required: false
+ description: >
+ The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field.
+
+ - name: process.thread.id
+ type: long
+ required: false
+ - name: user_data
+ type: object
+ object_type: keyword
+ required: false
+ description: >
+ The event specific data. This field is mutually exclusive with `event_data`.
+
+ - name: user.identifier
+ type: keyword
+ required: false
+ example: S-1-5-21-3541430928-2051711210-1391384369-1001
+ description: >
+ The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be.
+
+ - name: user.name
+ type: keyword
+ description: >
+ Name of the user associated with this event.
+
+ - name: user.domain
+ type: keyword
+ required: false
+ description: >
+ The domain that the account associated with this event is a member of.
+
+ - name: user.type
+ type: keyword
+ required: false
+ description: >
+ The type of account associated with this event.
+
+ - name: version
+ type: long
+ required: false
+ description: The version number of the event's definition.
diff --git a/test/packages/parallel/system/data_stream/system/manifest.yml b/test/packages/parallel/system/data_stream/system/manifest.yml
new file mode 100644
index 000000000..427b39c5f
--- /dev/null
+++ b/test/packages/parallel/system/data_stream/system/manifest.yml
@@ -0,0 +1,80 @@
+type: logs
+title: Windows System Events
+streams:
+ - input: winlog
+ template_path: winlog.yml.hbs
+ title: System
+ description: 'Collect Windows system logs'
+ vars:
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: >-
+ Preserves a raw copy of the original XML event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: event_id
+ type: text
+ title: Event ID
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ A list of included and excluded (blocked) event IDs. The value is a comma-separated list. The accepted values are single event IDs to include (e.g. 4624), a range of event IDs to include (e.g. 4700-4800), and single event IDs to exclude (e.g. -4735). Limit 22 clauses, lower in some situations. See integration documentation for more details.
+ - name: ignore_older
+ type: text
+ title: Ignore events older than
+ default: 72h
+ required: false
+ show_user: false
+ description: >-
+ If this option is specified, events that are older than the specified amount of time are ignored. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
+ - name: language
+ type: text
+ title: Language ID
+ description: >-
+ The language ID the events will be rendered in. The language will be forced regardless of the system language. A complete list of language IDs can be found https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lcid/a9eac961-e77d-41a6-90a5-ce1a8b0cdb9c[here]. It defaults to `0`, which indicates to use the system language. E.g.: 0x0409 for en-US
+ required: false
+ show_user: false
+ default: 0
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ show_user: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+ - input: httpjson
+ title: Windows System Events via Splunk Enterprise REST API
+ description: Collect System Events via Splunk Enterprise REST API
+ enabled: false
+ template_path: httpjson.yml.hbs
+ vars:
+ - name: interval
+ type: text
+ title: Interval to query Splunk Enterprise REST API
+ description: Go Duration syntax (eg. 10s)
+ show_user: true
+ required: true
+ default: 10s
+ - name: search
+ type: text
+ title: Splunk search string
+ show_user: false
+ required: true
+ default: "search sourcetype=\"XmlWinEventLog:System\""
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ show_user: false
+ default:
+ - forwarded
diff --git a/test/packages/parallel/system/docs/README.md b/test/packages/parallel/system/docs/README.md
new file mode 100644
index 000000000..1606a3aac
--- /dev/null
+++ b/test/packages/parallel/system/docs/README.md
@@ -0,0 +1,1412 @@
+# System Integration
+
+The System integration allows you to monitor servers, personal computers, and more.
+
+Use the System integration to collect metrics and logs from your machines.
+Then visualize that data in Kibana, create alerts to notify you if something goes wrong,
+and reference data when troubleshooting an issue.
+
+For example, if you wanted to be notified when less than 10% of the disk space is still available, you
+could install the System integration to send file system metrics to Elastic.
+Then, you could view real-time updates to disk space used on your system in Kibana's _[Metrics System] Overview_ dashboard.
+You could also set up a new rule in the Elastic Observability Metrics app to alert you when the percent free is
+less than 10% of the total disk space.
+
+## Data streams
+
+The System integration collects two types of data: logs and metrics.
+
+**Logs** help you keep a record of events that happen on your machine.
+Log data streams collected by the System integration include application, system, and security events on
+machines running Windows and auth and syslog events on machines running macOS or Linux.
+See more details in the [Logs reference](#logs-reference).
+
+**Metrics** give you insight into the state of the machine.
+Metric data streams collected by the System integration include CPU usage, load statistics, memory usage,
+information on network behavior, and more.
+See more details in the [Metrics reference](#metrics-reference).
+
+You can enable and disable individual data streams. If _all_ data streams are disabled and the System integration
+is still enabled, Fleet uses the default data streams.
+
+## Requirements
+
+You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it.
+You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your own hardware.
+
+Each data stream collects different kinds of metric data, which may require dedicated permissions
+to be fetched and which may vary across operating systems.
+Details on the permissions needed for each data stream are available in the [Metrics reference](#metrics-reference).
+
+## Setup
+
+For step-by-step instructions on how to set up an integration, see the
+[Getting started](https://www.elastic.co/guide/en/welcome-to-elastic/current/getting-started-observability.html) guide.
+
+## Troubleshooting
+
+Note that certain data streams may access `/proc` to gather process information,
+and the resulting `ptrace_may_access()` call by the kernel to check for
+permissions can be blocked by
+[AppArmor and other LSM software](https://gitlab.com/apparmor/apparmor/wikis/TechnicalDoc_Proc_and_ptrace), even though the System module doesn't use `ptrace` directly.
+
+In addition, when running inside a container the proc filesystem directory of the host
+should be set using `system.hostfs` setting to `/hostfs`.
+
+### Windows Event ID clause limit
+
+If you specify more than 22 query conditions (event IDs or event ID ranges), some
+versions of Windows will prevent the integration from reading the event log due to
+limits in the query system. If this occurs, a similar warning as shown below:
+
+```
+The specified query is invalid.
+```
+
+In some cases, the limit may be lower than 22 conditions. For instance, using a
+mixture of ranges and single event IDs, along with an additional parameter such
+as `ignore older`, results in a limit of 21 conditions.
+
+If you have more than 22 conditions, you can work around this Windows limitation
+by using a drop_event processor to do the filtering after filebeat has received
+the events from Windows. The filter shown below is equivalent to
+`event_id: 903, 1024, 2000-2004, 4624` but can be expanded beyond 22 event IDs.
+
+```yaml
+- drop_event.when.not.or:
+ - equals.winlog.event_id: "903"
+ - equals.winlog.event_id: "1024"
+ - equals.winlog.event_id: "4624"
+ - range:
+ winlog.event_id.gte: 2000
+ winlog.event_id.lte: 2004
+```
+
+## Logs reference
+
+### Application
+
+The Windows `application` data stream provides events from the Windows
+`Application` event log.
+
+#### Supported operating systems
+
+- Windows
+
+**Exported fields**
+
+(no fields available)
+
+
+### System
+
+The Windows `system` data stream provides events from the Windows `System`
+event log.
+
+#### Supported operating systems
+
+- Windows
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host is running. | keyword |
+| container.id | Unique container id. | keyword |
+| container.image.name | Name of the image the container was built on. | keyword |
+| container.labels | Image labels. | object |
+| container.name | Container name. | keyword |
+| data_stream.dataset | Data stream dataset. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| error.message | Error message. | match_only_text |
+| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
+| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
+| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |
+| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.dataset | Event dataset. | constant_keyword |
+| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword |
+| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
+| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
+| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword |
+| event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long |
+| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
+| host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. | boolean |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host mac addresses. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
+| winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword |
+| winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. | keyword |
+| winlog.channel | The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. | keyword |
+| winlog.computer_name | The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. | keyword |
+| winlog.event_data | The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. | object |
+| winlog.event_data.AuthenticationPackageName | | keyword |
+| winlog.event_data.Binary | | keyword |
+| winlog.event_data.BitlockerUserInputTime | | keyword |
+| winlog.event_data.BootMode | | keyword |
+| winlog.event_data.BootType | | keyword |
+| winlog.event_data.BuildVersion | | keyword |
+| winlog.event_data.Company | | keyword |
+| winlog.event_data.CorruptionActionState | | keyword |
+| winlog.event_data.CreationUtcTime | | keyword |
+| winlog.event_data.Description | | keyword |
+| winlog.event_data.Detail | | keyword |
+| winlog.event_data.DeviceName | | keyword |
+| winlog.event_data.DeviceNameLength | | keyword |
+| winlog.event_data.DeviceTime | | keyword |
+| winlog.event_data.DeviceVersionMajor | | keyword |
+| winlog.event_data.DeviceVersionMinor | | keyword |
+| winlog.event_data.DriveName | | keyword |
+| winlog.event_data.DriverName | | keyword |
+| winlog.event_data.DriverNameLength | | keyword |
+| winlog.event_data.DwordVal | | keyword |
+| winlog.event_data.EntryCount | | keyword |
+| winlog.event_data.ExtraInfo | | keyword |
+| winlog.event_data.FailureName | | keyword |
+| winlog.event_data.FailureNameLength | | keyword |
+| winlog.event_data.FileVersion | | keyword |
+| winlog.event_data.FinalStatus | | keyword |
+| winlog.event_data.Group | | keyword |
+| winlog.event_data.IdleImplementation | | keyword |
+| winlog.event_data.IdleStateCount | | keyword |
+| winlog.event_data.ImpersonationLevel | | keyword |
+| winlog.event_data.IntegrityLevel | | keyword |
+| winlog.event_data.IpAddress | | keyword |
+| winlog.event_data.IpPort | | keyword |
+| winlog.event_data.KeyLength | | keyword |
+| winlog.event_data.LastBootGood | | keyword |
+| winlog.event_data.LastShutdownGood | | keyword |
+| winlog.event_data.LmPackageName | | keyword |
+| winlog.event_data.LogonGuid | | keyword |
+| winlog.event_data.LogonId | | keyword |
+| winlog.event_data.LogonProcessName | | keyword |
+| winlog.event_data.LogonType | | keyword |
+| winlog.event_data.MajorVersion | | keyword |
+| winlog.event_data.MaximumPerformancePercent | | keyword |
+| winlog.event_data.MemberName | | keyword |
+| winlog.event_data.MemberSid | | keyword |
+| winlog.event_data.MinimumPerformancePercent | | keyword |
+| winlog.event_data.MinimumThrottlePercent | | keyword |
+| winlog.event_data.MinorVersion | | keyword |
+| winlog.event_data.NewProcessId | | keyword |
+| winlog.event_data.NewProcessName | | keyword |
+| winlog.event_data.NewSchemeGuid | | keyword |
+| winlog.event_data.NewTime | | keyword |
+| winlog.event_data.NominalFrequency | | keyword |
+| winlog.event_data.Number | | keyword |
+| winlog.event_data.OldSchemeGuid | | keyword |
+| winlog.event_data.OldTime | | keyword |
+| winlog.event_data.OriginalFileName | | keyword |
+| winlog.event_data.Path | | keyword |
+| winlog.event_data.PerformanceImplementation | | keyword |
+| winlog.event_data.PreviousCreationUtcTime | | keyword |
+| winlog.event_data.PreviousTime | | keyword |
+| winlog.event_data.PrivilegeList | | keyword |
+| winlog.event_data.ProcessId | | keyword |
+| winlog.event_data.ProcessName | | keyword |
+| winlog.event_data.ProcessPath | | keyword |
+| winlog.event_data.ProcessPid | | keyword |
+| winlog.event_data.Product | | keyword |
+| winlog.event_data.PuaCount | | keyword |
+| winlog.event_data.PuaPolicyId | | keyword |
+| winlog.event_data.QfeVersion | | keyword |
+| winlog.event_data.Reason | | keyword |
+| winlog.event_data.SchemaVersion | | keyword |
+| winlog.event_data.ScriptBlockText | | keyword |
+| winlog.event_data.ServiceName | | keyword |
+| winlog.event_data.ServiceVersion | | keyword |
+| winlog.event_data.ShutdownActionType | | keyword |
+| winlog.event_data.ShutdownEventCode | | keyword |
+| winlog.event_data.ShutdownReason | | keyword |
+| winlog.event_data.Signature | | keyword |
+| winlog.event_data.SignatureStatus | | keyword |
+| winlog.event_data.Signed | | keyword |
+| winlog.event_data.StartTime | | keyword |
+| winlog.event_data.State | | keyword |
+| winlog.event_data.Status | | keyword |
+| winlog.event_data.StopTime | | keyword |
+| winlog.event_data.SubjectDomainName | | keyword |
+| winlog.event_data.SubjectLogonId | | keyword |
+| winlog.event_data.SubjectUserName | | keyword |
+| winlog.event_data.SubjectUserSid | | keyword |
+| winlog.event_data.TSId | | keyword |
+| winlog.event_data.TargetDomainName | | keyword |
+| winlog.event_data.TargetInfo | | keyword |
+| winlog.event_data.TargetLogonGuid | | keyword |
+| winlog.event_data.TargetLogonId | | keyword |
+| winlog.event_data.TargetServerName | | keyword |
+| winlog.event_data.TargetUserName | | keyword |
+| winlog.event_data.TargetUserSid | | keyword |
+| winlog.event_data.TerminalSessionId | | keyword |
+| winlog.event_data.TokenElevationType | | keyword |
+| winlog.event_data.TransmittedServices | | keyword |
+| winlog.event_data.UserSid | | keyword |
+| winlog.event_data.Version | | keyword |
+| winlog.event_data.Workstation | | keyword |
+| winlog.event_data.param1 | | keyword |
+| winlog.event_data.param2 | | keyword |
+| winlog.event_data.param3 | | keyword |
+| winlog.event_data.param4 | | keyword |
+| winlog.event_data.param5 | | keyword |
+| winlog.event_data.param6 | | keyword |
+| winlog.event_data.param7 | | keyword |
+| winlog.event_data.param8 | | keyword |
+| winlog.event_id | The event identifier. The value is specific to the source of the event. | keyword |
+| winlog.keywords | The keywords are used to classify an event. | keyword |
+| winlog.opcode | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. | keyword |
+| winlog.process.pid | The process_id of the Client Server Runtime Process. | long |
+| winlog.process.thread.id | | long |
+| winlog.provider_guid | A globally unique identifier that identifies the provider that logged the event. | keyword |
+| winlog.provider_name | The source of the event log record (the application or service that logged the record). | keyword |
+| winlog.record_id | The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. | keyword |
+| winlog.related_activity_id | A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. | keyword |
+| winlog.task | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. | keyword |
+| winlog.user.domain | The domain that the account associated with this event is a member of. | keyword |
+| winlog.user.identifier | The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. | keyword |
+| winlog.user.name | Name of the user associated with this event. | keyword |
+| winlog.user.type | The type of account associated with this event. | keyword |
+| winlog.user_data | The event specific data. This field is mutually exclusive with `event_data`. | object |
+| winlog.version | The version number of the event's definition. | long |
+
+
+
+### Security
+
+The Windows `security` data stream provides events from the Windows
+`Security` event log.
+
+#### Supported operating systems
+
+- Windows
+
+An example event for `security` looks as following:
+
+```json
+{
+ "@timestamp": "2019-11-07T10:37:04.226Z",
+ "agent": {
+ "ephemeral_id": "aa973fb6-b8fe-427e-a9e9-51c411926db8",
+ "id": "dbc761fd-dec4-4bc7-acec-8e5cb02a0cb6",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.2.1"
+ },
+ "data_stream": {
+ "dataset": "system.security",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "elastic_agent": {
+ "id": "dbc761fd-dec4-4bc7-acec-8e5cb02a0cb6",
+ "snapshot": true,
+ "version": "8.2.1"
+ },
+ "event": {
+ "action": "logging-service-shutdown",
+ "agent_id_status": "verified",
+ "category": [
+ "process"
+ ],
+ "code": "1100",
+ "created": "2022-05-18T06:07:07.204Z",
+ "dataset": "system.security",
+ "ingested": "2022-05-18T06:07:08Z",
+ "kind": "event",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Eventlog' Guid='{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}'/\u003e\u003cEventID\u003e1100\u003c/EventID\u003e\u003cVersion\u003e0\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e103\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x4020000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-11-07T10:37:04.226092500Z'/\u003e\u003cEventRecordID\u003e14257\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='1144' ThreadID='4532'/\u003e\u003cChannel\u003eSecurity\u003c/Channel\u003e\u003cComputer\u003eWIN-41OB2LO92CR.wlbeat.local\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cUserData\u003e\u003cServiceShutdown xmlns='http://manifests.microsoft.com/win/2004/08/windows/eventlog'\u003e\u003c/ServiceShutdown\u003e\u003c/UserData\u003e\u003c/Event\u003e",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Eventlog",
+ "type": [
+ "end"
+ ]
+ },
+ "host": {
+ "name": "WIN-41OB2LO92CR.wlbeat.local"
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "log": {
+ "level": "information"
+ },
+ "tags": [
+ "forwarded",
+ "preserve_original_event"
+ ],
+ "winlog": {
+ "channel": "Security",
+ "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
+ "event_id": "1100",
+ "keywords": [
+ "Audit Success"
+ ],
+ "level": "information",
+ "opcode": "Info",
+ "outcome": "success",
+ "process": {
+ "pid": 1144,
+ "thread": {
+ "id": 4532
+ }
+ },
+ "provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}",
+ "provider_name": "Microsoft-Windows-Eventlog",
+ "record_id": "14257",
+ "time_created": "2019-11-07T10:37:04.226Z"
+ }
+}
+```
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host is running. | keyword |
+| container.id | Unique container id. | keyword |
+| container.image.name | Name of the image the container was built on. | keyword |
+| container.labels | Image labels. | object |
+| container.name | Container name. | keyword |
+| data_stream.dataset | Data stream dataset name. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| error.code | Error code describing the error. | keyword |
+| error.message | Error message. | match_only_text |
+| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
+| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
+| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |
+| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.dataset | Event dataset. | constant_keyword |
+| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword |
+| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
+| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
+| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword |
+| event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long |
+| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
+| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword |
+| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
+| file.name | Name of the file including the extension, without the directory. | keyword |
+| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
+| file.path.text | Multi-field of `file.path`. | match_only_text |
+| file.target_path | Target path for symlinks. | keyword |
+| file.target_path.text | Multi-field of `file.target_path`. | match_only_text |
+| group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| group.id | Unique identifier for the group on the system/platform. | keyword |
+| group.name | Name of the group. | keyword |
+| host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. | boolean |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host mac addresses. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| input.type | Type of Filebeat input. | keyword |
+| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
+| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
+| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
+| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword |
+| process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long |
+| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
+| process.command_line.text | Multi-field of `process.command_line`. | match_only_text |
+| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
+| process.executable | Absolute path to the process executable. | keyword |
+| process.executable.text | Multi-field of `process.executable`. | match_only_text |
+| process.name | Process name. Sometimes called program name or similar. | keyword |
+| process.name.text | Multi-field of `process.name`. | match_only_text |
+| process.parent.executable | Absolute path to the process executable. | keyword |
+| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text |
+| process.parent.name | Process name. Sometimes called program name or similar. | keyword |
+| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text |
+| process.parent.pid | Process id. | long |
+| process.pid | Process id. | long |
+| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
+| process.title.text | Multi-field of `process.title`. | match_only_text |
+| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
+| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
+| related.ip | All of the IPs seen on your event. | ip |
+| related.user | All the user names or other user identifiers seen on the event. | keyword |
+| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword |
+| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
+| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| source.as.organization.name | Organization name. | keyword |
+| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
+| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
+| source.geo.city_name | City name. | keyword |
+| source.geo.continent_name | Name of the continent. | keyword |
+| source.geo.country_iso_code | Country ISO code. | keyword |
+| source.geo.country_name | Country name. | keyword |
+| source.geo.location | Longitude and latitude. | geo_point |
+| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| source.geo.region_iso_code | Region ISO code. | keyword |
+| source.geo.region_name | Region name. | keyword |
+| source.ip | IP address of the source (IPv4 or IPv6). | ip |
+| source.port | Port of the source. | long |
+| tags | List of keywords used to tag each event. | keyword |
+| user.changes.name | Short name or login of the user. | keyword |
+| user.changes.name.text | Multi-field of `user.changes.name`. | match_only_text |
+| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| user.effective.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| user.effective.id | Unique identifier of the user. | keyword |
+| user.effective.name | Short name or login of the user. | keyword |
+| user.effective.name.text | Multi-field of `user.effective.name`. | match_only_text |
+| user.id | Unique identifier of the user. | keyword |
+| user.name | Short name or login of the user. | keyword |
+| user.name.text | Multi-field of `user.name`. | match_only_text |
+| user.target.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| user.target.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| user.target.group.id | Unique identifier for the group on the system/platform. | keyword |
+| user.target.group.name | Name of the group. | keyword |
+| user.target.id | Unique identifier of the user. | keyword |
+| user.target.name | Short name or login of the user. | keyword |
+| user.target.name.text | Multi-field of `user.target.name`. | match_only_text |
+| winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword |
+| winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. | keyword |
+| winlog.channel | The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. | keyword |
+| winlog.computerObject.domain | | keyword |
+| winlog.computerObject.id | | keyword |
+| winlog.computerObject.name | | keyword |
+| winlog.computer_name | The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. | keyword |
+| winlog.event_data | The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. | object |
+| winlog.event_data.AccessGranted | | keyword |
+| winlog.event_data.AccessList | | keyword |
+| winlog.event_data.AccessListDescription | | keyword |
+| winlog.event_data.AccessMask | | keyword |
+| winlog.event_data.AccessMaskDescription | | keyword |
+| winlog.event_data.AccessReason | | keyword |
+| winlog.event_data.AccessRemoved | | keyword |
+| winlog.event_data.AccountDomain | | keyword |
+| winlog.event_data.AccountExpires | | keyword |
+| winlog.event_data.AccountName | | keyword |
+| winlog.event_data.AllowedToDelegateTo | | keyword |
+| winlog.event_data.AuditPolicyChanges | | keyword |
+| winlog.event_data.AuditPolicyChangesDescription | | keyword |
+| winlog.event_data.AuditSourceName | | keyword |
+| winlog.event_data.AuthenticationPackageName | | keyword |
+| winlog.event_data.Binary | | keyword |
+| winlog.event_data.BitlockerUserInputTime | | keyword |
+| winlog.event_data.BootMode | | keyword |
+| winlog.event_data.BootType | | keyword |
+| winlog.event_data.BuildVersion | | keyword |
+| winlog.event_data.CallerProcessId | | keyword |
+| winlog.event_data.CallerProcessName | | keyword |
+| winlog.event_data.Category | | keyword |
+| winlog.event_data.CategoryId | | keyword |
+| winlog.event_data.ClientAddress | | keyword |
+| winlog.event_data.ClientName | | keyword |
+| winlog.event_data.ClientProcessId | | keyword |
+| winlog.event_data.CommandLine | | keyword |
+| winlog.event_data.Company | | keyword |
+| winlog.event_data.ComputerAccountChange | | keyword |
+| winlog.event_data.CorruptionActionState | | keyword |
+| winlog.event_data.CountOfCredentialsReturned | | keyword |
+| winlog.event_data.CrashOnAuditFailValue | | keyword |
+| winlog.event_data.CreationUtcTime | | keyword |
+| winlog.event_data.Description | | keyword |
+| winlog.event_data.Detail | | keyword |
+| winlog.event_data.DeviceName | | keyword |
+| winlog.event_data.DeviceNameLength | | keyword |
+| winlog.event_data.DeviceTime | | keyword |
+| winlog.event_data.DeviceVersionMajor | | keyword |
+| winlog.event_data.DeviceVersionMinor | | keyword |
+| winlog.event_data.DisplayName | | keyword |
+| winlog.event_data.DnsHostName | | keyword |
+| winlog.event_data.DomainBehaviorVersion | | keyword |
+| winlog.event_data.DomainName | | keyword |
+| winlog.event_data.DomainPolicyChanged | | keyword |
+| winlog.event_data.DomainSid | | keyword |
+| winlog.event_data.DriveName | | keyword |
+| winlog.event_data.DriverName | | keyword |
+| winlog.event_data.DriverNameLength | | keyword |
+| winlog.event_data.Dummy | | keyword |
+| winlog.event_data.DwordVal | | keyword |
+| winlog.event_data.EntryCount | | keyword |
+| winlog.event_data.EventSourceId | | keyword |
+| winlog.event_data.ExtraInfo | | keyword |
+| winlog.event_data.FailureName | | keyword |
+| winlog.event_data.FailureNameLength | | keyword |
+| winlog.event_data.FailureReason | | keyword |
+| winlog.event_data.FileVersion | | keyword |
+| winlog.event_data.FinalStatus | | keyword |
+| winlog.event_data.Flags | | keyword |
+| winlog.event_data.Group | | keyword |
+| winlog.event_data.GroupTypeChange | | keyword |
+| winlog.event_data.HandleId | | keyword |
+| winlog.event_data.HomeDirectory | | keyword |
+| winlog.event_data.HomePath | | keyword |
+| winlog.event_data.Identity | | keyword |
+| winlog.event_data.IdleImplementation | | keyword |
+| winlog.event_data.IdleStateCount | | keyword |
+| winlog.event_data.ImpersonationLevel | | keyword |
+| winlog.event_data.IntegrityLevel | | keyword |
+| winlog.event_data.IpAddress | | keyword |
+| winlog.event_data.IpPort | | keyword |
+| winlog.event_data.KerberosPolicyChange | | keyword |
+| winlog.event_data.KeyLength | | keyword |
+| winlog.event_data.LastBootGood | | keyword |
+| winlog.event_data.LastShutdownGood | | keyword |
+| winlog.event_data.LmPackageName | | keyword |
+| winlog.event_data.LogonGuid | | keyword |
+| winlog.event_data.LogonHours | | keyword |
+| winlog.event_data.LogonID | | keyword |
+| winlog.event_data.LogonId | | keyword |
+| winlog.event_data.LogonProcessName | | keyword |
+| winlog.event_data.LogonType | | keyword |
+| winlog.event_data.MachineAccountQuota | | keyword |
+| winlog.event_data.MajorVersion | | keyword |
+| winlog.event_data.MandatoryLabel | | keyword |
+| winlog.event_data.MaximumPerformancePercent | | keyword |
+| winlog.event_data.MemberName | | keyword |
+| winlog.event_data.MemberSid | | keyword |
+| winlog.event_data.MinimumPerformancePercent | | keyword |
+| winlog.event_data.MinimumThrottlePercent | | keyword |
+| winlog.event_data.MinorVersion | | keyword |
+| winlog.event_data.MixedDomainMode | | keyword |
+| winlog.event_data.NewProcessId | | keyword |
+| winlog.event_data.NewProcessName | | keyword |
+| winlog.event_data.NewSchemeGuid | | keyword |
+| winlog.event_data.NewSd | | keyword |
+| winlog.event_data.NewSdDacl0 | | keyword |
+| winlog.event_data.NewSdDacl1 | | keyword |
+| winlog.event_data.NewSdDacl2 | | keyword |
+| winlog.event_data.NewSdSacl0 | | keyword |
+| winlog.event_data.NewSdSacl1 | | keyword |
+| winlog.event_data.NewSdSacl2 | | keyword |
+| winlog.event_data.NewTargetUserName | | keyword |
+| winlog.event_data.NewTime | | keyword |
+| winlog.event_data.NewUACList | | keyword |
+| winlog.event_data.NewUacValue | | keyword |
+| winlog.event_data.NominalFrequency | | keyword |
+| winlog.event_data.Number | | keyword |
+| winlog.event_data.ObjectName | | keyword |
+| winlog.event_data.ObjectServer | | keyword |
+| winlog.event_data.ObjectType | | keyword |
+| winlog.event_data.OemInformation | | keyword |
+| winlog.event_data.OldSchemeGuid | | keyword |
+| winlog.event_data.OldSd | | keyword |
+| winlog.event_data.OldSdDacl0 | | keyword |
+| winlog.event_data.OldSdDacl1 | | keyword |
+| winlog.event_data.OldSdDacl2 | | keyword |
+| winlog.event_data.OldSdSacl0 | | keyword |
+| winlog.event_data.OldSdSacl1 | | keyword |
+| winlog.event_data.OldSdSacl2 | | keyword |
+| winlog.event_data.OldTargetUserName | | keyword |
+| winlog.event_data.OldTime | | keyword |
+| winlog.event_data.OldUacValue | | keyword |
+| winlog.event_data.OriginalFileName | | keyword |
+| winlog.event_data.PackageName | | keyword |
+| winlog.event_data.ParentProcessName | | keyword |
+| winlog.event_data.PasswordHistoryLength | | keyword |
+| winlog.event_data.PasswordLastSet | | keyword |
+| winlog.event_data.Path | | keyword |
+| winlog.event_data.PerformanceImplementation | | keyword |
+| winlog.event_data.PreAuthType | | keyword |
+| winlog.event_data.PreviousCreationUtcTime | | keyword |
+| winlog.event_data.PreviousTime | | keyword |
+| winlog.event_data.PrimaryGroupId | | keyword |
+| winlog.event_data.PrivilegeList | | keyword |
+| winlog.event_data.ProcessCreationTime | | keyword |
+| winlog.event_data.ProcessId | | keyword |
+| winlog.event_data.ProcessName | | keyword |
+| winlog.event_data.ProcessPath | | keyword |
+| winlog.event_data.ProcessPid | | keyword |
+| winlog.event_data.Product | | keyword |
+| winlog.event_data.ProfilePath | | keyword |
+| winlog.event_data.PuaCount | | keyword |
+| winlog.event_data.PuaPolicyId | | keyword |
+| winlog.event_data.QfeVersion | | keyword |
+| winlog.event_data.ReadOperation | | keyword |
+| winlog.event_data.Reason | | keyword |
+| winlog.event_data.RelativeTargetName | | keyword |
+| winlog.event_data.Resource | | keyword |
+| winlog.event_data.ResourceAttributes | | keyword |
+| winlog.event_data.ReturnCode | | keyword |
+| winlog.event_data.SamAccountName | | keyword |
+| winlog.event_data.Schema | | keyword |
+| winlog.event_data.SchemaFriendlyName | | keyword |
+| winlog.event_data.SchemaVersion | | keyword |
+| winlog.event_data.ScriptBlockText | | keyword |
+| winlog.event_data.ScriptPath | | keyword |
+| winlog.event_data.SearchString | | keyword |
+| winlog.event_data.Service | | keyword |
+| winlog.event_data.ServiceAccount | | keyword |
+| winlog.event_data.ServiceFileName | | keyword |
+| winlog.event_data.ServiceName | | keyword |
+| winlog.event_data.ServicePrincipalNames | | keyword |
+| winlog.event_data.ServiceSid | | keyword |
+| winlog.event_data.ServiceStartType | | keyword |
+| winlog.event_data.ServiceType | | keyword |
+| winlog.event_data.ServiceVersion | | keyword |
+| winlog.event_data.SessionName | | keyword |
+| winlog.event_data.ShareLocalPath | | keyword |
+| winlog.event_data.ShareName | | keyword |
+| winlog.event_data.ShutdownActionType | | keyword |
+| winlog.event_data.ShutdownEventCode | | keyword |
+| winlog.event_data.ShutdownReason | | keyword |
+| winlog.event_data.SidFilteringEnabled | | keyword |
+| winlog.event_data.SidHistory | | keyword |
+| winlog.event_data.Signature | | keyword |
+| winlog.event_data.SignatureStatus | | keyword |
+| winlog.event_data.Signed | | keyword |
+| winlog.event_data.StartTime | | keyword |
+| winlog.event_data.State | | keyword |
+| winlog.event_data.Status | | keyword |
+| winlog.event_data.StatusDescription | | keyword |
+| winlog.event_data.StopTime | | keyword |
+| winlog.event_data.SubCategory | | keyword |
+| winlog.event_data.SubCategoryGuid | | keyword |
+| winlog.event_data.SubCategoryId | | keyword |
+| winlog.event_data.SubStatus | | keyword |
+| winlog.event_data.SubcategoryGuid | | keyword |
+| winlog.event_data.SubcategoryId | | keyword |
+| winlog.event_data.SubjectDomainName | | keyword |
+| winlog.event_data.SubjectLogonId | | keyword |
+| winlog.event_data.SubjectUserName | | keyword |
+| winlog.event_data.SubjectUserSid | | keyword |
+| winlog.event_data.TSId | | keyword |
+| winlog.event_data.TargetDomainName | | keyword |
+| winlog.event_data.TargetInfo | | keyword |
+| winlog.event_data.TargetLogonGuid | | keyword |
+| winlog.event_data.TargetLogonId | | keyword |
+| winlog.event_data.TargetName | | keyword |
+| winlog.event_data.TargetServerName | | keyword |
+| winlog.event_data.TargetSid | | keyword |
+| winlog.event_data.TargetUserName | | keyword |
+| winlog.event_data.TargetUserSid | | keyword |
+| winlog.event_data.TdoAttributes | | keyword |
+| winlog.event_data.TdoDirection | | keyword |
+| winlog.event_data.TdoType | | keyword |
+| winlog.event_data.TerminalSessionId | | keyword |
+| winlog.event_data.TicketEncryptionType | | keyword |
+| winlog.event_data.TicketEncryptionTypeDescription | | keyword |
+| winlog.event_data.TicketOptions | | keyword |
+| winlog.event_data.TicketOptionsDescription | | keyword |
+| winlog.event_data.TokenElevationType | | keyword |
+| winlog.event_data.TransmittedServices | | keyword |
+| winlog.event_data.Type | | keyword |
+| winlog.event_data.UserAccountControl | | keyword |
+| winlog.event_data.UserParameters | | keyword |
+| winlog.event_data.UserPrincipalName | | keyword |
+| winlog.event_data.UserSid | | keyword |
+| winlog.event_data.UserWorkstations | | keyword |
+| winlog.event_data.Version | | keyword |
+| winlog.event_data.Workstation | | keyword |
+| winlog.event_data.WorkstationName | | keyword |
+| winlog.event_data.param1 | | keyword |
+| winlog.event_data.param2 | | keyword |
+| winlog.event_data.param3 | | keyword |
+| winlog.event_data.param4 | | keyword |
+| winlog.event_data.param5 | | keyword |
+| winlog.event_data.param6 | | keyword |
+| winlog.event_data.param7 | | keyword |
+| winlog.event_data.param8 | | keyword |
+| winlog.event_id | The event identifier. The value is specific to the source of the event. | keyword |
+| winlog.keywords | The keywords are used to classify an event. | keyword |
+| winlog.level | The event severity. Levels are Critical, Error, Warning and Information, Verbose | keyword |
+| winlog.logon.failure.reason | The reason the logon failed. | keyword |
+| winlog.logon.failure.status | The reason the logon failed. This is textual description based on the value of the hexadecimal `Status` field. | keyword |
+| winlog.logon.failure.sub_status | Additional information about the logon failure. This is a textual description based on the value of the hexidecimal `SubStatus` field. | keyword |
+| winlog.logon.id | Logon ID that can be used to associate this logon with other events related to the same logon session. | keyword |
+| winlog.logon.type | Logon type name. This is the descriptive version of the `winlog.event_data.LogonType` ordinal. This is an enrichment added by the Security module. | keyword |
+| winlog.opcode | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. | keyword |
+| winlog.outcome | Success or Failure of the event. | keyword |
+| winlog.process.pid | The process_id of the Client Server Runtime Process. | long |
+| winlog.process.thread.id | | long |
+| winlog.provider_guid | A globally unique identifier that identifies the provider that logged the event. | keyword |
+| winlog.provider_name | The source of the event log record (the application or service that logged the record). | keyword |
+| winlog.record_id | The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. | keyword |
+| winlog.related_activity_id | A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. | keyword |
+| winlog.task | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. | keyword |
+| winlog.time_created | Time event was created | date |
+| winlog.trustAttribute | | keyword |
+| winlog.trustDirection | | keyword |
+| winlog.trustType | | keyword |
+| winlog.user.domain | The domain that the account associated with this event is a member of. | keyword |
+| winlog.user.identifier | The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. | keyword |
+| winlog.user.name | Name of the user associated with this event. | keyword |
+| winlog.user.type | The type of account associated with this event. | keyword |
+| winlog.user_data | The event specific data. This field is mutually exclusive with `event_data`. | object |
+| winlog.user_data.BackupPath | | keyword |
+| winlog.user_data.Channel | | keyword |
+| winlog.user_data.SubjectDomainName | | keyword |
+| winlog.user_data.SubjectLogonId | | keyword |
+| winlog.user_data.SubjectUserName | | keyword |
+| winlog.user_data.SubjectUserSid | | keyword |
+| winlog.user_data.xml_name | | keyword |
+| winlog.version | The version number of the event's definition. | long |
+
+
+### Auth
+
+The `auth` data stream provides auth logs.
+
+#### Supported operating systems
+
+- macOS prior to 10.8
+- Linux
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host is running. | keyword |
+| container.id | Unique container id. | keyword |
+| container.image.name | Name of the image the container was built on. | keyword |
+| container.labels | Image labels. | object |
+| container.name | Container name. | keyword |
+| data_stream.dataset | Data stream dataset. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| error.message | Error message. | match_only_text |
+| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
+| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
+| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |
+| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.dataset | Event dataset. | constant_keyword |
+| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword |
+| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
+| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
+| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword |
+| event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long |
+| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
+| group.id | Unique identifier for the group on the system/platform. | keyword |
+| group.name | Name of the group. | keyword |
+| host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. | boolean |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.full | Operating system name, including the version or code name. | keyword |
+| host.os.full.text | Multi-field of `host.os.full`. | match_only_text |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
+| process.name | Process name. Sometimes called program name or similar. | keyword |
+| process.name.text | Multi-field of `process.name`. | match_only_text |
+| process.pid | Process id. | long |
+| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
+| related.ip | All of the IPs seen on your event. | ip |
+| related.user | All the user names or other user identifiers seen on the event. | keyword |
+| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| source.as.organization.name | Organization name. | keyword |
+| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
+| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
+| source.geo.city_name | City name. | keyword |
+| source.geo.continent_name | Name of the continent. | keyword |
+| source.geo.country_iso_code | Country ISO code. | keyword |
+| source.geo.country_name | Country name. | keyword |
+| source.geo.location | Longitude and latitude. | geo_point |
+| source.geo.region_iso_code | Region ISO code. | keyword |
+| source.geo.region_name | Region name. | keyword |
+| source.ip | IP address of the source (IPv4 or IPv6). | ip |
+| source.port | Port of the source. | long |
+| system.auth.ssh.dropped_ip | The client IP from SSH connections that are open and immediately dropped. | ip |
+| system.auth.ssh.event | The SSH event as found in the logs (Accepted, Invalid, Failed, etc.) | keyword |
+| system.auth.ssh.method | The SSH authentication method. Can be one of "password" or "publickey". | keyword |
+| system.auth.ssh.signature | The signature of the client public key. | keyword |
+| system.auth.sudo.command | The command executed via sudo. | keyword |
+| system.auth.sudo.error | The error message in case the sudo command failed. | keyword |
+| system.auth.sudo.pwd | The current directory where the sudo command is executed. | keyword |
+| system.auth.sudo.tty | The TTY where the sudo command is executed. | keyword |
+| system.auth.sudo.user | The target user to which the sudo command is switching. | keyword |
+| system.auth.useradd.home | The home folder for the new user. | keyword |
+| system.auth.useradd.shell | The default shell for the new user. | keyword |
+| user.effective.name | Short name or login of the user. | keyword |
+| user.effective.name.text | Multi-field of `user.effective.name`. | match_only_text |
+| user.id | Unique identifier of the user. | keyword |
+| user.name | Short name or login of the user. | keyword |
+| user.name.text | Multi-field of `user.name`. | match_only_text |
+| version | Operating system version as a raw string. | keyword |
+
+
+### syslog
+
+The `syslog` data stream provides system logs.
+
+#### Supported operating systems
+
+- macOS
+- Linux
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host is running. | keyword |
+| container.id | Unique container id. | keyword |
+| container.image.name | Name of the image the container was built on. | keyword |
+| container.labels | Image labels. | object |
+| container.name | Container name. | keyword |
+| data_stream.dataset | Data stream dataset. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
+| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
+| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |
+| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.dataset | Event dataset. | constant_keyword |
+| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.module | Event module | constant_keyword |
+| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
+| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword |
+| event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long |
+| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
+| host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. | boolean |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.full | Operating system name, including the version or code name. | keyword |
+| host.os.full.text | Multi-field of `host.os.full`. | match_only_text |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
+| process.name | Process name. Sometimes called program name or similar. | keyword |
+| process.name.text | Multi-field of `process.name`. | match_only_text |
+| process.pid | Process id. | long |
+
+
+## Metrics reference
+
+### Core
+
+The System `core` data stream provides usage statistics for each CPU core.
+
+#### Supported operating systems
+
+- FreeBSD
+- Linux
+- macOS
+- OpenBSD
+- Windows
+
+#### Permissions
+
+This data should be available without elevated permissions.
+
+**Exported fields**
+
+(no fields available)
+
+
+### CPU
+
+The System `cpu` data stream provides CPU statistics.
+
+#### Supported operating systems
+
+- FreeBSD
+- Linux
+- macOS
+- OpenBSD
+- Windows
+
+#### Permissions
+
+This data should be available without elevated permissions.
+
+**Exported fields**
+
+(no fields available)
+
+
+### Disk IO
+
+The System `diskio` data stream provides disk IO metrics collected from the
+operating system. One event is created for each disk mounted on the system.
+
+#### Supported operating systems
+
+- Linux
+- macOS (requires 10.10+)
+- Windows
+- FreeBSD (amd64)
+
+#### Permissions
+
+This data should be available without elevated permissions.
+
+**Exported fields**
+
+(no fields available)
+
+
+### Filesystem
+
+The System `filesystem` data stream provides file system statistics. For each file
+system, one document is provided.
+
+#### Supported operating systems
+
+- FreeBSD
+- Linux
+- macOS
+- OpenBSD
+- Windows
+
+#### Permissions
+
+This data should be available without elevated permissions.
+
+**Exported fields**
+
+(no fields available)
+
+
+### Fsstat
+
+The System `fsstat` data stream provides overall file system statistics.
+
+#### Supported operating systems
+
+- FreeBSD
+- Linux
+- macOS
+- OpenBSD
+- Windows
+
+#### Permissions
+
+This data should be available without elevated permissions.
+
+**Exported fields**
+
+(no fields available)
+
+
+### Load
+
+The System `load` data stream provides load statistics.
+
+#### Supported operating systems
+
+- FreeBSD
+- Linux
+- macOS
+- OpenBSD
+
+#### Permissions
+
+This data should be available without elevated permissions.
+
+**Exported fields**
+
+(no fields available)
+
+
+### Memory
+
+The System `memory` data stream provides memory statistics.
+
+#### Supported operating systems
+
+- FreeBSD
+- Linux
+- macOS
+- OpenBSD
+- Windows
+
+#### Permissions
+
+This data should be available without elevated permissions.
+
+**Exported fields**
+
+(no fields available)
+
+
+### Network
+
+The System `network` data stream provides network IO metrics collected from the
+operating system. One event is created for each network interface.
+
+#### Supported operating systems
+
+- FreeBSD
+- Linux
+- macOS
+- Windows
+
+#### Permissions
+
+This data should be available without elevated permissions.
+
+**Exported fields**
+
+(no fields available)
+
+
+### Process
+
+The System `process` data stream provides process statistics. One document is
+provided for each process.
+
+#### Supported operating systems
+
+- FreeBSD
+- Linux
+- macOS
+- Windows
+
+#### Permissions
+
+Process execution data should be available for an authorized user.
+If running as less privileged user, it may not be able to read process data belonging to other users.
+
+**Exported fields**
+
+| Field | Description | Type | Unit | Metric Type |
+|---|---|---|---|---|
+| @timestamp | Event timestamp. | date | | |
+| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword | | |
+| cloud.image.id | Image ID for the cloud instance. | keyword | | |
+| cloud.instance.id | Instance ID of the host machine. | keyword | | |
+| cloud.instance.name | Instance name of the host machine. | keyword | | |
+| cloud.machine.type | Machine type of the host machine. | keyword | | |
+| cloud.project.id | Name of the project in Google Cloud. | keyword | | |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | |
+| cloud.region | Region in which this host is running. | keyword | | |
+| container.id | Unique container id. | keyword | | |
+| container.image.name | Name of the image the container was built on. | keyword | | |
+| container.labels | Image labels. | object | | |
+| container.name | Container name. | keyword | | |
+| data_stream.dataset | Data stream dataset. | constant_keyword | | |
+| data_stream.namespace | Data stream namespace. | constant_keyword | | |
+| data_stream.type | Data stream type. | constant_keyword | | |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | |
+| event.dataset | Event dataset. | constant_keyword | | |
+| event.module | Event module | constant_keyword | | |
+| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | |
+| host.architecture | Operating system architecture. | keyword | | |
+| host.containerized | If the host is a container. | boolean | | |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | |
+| host.ip | Host ip addresses. | ip | | |
+| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | |
+| host.os.build | OS build information. | keyword | | |
+| host.os.codename | OS codename, if any. | keyword | | |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | |
+| host.os.full | Operating system name, including the version or code name. | keyword | | |
+| host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword | | |
+| host.os.name | Operating system name, without the version. | keyword | | |
+| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | |
+| host.os.version | Operating system version as a raw string. | keyword | | |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | |
+| process | These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. | group | | |
+| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | | |
+| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | | |
+| process.command_line.text | Multi-field of `process.command_line`. | match_only_text | | |
+| process.cpu.pct | The percentage of CPU time spent by the process since the last event. This value is normalized by the number of CPU cores and it ranges from 0 to 1. | scaled_float | | |
+| process.cpu.start_time | The time when the process was started. | date | | |
+| process.executable | Absolute path to the process executable. | keyword | | |
+| process.executable.text | Multi-field of `process.executable`. | match_only_text | | |
+| process.memory.pct | The percentage of memory the process occupied in main memory (RAM). | scaled_float | | |
+| process.name | Process name. Sometimes called program name or similar. | keyword | | |
+| process.name.text | Multi-field of `process.name`. | match_only_text | | |
+| process.parent.pid | Process id. | long | | |
+| process.pgid | Identifier of the group of processes the process belongs to. | long | | |
+| process.pid | Process id. | long | | |
+| process.state | The process state. For example: "running". | keyword | | |
+| process.working_directory | The working directory of the process. | keyword | | |
+| process.working_directory.text | Multi-field of `process.working_directory`. | match_only_text | | |
+| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | |
+| system.process.cgroup.blkio.id | ID of the cgroup. | keyword | | |
+| system.process.cgroup.blkio.path | Path to the cgroup relative to the cgroup subsystems mountpoint. | keyword | | |
+| system.process.cgroup.blkio.total.bytes | Total number of bytes transferred to and from all block devices by processes in the cgroup. | long | | |
+| system.process.cgroup.blkio.total.ios | Total number of I/O operations performed on all devices by processes in the cgroup as seen by the throttling policy. | long | | |
+| system.process.cgroup.cgroups_version | The version of cgroups reported for the process | long | | |
+| system.process.cgroup.cpu.cfs.period.us | Period of time in microseconds for how regularly a cgroup's access to CPU resources should be reallocated. | long | | |
+| system.process.cgroup.cpu.cfs.quota.us | Total amount of time in microseconds for which all tasks in a cgroup can run during one period (as defined by cfs.period.us). | long | | |
+| system.process.cgroup.cpu.cfs.shares | An integer value that specifies a relative share of CPU time available to the tasks in a cgroup. The value specified in the cpu.shares file must be 2 or higher. | long | | |
+| system.process.cgroup.cpu.id | ID of the cgroup. | keyword | | |
+| system.process.cgroup.cpu.path | Path to the cgroup relative to the cgroup subsystem's mountpoint. | keyword | | |
+| system.process.cgroup.cpu.pressure.full.10.pct | Pressure over 10 seconds | float | | |
+| system.process.cgroup.cpu.pressure.full.300.pct | Pressure over 300 seconds | float | | |
+| system.process.cgroup.cpu.pressure.full.60.pct | Pressure over 60 seconds | float | | |
+| system.process.cgroup.cpu.pressure.full.total | total Full pressure time | long | | |
+| system.process.cgroup.cpu.pressure.some.10.pct | Pressure over 10 seconds | float | | |
+| system.process.cgroup.cpu.pressure.some.300.pct | Pressure over 300 seconds | float | | |
+| system.process.cgroup.cpu.pressure.some.60.pct | Pressure over 60 seconds | float | | |
+| system.process.cgroup.cpu.pressure.some.total | total Some pressure time | long | | |
+| system.process.cgroup.cpu.rt.period.us | Period of time in microseconds for how regularly a cgroup's access to CPU resources is reallocated. | long | | |
+| system.process.cgroup.cpu.rt.runtime.us | Period of time in microseconds for the longest continuous period in which the tasks in a cgroup have access to CPU resources. | long | | |
+| system.process.cgroup.cpu.stats.periods | Number of period intervals (as specified in cpu.cfs.period.us) that have elapsed. | long | | |
+| system.process.cgroup.cpu.stats.system.norm.pct | cgroups v2 normalized system time | float | | |
+| system.process.cgroup.cpu.stats.system.ns | cgroups v2 system time in nanoseconds | long | | |
+| system.process.cgroup.cpu.stats.system.pct | cgroups v2 system time | float | | |
+| system.process.cgroup.cpu.stats.throttled.ns | The total time duration (in nanoseconds) for which tasks in a cgroup have been throttled. | long | | |
+| system.process.cgroup.cpu.stats.throttled.periods | Number of times tasks in a cgroup have been throttled (that is, not allowed to run because they have exhausted all of the available time as specified by their quota). | long | | |
+| system.process.cgroup.cpu.stats.throttled.us | The total time duration (in microseconds) for which tasks in a cgroup have been throttled, as reported by cgroupsv2 | long | | |
+| system.process.cgroup.cpu.stats.usage.norm.pct | cgroups v2 normalized usage | float | | |
+| system.process.cgroup.cpu.stats.usage.ns | cgroups v2 usage in nanoseconds | long | | |
+| system.process.cgroup.cpu.stats.usage.pct | cgroups v2 usage | float | | |
+| system.process.cgroup.cpu.stats.user.norm.pct | cgroups v2 normalized cpu user time | float | | |
+| system.process.cgroup.cpu.stats.user.ns | cgroups v2 cpu user time in nanoseconds | long | | |
+| system.process.cgroup.cpu.stats.user.pct | cgroups v2 cpu user time | float | | |
+| system.process.cgroup.cpuacct.id | ID of the cgroup. | keyword | | |
+| system.process.cgroup.cpuacct.path | Path to the cgroup relative to the cgroup subsystem's mountpoint. | keyword | | |
+| system.process.cgroup.cpuacct.percpu | CPU time (in nanoseconds) consumed on each CPU by all tasks in this cgroup. | object | | |
+| system.process.cgroup.cpuacct.stats.system.norm.pct | Time the cgroup spent in kernel space, as a percentage of total CPU time, normalized by CPU count. | scaled_float | | |
+| system.process.cgroup.cpuacct.stats.system.ns | CPU time consumed by tasks in user (kernel) mode. | long | | |
+| system.process.cgroup.cpuacct.stats.system.pct | Time the cgroup spent in kernel space, as a percentage of total CPU time | scaled_float | | |
+| system.process.cgroup.cpuacct.stats.user.norm.pct | time the cgroup spent in user space, as a percentage of total CPU time, normalized by CPU count. | scaled_float | | |
+| system.process.cgroup.cpuacct.stats.user.ns | CPU time consumed by tasks in user mode. | long | | |
+| system.process.cgroup.cpuacct.stats.user.pct | time the cgroup spent in user space, as a percentage of total CPU time | scaled_float | | |
+| system.process.cgroup.cpuacct.total.norm.pct | CPU time of the cgroup as a percentage of overall CPU time, normalized by CPU count. This is functionally an average of time spent across individual CPUs. | scaled_float | | |
+| system.process.cgroup.cpuacct.total.ns | Total CPU time in nanoseconds consumed by all tasks in the cgroup. | long | | |
+| system.process.cgroup.cpuacct.total.pct | CPU time of the cgroup as a percentage of overall CPU time. | scaled_float | | |
+| system.process.cgroup.id | The ID common to all cgroups associated with this task. If there isn't a common ID used by all cgroups this field will be absent. | keyword | | |
+| system.process.cgroup.io.id | ID of the cgroup. | keyword | | |
+| system.process.cgroup.io.path | Path to the cgroup relative to the cgroup subsystems mountpoint. | keyword | | |
+| system.process.cgroup.io.pressure.full.10.pct | Pressure over 10 seconds | float | | |
+| system.process.cgroup.io.pressure.full.300.pct | Pressure over 300 seconds | float | | |
+| system.process.cgroup.io.pressure.full.60.pct | Pressure over 60 seconds | float | | |
+| system.process.cgroup.io.pressure.full.total | total Some pressure time | long | | |
+| system.process.cgroup.io.pressure.some.10.pct | Pressure over 10 seconds | float | | |
+| system.process.cgroup.io.pressure.some.300.pct | Pressure over 300 seconds | float | | |
+| system.process.cgroup.io.pressure.some.60.pct | Pressure over 60 seconds | float | | |
+| system.process.cgroup.io.pressure.some.total | total Some pressure time | long | | |
+| system.process.cgroup.io.stats.\* | per-device IO usage stats | object | | |
+| system.process.cgroup.io.stats.\*.\* | | object | | |
+| system.process.cgroup.io.stats.\*.\*.bytes | per-device IO usage stats | object | | |
+| system.process.cgroup.io.stats.\*.\*.ios | per-device IO usage stats | object | | |
+| system.process.cgroup.memory.id | ID of the cgroup. | keyword | | |
+| system.process.cgroup.memory.kmem.failures | The number of times that the memory limit (kmem.limit.bytes) was reached. | long | | |
+| system.process.cgroup.memory.kmem.limit.bytes | The maximum amount of kernel memory that tasks in the cgroup are allowed to use. | long | | |
+| system.process.cgroup.memory.kmem.usage.bytes | Total kernel memory usage by processes in the cgroup (in bytes). | long | | |
+| system.process.cgroup.memory.kmem.usage.max.bytes | The maximum kernel memory used by processes in the cgroup (in bytes). | long | | |
+| system.process.cgroup.memory.kmem_tcp.failures | The number of times that the memory limit (kmem_tcp.limit.bytes) was reached. | long | | |
+| system.process.cgroup.memory.kmem_tcp.limit.bytes | The maximum amount of memory for TCP buffers that tasks in the cgroup are allowed to use. | long | | |
+| system.process.cgroup.memory.kmem_tcp.usage.bytes | Total memory usage for TCP buffers in bytes. | long | | |
+| system.process.cgroup.memory.kmem_tcp.usage.max.bytes | The maximum memory used for TCP buffers by processes in the cgroup (in bytes). | long | | |
+| system.process.cgroup.memory.mem.events.fail | failed threshold | long | | |
+| system.process.cgroup.memory.mem.events.high | high threshold | long | | |
+| system.process.cgroup.memory.mem.events.low | low threshold | long | | |
+| system.process.cgroup.memory.mem.events.max | max threshold | long | | |
+| system.process.cgroup.memory.mem.events.oom | oom threshold | long | | |
+| system.process.cgroup.memory.mem.events.oom_kill | oom killer threshold | long | | |
+| system.process.cgroup.memory.mem.failures | The number of times that the memory limit (mem.limit.bytes) was reached. | long | | |
+| system.process.cgroup.memory.mem.high.bytes | memory high threshhold | long | | |
+| system.process.cgroup.memory.mem.limit.bytes | The maximum amount of user memory in bytes (including file cache) that tasks in the cgroup are allowed to use. | long | | |
+| system.process.cgroup.memory.mem.low.bytes | memory low threshhold | long | | |
+| system.process.cgroup.memory.mem.max.bytes | memory max threshhold | long | | |
+| system.process.cgroup.memory.mem.usage.bytes | Total memory usage by processes in the cgroup (in bytes). | long | | |
+| system.process.cgroup.memory.mem.usage.max.bytes | The maximum memory used by processes in the cgroup (in bytes). | long | | |
+| system.process.cgroup.memory.memsw.events.fail | failed threshold | long | | |
+| system.process.cgroup.memory.memsw.events.high | high threshold | long | | |
+| system.process.cgroup.memory.memsw.events.low | low threshold | long | | |
+| system.process.cgroup.memory.memsw.events.max | max threshold | long | | |
+| system.process.cgroup.memory.memsw.events.oom | oom threshold | long | | |
+| system.process.cgroup.memory.memsw.events.oom_kill | oom killer threshold | long | | |
+| system.process.cgroup.memory.memsw.failures | The number of times that the memory plus swap space limit (memsw.limit.bytes) was reached. | long | | |
+| system.process.cgroup.memory.memsw.high.bytes | memory high threshhold | long | | |
+| system.process.cgroup.memory.memsw.limit.bytes | The maximum amount for the sum of memory and swap usage that tasks in the cgroup are allowed to use. | long | | |
+| system.process.cgroup.memory.memsw.low.bytes | memory low threshhold | long | | |
+| system.process.cgroup.memory.memsw.max.bytes | memory max threshhold | long | | |
+| system.process.cgroup.memory.memsw.usage.bytes | The sum of current memory usage plus swap space used by processes in the cgroup (in bytes). | long | | |
+| system.process.cgroup.memory.memsw.usage.max.bytes | The maximum amount of memory and swap space used by processes in the cgroup (in bytes). | long | | |
+| system.process.cgroup.memory.path | Path to the cgroup relative to the cgroup subsystem's mountpoint. | keyword | | |
+| system.process.cgroup.memory.stats.\* | detailed memory IO stats | object | | |
+| system.process.cgroup.memory.stats.\*.bytes | detailed memory IO stats | object | | |
+| system.process.cgroup.memory.stats.active_anon.bytes | Anonymous and swap cache on active least-recently-used (LRU) list, including tmpfs (shmem), in bytes. | long | | |
+| system.process.cgroup.memory.stats.active_file.bytes | File-backed memory on active LRU list, in bytes. | long | | |
+| system.process.cgroup.memory.stats.cache.bytes | Page cache, including tmpfs (shmem), in bytes. | long | | |
+| system.process.cgroup.memory.stats.hierarchical_memory_limit.bytes | Memory limit for the hierarchy that contains the memory cgroup, in bytes. | long | | |
+| system.process.cgroup.memory.stats.hierarchical_memsw_limit.bytes | Memory plus swap limit for the hierarchy that contains the memory cgroup, in bytes. | long | | |
+| system.process.cgroup.memory.stats.inactive_anon.bytes | Anonymous and swap cache on inactive LRU list, including tmpfs (shmem), in bytes | long | | |
+| system.process.cgroup.memory.stats.inactive_file.bytes | File-backed memory on inactive LRU list, in bytes. | long | | |
+| system.process.cgroup.memory.stats.major_page_faults | Number of times that a process in the cgroup triggered a major fault. "Major" faults happen when the kernel actually has to read the data from disk. | long | | |
+| system.process.cgroup.memory.stats.mapped_file.bytes | Size of memory-mapped mapped files, including tmpfs (shmem), in bytes. | long | | |
+| system.process.cgroup.memory.stats.page_faults | Number of times that a process in the cgroup triggered a page fault. | long | | |
+| system.process.cgroup.memory.stats.pages_in | Number of pages paged into memory. This is a counter. | long | | |
+| system.process.cgroup.memory.stats.pages_out | Number of pages paged out of memory. This is a counter. | long | | |
+| system.process.cgroup.memory.stats.rss.bytes | Anonymous and swap cache (includes transparent hugepages), not including tmpfs (shmem), in bytes. | long | | |
+| system.process.cgroup.memory.stats.rss_huge.bytes | Number of bytes of anonymous transparent hugepages. | long | | |
+| system.process.cgroup.memory.stats.swap.bytes | Swap usage, in bytes. | long | | |
+| system.process.cgroup.memory.stats.unevictable.bytes | Memory that cannot be reclaimed, in bytes. | long | | |
+| system.process.cgroup.path | The path to the cgroup relative to the cgroup subsystem's mountpoint. If there isn't a common path used by all cgroups this field will be absent. | keyword | | |
+| system.process.cmdline | The full command-line used to start the process, including the arguments separated by space. | keyword | | |
+| system.process.cpu.start_time | The time when the process was started. | date | | |
+| system.process.cpu.system.ticks | The amount of CPU time the process spent in kernel space. | long | | counter |
+| system.process.cpu.total.norm.pct | The percentage of CPU time spent by the process since the last event. This value is normalized by the number of CPU cores and it ranges from 0 to 100%. | scaled_float | percent | gauge |
+| system.process.cpu.total.pct | The percentage of CPU time spent by the process since the last update. Its value is similar to the %CPU value of the process displayed by the top command on Unix systems. | scaled_float | percent | gauge |
+| system.process.cpu.total.ticks | The total CPU time spent by the process. | long | | counter |
+| system.process.cpu.total.value | The value of CPU usage since starting the process. | long | | counter |
+| system.process.cpu.user.ticks | The amount of CPU time the process spent in user space. | long | | counter |
+| system.process.env | The environment variables used to start the process. The data is available on FreeBSD, Linux, and OS X. | object | | |
+| system.process.fd.limit.hard | The hard limit on the number of file descriptors opened by the process. The hard limit can only be raised by root. | long | | gauge |
+| system.process.fd.limit.soft | The soft limit on the number of file descriptors opened by the process. The soft limit can be changed by the process at any time. | long | | gauge |
+| system.process.fd.open | The number of file descriptors open by the process. | long | | gauge |
+| system.process.memory.rss.bytes | The Resident Set Size. The amount of memory the process occupied in main memory (RAM). On Windows this represents the current working set size, in bytes. | long | byte | gauge |
+| system.process.memory.rss.pct | The percentage of memory the process occupied in main memory (RAM). | scaled_float | percent | gauge |
+| system.process.memory.share | The shared memory the process uses. | long | byte | gauge |
+| system.process.memory.size | The total virtual memory the process has. On Windows this represents the Commit Charge (the total amount of memory that the memory manager has committed for a running process) value in bytes for this process. | long | byte | gauge |
+| system.process.state | The process state. For example: "running". | keyword | | |
+| user | The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. | group | | |
+| user.name | Short name or login of the user. | keyword | | |
+| user.name.text | Multi-field of `user.name`. | match_only_text | | |
+
+
+### Process summary
+
+The `process_summary` data stream collects high level statistics about the running
+processes.
+
+#### Supported operating systems
+
+- FreeBSD
+- Linux
+- macOS
+- Windows
+
+#### Permissions
+
+General process summary data should be available without elevated permissions.
+If the process data belongs to the other users, it will be counted as unknown value.
+
+**Exported fields**
+
+(no fields available)
+
+
+### Socket summary
+
+The System `socket_summary` data stream provides the summary of open network
+sockets in the host system.
+
+It collects a summary of metrics with the count of existing TCP and UDP
+connections and the count of listening ports.
+
+#### Supported operating systems
+
+- FreeBSD
+- Linux
+- macOS
+- Windows
+
+#### Permissions
+
+This data should be available without elevated permissions.
+
+**Exported fields**
+
+(no fields available)
+
+
+### Uptime
+
+The System `uptime` data stream provides the uptime of the host operating system.
+
+#### Supported operating systems
+
+- Linux
+- macOS
+- OpenBSD
+- FreeBSD
+- Windows
+
+#### Permissions
+
+This data should be available without elevated permissions.
+
+**Exported fields**
+
+(no fields available)
+
diff --git a/test/packages/parallel/system/img/kibana-system.png b/test/packages/parallel/system/img/kibana-system.png
new file mode 100644
index 000000000..8741a5662
Binary files /dev/null and b/test/packages/parallel/system/img/kibana-system.png differ
diff --git a/test/packages/parallel/system/img/metricbeat_system_dashboard.png b/test/packages/parallel/system/img/metricbeat_system_dashboard.png
new file mode 100644
index 000000000..2ff6ad8bd
Binary files /dev/null and b/test/packages/parallel/system/img/metricbeat_system_dashboard.png differ
diff --git a/test/packages/parallel/system/img/system.svg b/test/packages/parallel/system/img/system.svg
new file mode 100644
index 000000000..0aba96275
--- /dev/null
+++ b/test/packages/parallel/system/img/system.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/test/packages/parallel/system/kibana/dashboard/system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab.json b/test/packages/parallel/system/kibana/dashboard/system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab.json
new file mode 100644
index 000000000..7219b7bd7
--- /dev/null
+++ b/test/packages/parallel/system/kibana/dashboard/system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab.json
@@ -0,0 +1,894 @@
+{
+ "attributes": {
+ "description": "New users and groups dashboard for the System integration in Logs",
+ "hits": 0,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [],
+ "highlightAll": true,
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "version": true
+ }
+ },
+ "optionsJSON": {
+ "darkTheme": false
+ },
+ "panelsJSON": [
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {}
+ },
+ "description": "",
+ "params": {
+ "fontSize": 12,
+ "markdown": "[Syslog](#/dashboard/system-Logs-syslog-dashboard) | [Sudo commands](#/dashboard/system-277876d0-fa2c-11e6-bbd3-29c986c96e5a) | [SSH logins](#/dashboard/system-5517a150-f9ce-11e6-8115-a7c18106d86a) | [New users and groups](#/dashboard/system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab)"
+ },
+ "title": "Dashboards [Logs System]",
+ "type": "markdown",
+ "uiState": {}
+ },
+ "type": "visualization"
+ },
+ "gridData": {
+ "h": 4,
+ "i": "7",
+ "w": 48,
+ "x": 0,
+ "y": 0
+ },
+ "panelIndex": "7",
+ "type": "visualization",
+ "version": "8.6.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "savedVis": {
+ "data": {
+ "aggs": [
+ {
+ "enabled": true,
+ "id": "1",
+ "params": {},
+ "schema": "metric",
+ "type": "count"
+ },
+ {
+ "enabled": true,
+ "id": "2",
+ "params": {
+ "customLabel": "Host",
+ "field": "host.hostname",
+ "missingBucket": false,
+ "missingBucketLabel": "Missing",
+ "order": "desc",
+ "orderBy": "1",
+ "otherBucket": false,
+ "otherBucketLabel": "Other",
+ "size": 5
+ },
+ "schema": "bucket",
+ "type": "terms"
+ },
+ {
+ "enabled": true,
+ "id": "3",
+ "params": {
+ "customLabel": "User",
+ "field": "user.name",
+ "missingBucket": false,
+ "missingBucketLabel": "Missing",
+ "order": "desc",
+ "orderBy": "1",
+ "otherBucket": false,
+ "otherBucketLabel": "Other",
+ "size": 5
+ },
+ "schema": "bucket",
+ "type": "terms"
+ },
+ {
+ "enabled": true,
+ "id": "4",
+ "params": {
+ "customLabel": "UID",
+ "field": "user.id",
+ "missingBucket": false,
+ "missingBucketLabel": "Missing",
+ "order": "desc",
+ "orderBy": "1",
+ "otherBucket": false,
+ "otherBucketLabel": "Other",
+ "size": 5
+ },
+ "schema": "bucket",
+ "type": "terms"
+ },
+ {
+ "enabled": true,
+ "id": "5",
+ "params": {
+ "customLabel": "GID",
+ "field": "group.id",
+ "missingBucket": false,
+ "missingBucketLabel": "Missing",
+ "order": "desc",
+ "orderBy": "1",
+ "otherBucket": false,
+ "otherBucketLabel": "Other",
+ "size": 5
+ },
+ "schema": "bucket",
+ "type": "terms"
+ },
+ {
+ "enabled": true,
+ "id": "6",
+ "params": {
+ "customLabel": "Home",
+ "field": "system.auth.useradd.home",
+ "missingBucket": false,
+ "missingBucketLabel": "Missing",
+ "order": "desc",
+ "orderBy": "1",
+ "otherBucket": false,
+ "otherBucketLabel": "Other",
+ "size": 5
+ },
+ "schema": "bucket",
+ "type": "terms"
+ },
+ {
+ "enabled": true,
+ "id": "7",
+ "params": {
+ "customLabel": "Shell",
+ "field": "system.auth.useradd.shell",
+ "missingBucket": false,
+ "missingBucketLabel": "Missing",
+ "order": "desc",
+ "orderBy": "1",
+ "otherBucket": false,
+ "otherBucketLabel": "Other",
+ "size": 5
+ },
+ "schema": "bucket",
+ "type": "terms"
+ }
+ ],
+ "searchSource": {
+ "filter": []
+ }
+ },
+ "description": "",
+ "params": {
+ "autoFitRowToContent": false,
+ "filter": {
+ "language": "kuery",
+ "query": "data_stream.dataset : \"system.auth\""
+ },
+ "perPage": 10,
+ "percentageCol": "",
+ "showMetricsAtAllLevels": false,
+ "showPartialRows": false,
+ "showToolbar": true,
+ "showTotal": false,
+ "sort": {
+ "columnIndex": null,
+ "direction": null
+ },
+ "totalFunc": "sum"
+ },
+ "type": "table",
+ "uiState": {
+ "vis": {
+ "params": {
+ "sort": {
+ "columnIndex": null,
+ "direction": null
+ }
+ }
+ }
+ }
+ },
+ "type": "visualization"
+ },
+ "gridData": {
+ "h": 12,
+ "i": "b9f97626-14a8-42d6-8bc4-2f37b06b9e6d",
+ "w": 24,
+ "x": 0,
+ "y": 4
+ },
+ "panelIndex": "b9f97626-14a8-42d6-8bc4-2f37b06b9e6d",
+ "title": "New users [Logs System]",
+ "type": "visualization",
+ "version": "8.6.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "savedVis": {
+ "data": {
+ "aggs": [
+ {
+ "enabled": true,
+ "id": "1",
+ "params": {},
+ "schema": "metric",
+ "type": "count"
+ },
+ {
+ "enabled": true,
+ "id": "2",
+ "params": {
+ "drop_partials": false,
+ "extended_bounds": {},
+ "field": "@timestamp",
+ "interval": "auto",
+ "min_doc_count": 1,
+ "scaleMetricValues": false,
+ "timeRange": {
+ "from": "now-15m",
+ "to": "now"
+ },
+ "useNormalizedEsInterval": true,
+ "used_interval": "30s"
+ },
+ "schema": "segment",
+ "type": "date_histogram"
+ },
+ {
+ "enabled": true,
+ "id": "3",
+ "params": {
+ "field": "user.name",
+ "missingBucket": false,
+ "missingBucketLabel": "Missing",
+ "order": "desc",
+ "orderBy": "1",
+ "otherBucket": false,
+ "otherBucketLabel": "Other",
+ "size": 5
+ },
+ "schema": "group",
+ "type": "terms"
+ }
+ ],
+ "searchSource": {
+ "filter": []
+ }
+ },
+ "description": "",
+ "params": {
+ "addLegend": true,
+ "addTimeMarker": false,
+ "addTooltip": true,
+ "categoryAxes": [
+ {
+ "id": "CategoryAxis-1",
+ "labels": {
+ "filter": true,
+ "show": true,
+ "truncate": 100
+ },
+ "position": "bottom",
+ "scale": {
+ "type": "linear"
+ },
+ "show": true,
+ "style": {},
+ "title": {},
+ "type": "category"
+ }
+ ],
+ "defaultYExtents": false,
+ "detailedTooltip": true,
+ "grid": {
+ "categoryLines": false
+ },
+ "labels": {
+ "show": false
+ },
+ "legendPosition": "bottom",
+ "legendSize": "auto",
+ "maxLegendLines": 1,
+ "mode": "stacked",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "radiusRatio": 0,
+ "scale": "linear",
+ "seriesParams": [
+ {
+ "circlesRadius": 1,
+ "data": {
+ "id": "1",
+ "label": "Count"
+ },
+ "drawLinesBetweenPoints": true,
+ "interpolate": "linear",
+ "lineWidth": 2,
+ "mode": "stacked",
+ "show": true,
+ "showCircles": true,
+ "type": "histogram",
+ "valueAxis": "ValueAxis-1"
+ }
+ ],
+ "setYExtents": false,
+ "thresholdLine": {
+ "color": "#E7664C",
+ "show": false,
+ "style": "full",
+ "value": 10,
+ "width": 1
+ },
+ "times": [],
+ "truncateLegend": true,
+ "type": "histogram",
+ "valueAxes": [
+ {
+ "id": "ValueAxis-1",
+ "labels": {
+ "filter": true,
+ "rotate": 0,
+ "show": true,
+ "truncate": 100
+ },
+ "name": "LeftAxis-1",
+ "position": "left",
+ "scale": {
+ "mode": "normal",
+ "type": "linear"
+ },
+ "show": true,
+ "style": {},
+ "title": {
+ "text": ""
+ },
+ "type": "value"
+ }
+ ]
+ },
+ "type": "histogram",
+ "uiState": {}
+ },
+ "type": "visualization"
+ },
+ "gridData": {
+ "h": 12,
+ "i": "eb0fbea1-6c85-41e0-b52c-b0db0c895432",
+ "w": 24,
+ "x": 24,
+ "y": 4
+ },
+ "panelIndex": "eb0fbea1-6c85-41e0-b52c-b0db0c895432",
+ "title": "New users over time [Logs System]",
+ "type": "visualization",
+ "version": "8.6.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "savedVis": {
+ "data": {
+ "aggs": [
+ {
+ "enabled": true,
+ "id": "1",
+ "params": {},
+ "schema": "metric",
+ "type": "count"
+ },
+ {
+ "enabled": true,
+ "id": "2",
+ "params": {
+ "field": "system.auth.useradd.shell",
+ "missingBucket": false,
+ "missingBucketLabel": "Missing",
+ "order": "desc",
+ "orderBy": "1",
+ "otherBucket": false,
+ "otherBucketLabel": "Other",
+ "size": 5
+ },
+ "schema": "segment",
+ "type": "terms"
+ },
+ {
+ "enabled": true,
+ "id": "3",
+ "params": {
+ "field": "user.name",
+ "missingBucket": false,
+ "missingBucketLabel": "Missing",
+ "order": "desc",
+ "orderBy": "1",
+ "otherBucket": false,
+ "otherBucketLabel": "Other",
+ "size": 5
+ },
+ "schema": "segment",
+ "type": "terms"
+ }
+ ],
+ "searchSource": {
+ "filter": []
+ }
+ },
+ "description": "",
+ "params": {
+ "addLegend": true,
+ "addTooltip": true,
+ "distinctColors": true,
+ "emptySizeRatio": 0.3,
+ "filter": {
+ "language": "kuery",
+ "query": "data_stream.dataset : \"system.auth\""
+ },
+ "isDonut": false,
+ "labels": {
+ "last_level": false,
+ "percentDecimals": 2,
+ "position": "default",
+ "show": true,
+ "truncate": 100,
+ "values": true,
+ "valuesFormat": "percent"
+ },
+ "legendPosition": "right",
+ "legendSize": "auto",
+ "maxLegendLines": 1,
+ "nestedLegend": false,
+ "palette": {
+ "name": "kibana_palette",
+ "type": "palette"
+ },
+ "truncateLegend": true,
+ "type": "pie"
+ },
+ "type": "pie",
+ "uiState": {
+ "vis": {
+ "colors": {
+ "/bin/bash": "#E24D42",
+ "/bin/false": "#508642",
+ "/sbin/nologin": "#7EB26D"
+ },
+ "legendOpen": true
+ }
+ }
+ },
+ "type": "visualization"
+ },
+ "gridData": {
+ "h": 12,
+ "i": "2e5bb345-992a-4cf4-9b8b-8d68a6b26f3c",
+ "w": 24,
+ "x": 0,
+ "y": 16
+ },
+ "panelIndex": "2e5bb345-992a-4cf4-9b8b-8d68a6b26f3c",
+ "title": "New users by shell [Logs System]",
+ "type": "visualization",
+ "version": "8.6.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "savedVis": {
+ "data": {
+ "aggs": [
+ {
+ "enabled": true,
+ "id": "1",
+ "params": {},
+ "schema": "metric",
+ "type": "count"
+ },
+ {
+ "enabled": true,
+ "id": "2",
+ "params": {
+ "field": "system.auth.useradd.home",
+ "missingBucket": false,
+ "missingBucketLabel": "Missing",
+ "order": "desc",
+ "orderBy": "1",
+ "otherBucket": false,
+ "otherBucketLabel": "Other",
+ "size": 5
+ },
+ "schema": "segment",
+ "type": "terms"
+ },
+ {
+ "enabled": true,
+ "id": "3",
+ "params": {
+ "field": "user.name",
+ "missingBucket": false,
+ "missingBucketLabel": "Missing",
+ "order": "desc",
+ "orderBy": "1",
+ "otherBucket": false,
+ "otherBucketLabel": "Other",
+ "size": 5
+ },
+ "schema": "segment",
+ "type": "terms"
+ }
+ ],
+ "searchSource": {
+ "filter": []
+ }
+ },
+ "description": "",
+ "params": {
+ "addLegend": true,
+ "addTooltip": true,
+ "distinctColors": true,
+ "emptySizeRatio": 0.3,
+ "isDonut": false,
+ "labels": {
+ "last_level": false,
+ "percentDecimals": 2,
+ "position": "default",
+ "show": true,
+ "truncate": 100,
+ "values": true,
+ "valuesFormat": "percent"
+ },
+ "legendPosition": "right",
+ "legendSize": "auto",
+ "maxLegendLines": 1,
+ "nestedLegend": false,
+ "palette": {
+ "name": "kibana_palette",
+ "type": "palette"
+ },
+ "truncateLegend": true,
+ "type": "pie"
+ },
+ "type": "pie",
+ "uiState": {
+ "vis": {
+ "colors": {
+ "/bin/bash": "#E24D42",
+ "/bin/false": "#508642",
+ "/nonexistent": "#629E51",
+ "/sbin/nologin": "#7EB26D"
+ },
+ "legendOpen": true
+ }
+ }
+ },
+ "type": "visualization"
+ },
+ "gridData": {
+ "h": 12,
+ "i": "26b1fdeb-77e8-4eaa-8d09-140485154c1a",
+ "w": 24,
+ "x": 24,
+ "y": 16
+ },
+ "panelIndex": "26b1fdeb-77e8-4eaa-8d09-140485154c1a",
+ "title": "New users by home directory [Logs System]",
+ "type": "visualization",
+ "version": "8.6.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "savedVis": {
+ "data": {
+ "aggs": [
+ {
+ "enabled": true,
+ "id": "1",
+ "params": {},
+ "schema": "metric",
+ "type": "count"
+ },
+ {
+ "enabled": true,
+ "id": "2",
+ "params": {
+ "field": "group.name",
+ "missingBucket": false,
+ "missingBucketLabel": "Missing",
+ "order": "desc",
+ "orderBy": "1",
+ "otherBucket": false,
+ "otherBucketLabel": "Other",
+ "size": 5
+ },
+ "schema": "bucket",
+ "type": "terms"
+ },
+ {
+ "enabled": true,
+ "id": "3",
+ "params": {
+ "field": "group.id",
+ "missingBucket": false,
+ "missingBucketLabel": "Missing",
+ "order": "desc",
+ "orderBy": "1",
+ "otherBucket": false,
+ "otherBucketLabel": "Other",
+ "size": 5
+ },
+ "schema": "bucket",
+ "type": "terms"
+ }
+ ],
+ "searchSource": {
+ "filter": []
+ }
+ },
+ "description": "",
+ "params": {
+ "autoFitRowToContent": false,
+ "perPage": 10,
+ "percentageCol": "",
+ "showMetricsAtAllLevels": false,
+ "showPartialRows": false,
+ "showToolbar": true,
+ "showTotal": false,
+ "sort": {
+ "columnIndex": null,
+ "direction": null
+ },
+ "totalFunc": "sum"
+ },
+ "type": "table",
+ "uiState": {
+ "vis": {
+ "params": {
+ "sort": {
+ "columnIndex": null,
+ "direction": null
+ }
+ }
+ }
+ }
+ },
+ "type": "visualization"
+ },
+ "gridData": {
+ "h": 12,
+ "i": "c6ff6af0-7172-4e98-8f0e-7b3a6c37217e",
+ "w": 24,
+ "x": 0,
+ "y": 28
+ },
+ "panelIndex": "c6ff6af0-7172-4e98-8f0e-7b3a6c37217e",
+ "title": "New groups [Logs System]",
+ "type": "visualization",
+ "version": "8.6.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "savedVis": {
+ "data": {
+ "aggs": [
+ {
+ "enabled": true,
+ "id": "1",
+ "params": {},
+ "schema": "metric",
+ "type": "count"
+ },
+ {
+ "enabled": true,
+ "id": "2",
+ "params": {
+ "drop_partials": false,
+ "extended_bounds": {},
+ "field": "@timestamp",
+ "interval": "auto",
+ "min_doc_count": 1,
+ "scaleMetricValues": false,
+ "timeRange": {
+ "from": "now-15m",
+ "to": "now"
+ },
+ "useNormalizedEsInterval": true,
+ "used_interval": "30s"
+ },
+ "schema": "segment",
+ "type": "date_histogram"
+ },
+ {
+ "enabled": true,
+ "id": "3",
+ "params": {
+ "field": "group.name",
+ "missingBucket": false,
+ "missingBucketLabel": "Missing",
+ "order": "desc",
+ "orderBy": "1",
+ "otherBucket": false,
+ "otherBucketLabel": "Other",
+ "size": 5
+ },
+ "schema": "group",
+ "type": "terms"
+ }
+ ],
+ "searchSource": {
+ "filter": []
+ }
+ },
+ "description": "",
+ "params": {
+ "addLegend": true,
+ "addTimeMarker": false,
+ "addTooltip": true,
+ "categoryAxes": [
+ {
+ "id": "CategoryAxis-1",
+ "labels": {
+ "filter": true,
+ "show": true,
+ "truncate": 100
+ },
+ "position": "bottom",
+ "scale": {
+ "type": "linear"
+ },
+ "show": true,
+ "style": {},
+ "title": {},
+ "type": "category"
+ }
+ ],
+ "defaultYExtents": false,
+ "detailedTooltip": true,
+ "grid": {
+ "categoryLines": false
+ },
+ "labels": {
+ "show": false
+ },
+ "legendPosition": "bottom",
+ "legendSize": "auto",
+ "maxLegendLines": 1,
+ "mode": "stacked",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "radiusRatio": 0,
+ "scale": "linear",
+ "seriesParams": [
+ {
+ "circlesRadius": 1,
+ "data": {
+ "id": "1",
+ "label": "Count"
+ },
+ "drawLinesBetweenPoints": true,
+ "interpolate": "linear",
+ "lineWidth": 2,
+ "mode": "stacked",
+ "show": true,
+ "showCircles": true,
+ "type": "histogram",
+ "valueAxis": "ValueAxis-1"
+ }
+ ],
+ "setYExtents": false,
+ "thresholdLine": {
+ "color": "#E7664C",
+ "show": false,
+ "style": "full",
+ "value": 10,
+ "width": 1
+ },
+ "times": [],
+ "truncateLegend": true,
+ "type": "histogram",
+ "valueAxes": [
+ {
+ "id": "ValueAxis-1",
+ "labels": {
+ "filter": true,
+ "rotate": 0,
+ "show": true,
+ "truncate": 100
+ },
+ "name": "LeftAxis-1",
+ "position": "left",
+ "scale": {
+ "mode": "normal",
+ "type": "linear"
+ },
+ "show": true,
+ "style": {},
+ "title": {
+ "text": ""
+ },
+ "type": "value"
+ }
+ ]
+ },
+ "type": "histogram",
+ "uiState": {}
+ },
+ "type": "visualization"
+ },
+ "gridData": {
+ "h": 12,
+ "i": "edc0a4ad-a2f9-4ae8-93ca-cfd7d0ed40fe",
+ "w": 24,
+ "x": 24,
+ "y": 28
+ },
+ "panelIndex": "edc0a4ad-a2f9-4ae8-93ca-cfd7d0ed40fe",
+ "title": "New groups over time [Logs System]",
+ "type": "visualization",
+ "version": "8.6.0"
+ }
+ ],
+ "timeRestore": false,
+ "title": "[Logs System] New users and groups",
+ "version": 1
+ },
+ "coreMigrationVersion": "8.6.1",
+ "created_at": "2023-03-23T04:03:56.987Z",
+ "id": "system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab",
+ "migrationVersion": {
+ "dashboard": "8.6.0"
+ },
+ "references": [
+ {
+ "id": "system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab",
+ "name": "b9f97626-14a8-42d6-8bc4-2f37b06b9e6d:search_0",
+ "type": "search"
+ },
+ {
+ "id": "system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab",
+ "name": "eb0fbea1-6c85-41e0-b52c-b0db0c895432:search_0",
+ "type": "search"
+ },
+ {
+ "id": "system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab",
+ "name": "2e5bb345-992a-4cf4-9b8b-8d68a6b26f3c:search_0",
+ "type": "search"
+ },
+ {
+ "id": "system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab",
+ "name": "26b1fdeb-77e8-4eaa-8d09-140485154c1a:search_0",
+ "type": "search"
+ },
+ {
+ "id": "system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38",
+ "name": "c6ff6af0-7172-4e98-8f0e-7b3a6c37217e:search_0",
+ "type": "search"
+ },
+ {
+ "id": "system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38",
+ "name": "edc0a4ad-a2f9-4ae8-93ca-cfd7d0ed40fe:search_0",
+ "type": "search"
+ },
+ {
+ "id": "system-fleet-pkg-system-default",
+ "name": "tag-ref-fleet-pkg-system-default",
+ "type": "tag"
+ }
+ ],
+ "type": "dashboard"
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/kibana/dashboard/system-277876d0-fa2c-11e6-bbd3-29c986c96e5a.json b/test/packages/parallel/system/kibana/dashboard/system-277876d0-fa2c-11e6-bbd3-29c986c96e5a.json
new file mode 100644
index 000000000..cf1d2557d
--- /dev/null
+++ b/test/packages/parallel/system/kibana/dashboard/system-277876d0-fa2c-11e6-bbd3-29c986c96e5a.json
@@ -0,0 +1,513 @@
+{
+ "attributes": {
+ "description": "Sudo commands dashboard from the Logs System integration",
+ "hits": 0,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [],
+ "highlightAll": true,
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "version": true
+ }
+ },
+ "optionsJSON": {
+ "darkTheme": false
+ },
+ "panelsJSON": [
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {}
+ },
+ "description": "",
+ "params": {
+ "fontSize": 12,
+ "markdown": "[Syslog](#/dashboard/system-Logs-syslog-dashboard) | [Sudo commands](#/dashboard/system-277876d0-fa2c-11e6-bbd3-29c986c96e5a) | [SSH logins](#/dashboard/system-5517a150-f9ce-11e6-8115-a7c18106d86a) | [New users and groups](#/dashboard/system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab)"
+ },
+ "title": "Dashboards [Logs System]",
+ "type": "markdown",
+ "uiState": {}
+ },
+ "type": "visualization"
+ },
+ "gridData": {
+ "h": 4,
+ "i": "4",
+ "w": 48,
+ "x": 0,
+ "y": 0
+ },
+ "panelIndex": "4",
+ "type": "visualization",
+ "version": "8.6.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "savedVis": {
+ "data": {
+ "aggs": [
+ {
+ "enabled": true,
+ "id": "1",
+ "params": {},
+ "schema": "metric",
+ "type": "count"
+ },
+ {
+ "enabled": true,
+ "id": "2",
+ "params": {
+ "field": "system.auth.sudo.command",
+ "missingBucket": false,
+ "missingBucketLabel": "Missing",
+ "order": "desc",
+ "orderBy": "1",
+ "otherBucket": false,
+ "otherBucketLabel": "Other",
+ "size": 5
+ },
+ "schema": "bucket",
+ "type": "terms"
+ },
+ {
+ "enabled": true,
+ "id": "3",
+ "params": {
+ "field": "user.name",
+ "missingBucket": false,
+ "missingBucketLabel": "Missing",
+ "order": "desc",
+ "orderBy": "1",
+ "otherBucket": false,
+ "otherBucketLabel": "Other",
+ "size": 5
+ },
+ "schema": "bucket",
+ "type": "terms"
+ }
+ ],
+ "searchSource": {
+ "filter": []
+ }
+ },
+ "description": "",
+ "params": {
+ "autoFitRowToContent": false,
+ "filter": {
+ "language": "kuery",
+ "query": "data_stream.dataset : \"system.auth\""
+ },
+ "perPage": 10,
+ "percentageCol": "",
+ "showMetricsAtAllLevels": false,
+ "showPartialRows": false,
+ "showToolbar": true,
+ "showTotal": false,
+ "sort": {
+ "columnIndex": null,
+ "direction": null
+ },
+ "totalFunc": "sum"
+ },
+ "type": "table",
+ "uiState": {
+ "vis": {
+ "params": {
+ "sort": {
+ "columnIndex": null,
+ "direction": null
+ }
+ }
+ }
+ }
+ },
+ "type": "visualization"
+ },
+ "gridData": {
+ "h": 16,
+ "i": "9176826e-b47b-405c-9fed-7928177e627b",
+ "w": 48,
+ "x": 0,
+ "y": 4
+ },
+ "panelIndex": "9176826e-b47b-405c-9fed-7928177e627b",
+ "title": "Top sudo commands [Logs System]",
+ "type": "visualization",
+ "version": "8.6.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "savedVis": {
+ "data": {
+ "aggs": [
+ {
+ "enabled": true,
+ "id": "1",
+ "params": {},
+ "schema": "metric",
+ "type": "count"
+ },
+ {
+ "enabled": true,
+ "id": "2",
+ "params": {
+ "drop_partials": false,
+ "extended_bounds": {},
+ "field": "@timestamp",
+ "interval": "auto",
+ "min_doc_count": 1,
+ "scaleMetricValues": false,
+ "timeRange": {
+ "from": "now-15m",
+ "to": "now"
+ },
+ "useNormalizedEsInterval": true,
+ "used_interval": "30s"
+ },
+ "schema": "segment",
+ "type": "date_histogram"
+ },
+ {
+ "enabled": true,
+ "id": "3",
+ "params": {
+ "field": "user.name",
+ "missingBucket": false,
+ "missingBucketLabel": "Missing",
+ "order": "desc",
+ "orderBy": "1",
+ "otherBucket": false,
+ "otherBucketLabel": "Other",
+ "size": 5
+ },
+ "schema": "group",
+ "type": "terms"
+ }
+ ],
+ "searchSource": {
+ "filter": []
+ }
+ },
+ "description": "",
+ "params": {
+ "addLegend": true,
+ "addTimeMarker": false,
+ "addTooltip": true,
+ "categoryAxes": [
+ {
+ "id": "CategoryAxis-1",
+ "labels": {
+ "filter": true,
+ "show": true,
+ "truncate": 100
+ },
+ "position": "bottom",
+ "scale": {
+ "type": "linear"
+ },
+ "show": true,
+ "style": {},
+ "title": {},
+ "type": "category"
+ }
+ ],
+ "defaultYExtents": false,
+ "detailedTooltip": true,
+ "grid": {
+ "categoryLines": false
+ },
+ "labels": {
+ "show": false
+ },
+ "legendPosition": "right",
+ "legendSize": "auto",
+ "maxLegendLines": 1,
+ "mode": "stacked",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "radiusRatio": 0,
+ "scale": "linear",
+ "seriesParams": [
+ {
+ "circlesRadius": 1,
+ "data": {
+ "id": "1",
+ "label": "Count"
+ },
+ "drawLinesBetweenPoints": true,
+ "interpolate": "linear",
+ "lineWidth": 2,
+ "mode": "stacked",
+ "show": true,
+ "showCircles": true,
+ "type": "histogram",
+ "valueAxis": "ValueAxis-1"
+ }
+ ],
+ "setYExtents": false,
+ "thresholdLine": {
+ "color": "#E7664C",
+ "show": false,
+ "style": "full",
+ "value": 10,
+ "width": 1
+ },
+ "times": [],
+ "truncateLegend": true,
+ "type": "histogram",
+ "valueAxes": [
+ {
+ "id": "ValueAxis-1",
+ "labels": {
+ "filter": true,
+ "rotate": 0,
+ "show": true,
+ "truncate": 100
+ },
+ "name": "LeftAxis-1",
+ "position": "left",
+ "scale": {
+ "mode": "normal",
+ "type": "linear"
+ },
+ "show": true,
+ "style": {},
+ "title": {
+ "text": ""
+ },
+ "type": "value"
+ }
+ ]
+ },
+ "type": "histogram",
+ "uiState": {}
+ },
+ "type": "visualization"
+ },
+ "gridData": {
+ "h": 16,
+ "i": "f3e4b05c-4eab-4e12-98ac-5e5a7ae4fac7",
+ "w": 48,
+ "x": 0,
+ "y": 20
+ },
+ "panelIndex": "f3e4b05c-4eab-4e12-98ac-5e5a7ae4fac7",
+ "title": "Sudo commands by user [Logs System]",
+ "type": "visualization",
+ "version": "8.6.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "savedVis": {
+ "data": {
+ "aggs": [
+ {
+ "enabled": true,
+ "id": "1",
+ "params": {},
+ "schema": "metric",
+ "type": "count"
+ },
+ {
+ "enabled": true,
+ "id": "2",
+ "params": {
+ "drop_partials": false,
+ "extended_bounds": {},
+ "field": "@timestamp",
+ "interval": "auto",
+ "min_doc_count": 1,
+ "scaleMetricValues": false,
+ "timeRange": {
+ "from": "now-15m",
+ "to": "now"
+ },
+ "useNormalizedEsInterval": true,
+ "used_interval": "30s"
+ },
+ "schema": "segment",
+ "type": "date_histogram"
+ },
+ {
+ "enabled": true,
+ "id": "3",
+ "params": {
+ "field": "system.auth.sudo.error",
+ "missingBucket": false,
+ "missingBucketLabel": "Missing",
+ "order": "desc",
+ "orderBy": "1",
+ "otherBucket": false,
+ "otherBucketLabel": "Other",
+ "size": 5
+ },
+ "schema": "group",
+ "type": "terms"
+ }
+ ],
+ "searchSource": {
+ "filter": [],
+ "highlightAll": true,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": "system.auth.sudo.error:*"
+ }
+ }
+ },
+ "description": "",
+ "params": {
+ "addLegend": true,
+ "addTimeMarker": false,
+ "addTooltip": true,
+ "categoryAxes": [
+ {
+ "id": "CategoryAxis-1",
+ "labels": {
+ "filter": true,
+ "show": true,
+ "truncate": 100
+ },
+ "position": "bottom",
+ "scale": {
+ "type": "linear"
+ },
+ "show": true,
+ "style": {},
+ "title": {},
+ "type": "category"
+ }
+ ],
+ "defaultYExtents": false,
+ "detailedTooltip": true,
+ "grid": {
+ "categoryLines": false
+ },
+ "labels": {
+ "show": false
+ },
+ "legendPosition": "right",
+ "legendSize": "auto",
+ "maxLegendLines": 1,
+ "mode": "stacked",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "radiusRatio": 0,
+ "scale": "linear",
+ "seriesParams": [
+ {
+ "circlesRadius": 1,
+ "data": {
+ "id": "1",
+ "label": "Count"
+ },
+ "drawLinesBetweenPoints": true,
+ "interpolate": "linear",
+ "lineWidth": 2,
+ "mode": "stacked",
+ "show": true,
+ "showCircles": true,
+ "type": "histogram",
+ "valueAxis": "ValueAxis-1"
+ }
+ ],
+ "setYExtents": false,
+ "thresholdLine": {
+ "color": "#E7664C",
+ "show": false,
+ "style": "full",
+ "value": 10,
+ "width": 1
+ },
+ "times": [],
+ "truncateLegend": true,
+ "type": "histogram",
+ "valueAxes": [
+ {
+ "id": "ValueAxis-1",
+ "labels": {
+ "filter": true,
+ "rotate": 0,
+ "show": true,
+ "truncate": 100
+ },
+ "name": "LeftAxis-1",
+ "position": "left",
+ "scale": {
+ "mode": "normal",
+ "type": "linear"
+ },
+ "show": true,
+ "style": {},
+ "title": {
+ "text": ""
+ },
+ "type": "value"
+ }
+ ]
+ },
+ "type": "histogram",
+ "uiState": {}
+ },
+ "type": "visualization"
+ },
+ "gridData": {
+ "h": 12,
+ "i": "fd4d0b9e-760d-4d7a-90e9-62aca0609b9e",
+ "w": 48,
+ "x": 0,
+ "y": 36
+ },
+ "panelIndex": "fd4d0b9e-760d-4d7a-90e9-62aca0609b9e",
+ "title": "Sudo errors [Logs System]",
+ "type": "visualization",
+ "version": "8.6.0"
+ }
+ ],
+ "timeRestore": false,
+ "title": "[Logs System] Sudo commands",
+ "version": 1
+ },
+ "coreMigrationVersion": "8.6.1",
+ "created_at": "2023-03-23T04:03:56.987Z",
+ "id": "system-277876d0-fa2c-11e6-bbd3-29c986c96e5a",
+ "migrationVersion": {
+ "dashboard": "8.6.0"
+ },
+ "references": [
+ {
+ "id": "system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a",
+ "name": "9176826e-b47b-405c-9fed-7928177e627b:search_0",
+ "type": "search"
+ },
+ {
+ "id": "system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a",
+ "name": "f3e4b05c-4eab-4e12-98ac-5e5a7ae4fac7:search_0",
+ "type": "search"
+ },
+ {
+ "id": "logs-*",
+ "name": "fd4d0b9e-760d-4d7a-90e9-62aca0609b9e:kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "system-fleet-pkg-system-default",
+ "name": "tag-ref-fleet-pkg-system-default",
+ "type": "tag"
+ }
+ ],
+ "type": "dashboard"
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/kibana/dashboard/system-5517a150-f9ce-11e6-8115-a7c18106d86a.json b/test/packages/parallel/system/kibana/dashboard/system-5517a150-f9ce-11e6-8115-a7c18106d86a.json
new file mode 100644
index 000000000..f06eb87c0
--- /dev/null
+++ b/test/packages/parallel/system/kibana/dashboard/system-5517a150-f9ce-11e6-8115-a7c18106d86a.json
@@ -0,0 +1,582 @@
+{
+ "attributes": {
+ "description": "SSH dashboard for the System integration in Logs",
+ "hits": 0,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [],
+ "highlightAll": true,
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "version": true
+ }
+ },
+ "optionsJSON": {
+ "darkTheme": false
+ },
+ "panelsJSON": [
+ {
+ "embeddableConfig": {
+ "columns": [
+ "system.auth.ssh.event",
+ "system.auth.ssh.method",
+ "user.name",
+ "source.ip",
+ "source.geo.country_iso_code"
+ ],
+ "enhancements": {},
+ "sort": [
+ "@timestamp",
+ "desc"
+ ]
+ },
+ "gridData": {
+ "h": 12,
+ "i": "5",
+ "w": 48,
+ "x": 0,
+ "y": 44
+ },
+ "panelIndex": "5",
+ "panelRefName": "panel_5",
+ "type": "search",
+ "version": "8.1.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {}
+ },
+ "description": "",
+ "params": {
+ "fontSize": 12,
+ "markdown": "[Syslog](#/dashboard/system-Logs-syslog-dashboard) | [Sudo commands](#/dashboard/system-277876d0-fa2c-11e6-bbd3-29c986c96e5a) | [SSH logins](#/dashboard/system-5517a150-f9ce-11e6-8115-a7c18106d86a) | [New users and groups](#/dashboard/system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab)"
+ },
+ "title": "Dashboards [Logs System]",
+ "type": "markdown",
+ "uiState": {}
+ },
+ "type": "visualization"
+ },
+ "gridData": {
+ "h": 4,
+ "i": "6",
+ "w": 48,
+ "x": 0,
+ "y": 0
+ },
+ "panelIndex": "6",
+ "type": "visualization",
+ "version": "8.6.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "layerListJSON": "[{\"sourceDescriptor\":{\"type\":\"EMS_TMS\",\"isAutoSelect\":true,\"lightModeDefault\":\"road_map_desaturated\"},\"id\":\"985e7399-20df-464b-b6d5-880922106ffe\",\"label\":null,\"minZoom\":0,\"maxZoom\":24,\"alpha\":1,\"visible\":true,\"style\":{\"type\":\"TILE\"},\"includeInFitToBounds\":true,\"type\":\"EMS_VECTOR_TILE\"},{\"alpha\":0.75,\"id\":\"05b729fa-80a9-4215-aaed-4a8d9476e87d\",\"includeInFitToBounds\":true,\"joins\":[],\"label\":\"SSH failed login attempts source locations [Logs System]\",\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"applyForceRefresh\":true,\"applyGlobalQuery\":true,\"applyGlobalTime\":true,\"geoField\":\"source.geo.location\",\"id\":\"80bac1cc-d19d-415d-93ad-f776fd099f24\",\"metrics\":[{\"type\":\"count\"}],\"requestType\":\"point\",\"resolution\":\"MOST_FINE\",\"type\":\"ES_GEO_GRID\",\"indexPatternRefName\":\"layer_1_source_index_pattern\"},\"style\":{\"isTimeAware\":true,\"properties\":{\"fillColor\":{\"options\":{\"color\":\"Yellow to Red\",\"colorCategory\":\"palette_0\",\"field\":{\"name\":\"doc_count\",\"origin\":\"source\"},\"fieldMetaOptions\":{\"isEnabled\":false,\"sigma\":3},\"type\":\"ORDINAL\"},\"type\":\"DYNAMIC\"},\"icon\":{\"options\":{\"value\":\"marker\"},\"type\":\"STATIC\"},\"iconOrientation\":{\"options\":{\"orientation\":0},\"type\":\"STATIC\"},\"iconSize\":{\"options\":{\"size\":6},\"type\":\"STATIC\"},\"labelBorderColor\":{\"options\":{\"color\":\"#FFFFFF\"},\"type\":\"STATIC\"},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}},\"labelColor\":{\"options\":{\"color\":\"#000000\"},\"type\":\"STATIC\"},\"labelSize\":{\"options\":{\"size\":14},\"type\":\"STATIC\"},\"labelText\":{\"options\":{\"value\":\"\"},\"type\":\"STATIC\"},\"lineColor\":{\"options\":{\"color\":\"#3d3d3d\"},\"type\":\"STATIC\"},\"lineWidth\":{\"options\":{\"size\":1},\"type\":\"STATIC\"},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}}},\"type\":\"VECTOR\"},\"type\":\"GEOJSON_VECTOR\",\"visible\":true}]",
+ "mapStateJSON": "{\"zoom\":1.58,\"center\":{\"lon\":0,\"lat\":19.94277},\"timeFilters\":{\"from\":\"now-15m\",\"to\":\"now\"},\"refreshConfig\":{\"isPaused\":true,\"interval\":0},\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.ssh.event:Failed OR system.auth.ssh.event:Invalid\"},\"filters\":[],\"settings\":{\"autoFitToDataBounds\":false,\"backgroundColor\":\"#ffffff\",\"disableInteractive\":false,\"disableTooltipControl\":false,\"hideToolbarOverlay\":false,\"hideLayerControl\":false,\"hideViewControl\":false,\"initialLocation\":\"LAST_SAVED_LOCATION\",\"fixedLocation\":{\"lat\":0,\"lon\":0,\"zoom\":2},\"browserLocation\":{\"zoom\":2},\"maxZoom\":24,\"minZoom\":0,\"showScaleControl\":false,\"showSpatialFilters\":true,\"showTimesliderToggleButton\":true,\"spatialFiltersAlpa\":0.3,\"spatialFiltersFillColor\":\"#DA8B45\",\"spatialFiltersLineColor\":\"#DA8B45\"}}",
+ "references": [],
+ "title": "SSH failed login attempts source locations [Logs System]",
+ "uiStateJSON": "{\"isLayerTOCOpen\":true,\"openTOCDetails\":[]}"
+ },
+ "enhancements": {},
+ "hiddenLayers": [],
+ "isLayerTOCOpen": true,
+ "mapBuffer": {
+ "maxLat": 66.51326,
+ "maxLon": 180,
+ "minLat": -66.51326,
+ "minLon": -180
+ },
+ "mapCenter": {
+ "lat": 19.94277,
+ "lon": 0,
+ "zoom": 1.58
+ },
+ "openTOCDetails": [],
+ "type": "map"
+ },
+ "gridData": {
+ "h": 16,
+ "i": "9cef48b8-7995-45f6-9420-1d0b3dbbefe5",
+ "w": 24,
+ "x": 24,
+ "y": 28
+ },
+ "panelIndex": "9cef48b8-7995-45f6-9420-1d0b3dbbefe5",
+ "type": "map",
+ "version": "8.6.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "savedVis": {
+ "data": {
+ "aggs": [
+ {
+ "enabled": true,
+ "id": "1",
+ "params": {},
+ "schema": "metric",
+ "type": "count"
+ },
+ {
+ "enabled": true,
+ "id": "2",
+ "params": {
+ "drop_partials": false,
+ "extended_bounds": {},
+ "field": "@timestamp",
+ "interval": "auto",
+ "min_doc_count": 1,
+ "scaleMetricValues": false,
+ "timeRange": {
+ "from": "now-15m",
+ "to": "now"
+ },
+ "useNormalizedEsInterval": true,
+ "used_interval": "30s"
+ },
+ "schema": "segment",
+ "type": "date_histogram"
+ },
+ {
+ "enabled": true,
+ "id": "3",
+ "params": {
+ "field": "system.auth.ssh.event",
+ "missingBucket": false,
+ "missingBucketLabel": "Missing",
+ "order": "desc",
+ "orderBy": "1",
+ "otherBucket": false,
+ "otherBucketLabel": "Other",
+ "size": 5
+ },
+ "schema": "group",
+ "type": "terms"
+ }
+ ],
+ "searchSource": {
+ "filter": [],
+ "highlightAll": true,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index"
+ }
+ },
+ "description": "",
+ "params": {
+ "addLegend": true,
+ "addTimeMarker": false,
+ "addTooltip": true,
+ "categoryAxes": [
+ {
+ "id": "CategoryAxis-1",
+ "labels": {
+ "filter": true,
+ "show": true,
+ "truncate": 100
+ },
+ "position": "bottom",
+ "scale": {
+ "type": "linear"
+ },
+ "show": true,
+ "style": {},
+ "title": {},
+ "type": "category"
+ }
+ ],
+ "defaultYExtents": false,
+ "detailedTooltip": true,
+ "grid": {
+ "categoryLines": false
+ },
+ "labels": {
+ "show": false
+ },
+ "legendPosition": "right",
+ "legendSize": "auto",
+ "maxLegendLines": 1,
+ "mode": "stacked",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "radiusRatio": 0,
+ "scale": "linear",
+ "seriesParams": [
+ {
+ "circlesRadius": 1,
+ "data": {
+ "id": "1",
+ "label": "Count"
+ },
+ "drawLinesBetweenPoints": true,
+ "interpolate": "linear",
+ "lineWidth": 2,
+ "mode": "stacked",
+ "show": true,
+ "showCircles": true,
+ "type": "histogram",
+ "valueAxis": "ValueAxis-1"
+ }
+ ],
+ "setYExtents": false,
+ "thresholdLine": {
+ "color": "#E7664C",
+ "show": false,
+ "style": "full",
+ "value": 10,
+ "width": 1
+ },
+ "times": [],
+ "truncateLegend": true,
+ "type": "histogram",
+ "valueAxes": [
+ {
+ "id": "ValueAxis-1",
+ "labels": {
+ "filter": true,
+ "rotate": 0,
+ "show": true,
+ "truncate": 100
+ },
+ "name": "LeftAxis-1",
+ "position": "left",
+ "scale": {
+ "mode": "normal",
+ "type": "linear"
+ },
+ "show": true,
+ "style": {},
+ "title": {
+ "text": ""
+ },
+ "type": "value"
+ }
+ ]
+ },
+ "type": "histogram",
+ "uiState": {
+ "vis": {
+ "colors": {
+ "Accepted": "#3F6833",
+ "Failed": "#F9934E",
+ "Invalid": "#447EBC"
+ }
+ }
+ }
+ },
+ "type": "visualization"
+ },
+ "gridData": {
+ "h": 12,
+ "i": "ea2ece08-f34b-47e9-99af-4242fd5450d3",
+ "w": 48,
+ "x": 0,
+ "y": 4
+ },
+ "panelIndex": "ea2ece08-f34b-47e9-99af-4242fd5450d3",
+ "title": "SSH login attempts [Logs System]",
+ "type": "visualization",
+ "version": "8.6.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "savedVis": {
+ "data": {
+ "aggs": [
+ {
+ "enabled": true,
+ "id": "1",
+ "params": {},
+ "schema": "metric",
+ "type": "count"
+ },
+ {
+ "enabled": true,
+ "id": "2",
+ "params": {
+ "drop_partials": false,
+ "extended_bounds": {},
+ "field": "@timestamp",
+ "interval": "auto",
+ "min_doc_count": 1,
+ "scaleMetricValues": false,
+ "timeRange": {
+ "from": "now-15m",
+ "to": "now"
+ },
+ "useNormalizedEsInterval": true,
+ "used_interval": "30s"
+ },
+ "schema": "segment",
+ "type": "date_histogram"
+ },
+ {
+ "enabled": true,
+ "id": "3",
+ "params": {
+ "field": "system.auth.ssh.method",
+ "missingBucket": false,
+ "missingBucketLabel": "Missing",
+ "order": "desc",
+ "orderBy": "1",
+ "otherBucket": false,
+ "otherBucketLabel": "Other",
+ "size": 5
+ },
+ "schema": "group",
+ "type": "terms"
+ }
+ ],
+ "searchSource": {
+ "filter": [],
+ "highlightAll": true,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": "system.auth.ssh.event:Accepted"
+ }
+ }
+ },
+ "description": "",
+ "params": {
+ "addLegend": true,
+ "addTimeMarker": false,
+ "addTooltip": true,
+ "categoryAxes": [
+ {
+ "id": "CategoryAxis-1",
+ "labels": {
+ "filter": true,
+ "show": true,
+ "truncate": 100
+ },
+ "position": "bottom",
+ "scale": {
+ "type": "linear"
+ },
+ "show": true,
+ "style": {},
+ "title": {},
+ "type": "category"
+ }
+ ],
+ "defaultYExtents": false,
+ "detailedTooltip": true,
+ "grid": {
+ "categoryLines": false
+ },
+ "labels": {
+ "show": false
+ },
+ "legendPosition": "right",
+ "legendSize": "auto",
+ "maxLegendLines": 1,
+ "mode": "stacked",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "radiusRatio": 0,
+ "scale": "linear",
+ "seriesParams": [
+ {
+ "circlesRadius": 1,
+ "data": {
+ "id": "1",
+ "label": "Count"
+ },
+ "drawLinesBetweenPoints": true,
+ "interpolate": "linear",
+ "lineWidth": 2,
+ "mode": "stacked",
+ "show": true,
+ "showCircles": true,
+ "type": "histogram",
+ "valueAxis": "ValueAxis-1"
+ }
+ ],
+ "setYExtents": false,
+ "thresholdLine": {
+ "color": "#E7664C",
+ "show": false,
+ "style": "full",
+ "value": 10,
+ "width": 1
+ },
+ "times": [],
+ "truncateLegend": true,
+ "type": "histogram",
+ "valueAxes": [
+ {
+ "id": "ValueAxis-1",
+ "labels": {
+ "filter": true,
+ "rotate": 0,
+ "show": true,
+ "truncate": 100
+ },
+ "name": "LeftAxis-1",
+ "position": "left",
+ "scale": {
+ "mode": "normal",
+ "type": "linear"
+ },
+ "show": true,
+ "style": {},
+ "title": {
+ "text": ""
+ },
+ "type": "value"
+ }
+ ]
+ },
+ "type": "histogram",
+ "uiState": {
+ "vis": {
+ "colors": {
+ "Accepted": "#3F6833",
+ "Failed": "#F9934E",
+ "Invalid": "#447EBC",
+ "password": "#BF1B00",
+ "publickey": "#629E51"
+ }
+ }
+ }
+ },
+ "type": "visualization"
+ },
+ "gridData": {
+ "h": 12,
+ "i": "782d75bd-ba9d-47c1-a022-073565c79953",
+ "w": 48,
+ "x": 0,
+ "y": 16
+ },
+ "panelIndex": "782d75bd-ba9d-47c1-a022-073565c79953",
+ "title": "Successful SSH logins [Logs System]",
+ "type": "visualization",
+ "version": "8.6.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "savedVis": {
+ "data": {
+ "aggs": [
+ {
+ "enabled": true,
+ "id": "1",
+ "params": {},
+ "schema": "metric",
+ "type": "count"
+ },
+ {
+ "enabled": true,
+ "id": "2",
+ "params": {
+ "field": "user.name",
+ "missingBucket": false,
+ "missingBucketLabel": "Missing",
+ "order": "desc",
+ "orderBy": "1",
+ "otherBucket": false,
+ "otherBucketLabel": "Other",
+ "size": 50
+ },
+ "schema": "segment",
+ "type": "terms"
+ }
+ ],
+ "searchSource": {
+ "filter": [],
+ "highlightAll": true,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": "system.auth.ssh.event:Failed OR system.auth.ssh.event:Invalid"
+ }
+ }
+ },
+ "description": "",
+ "params": {
+ "maxFontSize": 72,
+ "minFontSize": 18,
+ "orientation": "single",
+ "palette": {
+ "name": "kibana_palette",
+ "type": "palette"
+ },
+ "scale": "linear",
+ "showLabel": true
+ },
+ "type": "tagcloud",
+ "uiState": {}
+ },
+ "type": "visualization"
+ },
+ "gridData": {
+ "h": 16,
+ "i": "305f2fa8-f09c-4018-bdbd-a4d901689514",
+ "w": 24,
+ "x": 0,
+ "y": 28
+ },
+ "panelIndex": "305f2fa8-f09c-4018-bdbd-a4d901689514",
+ "title": "SSH users of failed login attempts [Logs System]",
+ "type": "visualization",
+ "version": "8.6.0"
+ }
+ ],
+ "timeRestore": false,
+ "title": "[Logs System] SSH login attempts",
+ "version": 1
+ },
+ "coreMigrationVersion": "8.6.1",
+ "created_at": "2023-03-23T04:03:56.987Z",
+ "id": "system-5517a150-f9ce-11e6-8115-a7c18106d86a",
+ "migrationVersion": {
+ "dashboard": "8.6.0"
+ },
+ "references": [
+ {
+ "id": "system-62439dc0-f9c9-11e6-a747-6121780e0414",
+ "name": "5:panel_5",
+ "type": "search"
+ },
+ {
+ "id": "logs-*",
+ "name": "9cef48b8-7995-45f6-9420-1d0b3dbbefe5:layer_1_source_index_pattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "ea2ece08-f34b-47e9-99af-4242fd5450d3:kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "782d75bd-ba9d-47c1-a022-073565c79953:kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "305f2fa8-f09c-4018-bdbd-a4d901689514:kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "system-fleet-pkg-system-default",
+ "name": "tag-ref-fleet-pkg-system-default",
+ "type": "tag"
+ }
+ ],
+ "type": "dashboard"
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/kibana/dashboard/system-71f720f0-ff18-11e9-8405-516218e3d268.json b/test/packages/parallel/system/kibana/dashboard/system-71f720f0-ff18-11e9-8405-516218e3d268.json
new file mode 100644
index 000000000..c024ef02f
--- /dev/null
+++ b/test/packages/parallel/system/kibana/dashboard/system-71f720f0-ff18-11e9-8405-516218e3d268.json
@@ -0,0 +1,4493 @@
+{
+ "attributes": {
+ "description": "User management activity.",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": [
+ "system.security",
+ "windows.forwarded",
+ "windows.security"
+ ],
+ "type": "phrases"
+ },
+ "query": {
+ "bool": {
+ "minimum_should_match": 1,
+ "should": [
+ {
+ "match_phrase": {
+ "data_stream.dataset": "system.security"
+ }
+ },
+ {
+ "match_phrase": {
+ "data_stream.dataset": "windows.forwarded"
+ }
+ },
+ {
+ "match_phrase": {
+ "data_stream.dataset": "windows.security"
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
+ "key": "winlog.provider_name",
+ "negate": false,
+ "params": {
+ "query": "Microsoft-Windows-Security-Auditing"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "winlog.provider_name": "Microsoft-Windows-Security-Auditing"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "optionsJSON": {
+ "hidePanelTitles": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false,
+ "useMargins": false
+ },
+ "panelsJSON": [
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {
+ "filter": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "description": "",
+ "params": {
+ "fontSize": 10,
+ "markdown": "# **User Management Events**\n\n#### This dashboard shows information about User Management Events collected by winlogbeat\n",
+ "openLinksInNewTab": false
+ },
+ "title": "User Management Events - Description [Windows System Security]",
+ "type": "markdown",
+ "uiState": {}
+ }
+ },
+ "gridData": {
+ "h": 8,
+ "i": "1",
+ "w": 17,
+ "x": 0,
+ "y": 0
+ },
+ "panelIndex": "1",
+ "title": "",
+ "type": "visualization",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-2d2094c7-e57e-4a12-88ad-50291d81a64b",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "ee7f0132-6cba-4ea8-80ea-50bddb3c588e",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "2d2094c7-e57e-4a12-88ad-50291d81a64b": {
+ "columnOrder": [
+ "bc1e93e0-12cf-4730-8736-4a2bb261ee4d",
+ "7dc6af71-b4db-4262-b6a2-05d40c06c17d",
+ "636e03a9-9b87-4c7a-a04b-402ad5c78483",
+ "b621a299-9e1c-46fc-8876-98a3b2933237"
+ ],
+ "columns": {
+ "636e03a9-9b87-4c7a-a04b-402ad5c78483": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Performer LogonID",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "b621a299-9e1c-46fc-8876-98a3b2933237",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.logon.id"
+ },
+ "7dc6af71-b4db-4262-b6a2-05d40c06c17d": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Performed by",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": true,
+ "orderBy": {
+ "columnId": "b621a299-9e1c-46fc-8876-98a3b2933237",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.event_data.SubjectUserName"
+ },
+ "b621a299-9e1c-46fc-8876-98a3b2933237": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "bc1e93e0-12cf-4730-8736-4a2bb261ee4d": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Created User",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "b621a299-9e1c-46fc-8876-98a3b2933237",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 100
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.event_data.TargetUserName"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "ee7f0132-6cba-4ea8-80ea-50bddb3c588e",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4720"
+ },
+ "type": "phrase",
+ "value": "4720"
+ },
+ "query": {
+ "match": {
+ "event.code": {
+ "query": "4720",
+ "type": "phrase"
+ }
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "alignment": "left",
+ "columnId": "b621a299-9e1c-46fc-8876-98a3b2933237"
+ },
+ {
+ "alignment": "left",
+ "columnId": "bc1e93e0-12cf-4730-8736-4a2bb261ee4d"
+ },
+ {
+ "alignment": "left",
+ "columnId": "7dc6af71-b4db-4262-b6a2-05d40c06c17d"
+ },
+ {
+ "alignment": "left",
+ "columnId": "636e03a9-9b87-4c7a-a04b-402ad5c78483"
+ }
+ ],
+ "headerRowHeight": "single",
+ "layerId": "2d2094c7-e57e-4a12-88ad-50291d81a64b",
+ "layerType": "data",
+ "paging": {
+ "enabled": true,
+ "size": 10
+ },
+ "rowHeight": "single"
+ }
+ },
+ "title": "Users Created - Table [Windows System Security]",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 16,
+ "i": "3",
+ "w": 9,
+ "x": 0,
+ "y": 56
+ },
+ "panelIndex": "3",
+ "title": "Users Created - Table [Windows System Security]",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-95473519-9e23-4ab1-acb8-3212f69ea3b5",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "f8e3cf39-b76f-4658-af4f-c9c915ba6ba6",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "95473519-9e23-4ab1-acb8-3212f69ea3b5": {
+ "columnOrder": [
+ "2e2024e2-e599-4fb0-a7ab-1a24dd30b919",
+ "f6598c5a-cb6f-4bbf-9534-525c3573fa75",
+ "7b527c70-07d2-46ec-816d-775b472c2af9",
+ "900f2a97-5fda-45dd-826e-3b992e50cec7"
+ ],
+ "columns": {
+ "2e2024e2-e599-4fb0-a7ab-1a24dd30b919": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Enabled User",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "900f2a97-5fda-45dd-826e-3b992e50cec7",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 100
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.event_data.TargetUserName"
+ },
+ "7b527c70-07d2-46ec-816d-775b472c2af9": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Performer LogonId",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "900f2a97-5fda-45dd-826e-3b992e50cec7",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.logon.id"
+ },
+ "900f2a97-5fda-45dd-826e-3b992e50cec7": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "f6598c5a-cb6f-4bbf-9534-525c3573fa75": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Performed by",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": true,
+ "orderBy": {
+ "columnId": "900f2a97-5fda-45dd-826e-3b992e50cec7",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.event_data.SubjectUserName"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "f8e3cf39-b76f-4658-af4f-c9c915ba6ba6",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4722"
+ },
+ "type": "phrase",
+ "value": "4722"
+ },
+ "query": {
+ "match": {
+ "event.code": {
+ "query": "4722",
+ "type": "phrase"
+ }
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security "
+ },
+ "visualization": {
+ "columns": [
+ {
+ "alignment": "left",
+ "columnId": "900f2a97-5fda-45dd-826e-3b992e50cec7"
+ },
+ {
+ "alignment": "left",
+ "columnId": "2e2024e2-e599-4fb0-a7ab-1a24dd30b919"
+ },
+ {
+ "alignment": "left",
+ "columnId": "f6598c5a-cb6f-4bbf-9534-525c3573fa75"
+ },
+ {
+ "alignment": "left",
+ "columnId": "7b527c70-07d2-46ec-816d-775b472c2af9"
+ }
+ ],
+ "headerRowHeight": "single",
+ "layerId": "95473519-9e23-4ab1-acb8-3212f69ea3b5",
+ "layerType": "data",
+ "paging": {
+ "enabled": true,
+ "size": 10
+ },
+ "rowHeight": "single"
+ }
+ },
+ "title": "Users Enabled - Table [Windows System Security]",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 16,
+ "i": "5",
+ "w": 9,
+ "x": 9,
+ "y": 56
+ },
+ "panelIndex": "5",
+ "title": "Users Enabled - Table [Windows System Security]",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-dc37e882-6f66-420e-a41d-17176340e1fc",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "87383246-3af7-4da7-bf25-da8b92485bf4",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "dc37e882-6f66-420e-a41d-17176340e1fc": {
+ "columnOrder": [
+ "0ead95a2-6c9c-49f4-bff5-4f376b8754f8",
+ "c5b66e5a-f608-46d0-91e1-e8740430d275",
+ "02bbb586-1441-43d5-8cc1-777ff1e18b41",
+ "36336253-a60b-4de5-ba0a-366d7867ef1d"
+ ],
+ "columns": {
+ "02bbb586-1441-43d5-8cc1-777ff1e18b41": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Performer LogonId",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "36336253-a60b-4de5-ba0a-366d7867ef1d",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.logon.id"
+ },
+ "0ead95a2-6c9c-49f4-bff5-4f376b8754f8": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Disabled User",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "36336253-a60b-4de5-ba0a-366d7867ef1d",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 100
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.event_data.TargetUserName"
+ },
+ "36336253-a60b-4de5-ba0a-366d7867ef1d": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "c5b66e5a-f608-46d0-91e1-e8740430d275": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Performed by",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": true,
+ "orderBy": {
+ "columnId": "36336253-a60b-4de5-ba0a-366d7867ef1d",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.event_data.SubjectUserName"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "87383246-3af7-4da7-bf25-da8b92485bf4",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4725"
+ },
+ "type": "phrase",
+ "value": "4725"
+ },
+ "query": {
+ "match": {
+ "event.code": {
+ "query": "4725",
+ "type": "phrase"
+ }
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "alignment": "left",
+ "columnId": "36336253-a60b-4de5-ba0a-366d7867ef1d"
+ },
+ {
+ "alignment": "left",
+ "columnId": "0ead95a2-6c9c-49f4-bff5-4f376b8754f8"
+ },
+ {
+ "alignment": "left",
+ "columnId": "c5b66e5a-f608-46d0-91e1-e8740430d275"
+ },
+ {
+ "alignment": "left",
+ "columnId": "02bbb586-1441-43d5-8cc1-777ff1e18b41"
+ }
+ ],
+ "headerRowHeight": "single",
+ "layerId": "dc37e882-6f66-420e-a41d-17176340e1fc",
+ "layerType": "data",
+ "paging": {
+ "enabled": true,
+ "size": 10
+ },
+ "rowHeight": "single"
+ }
+ },
+ "title": "Users Disabled - Table [Windows System Security]",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 16,
+ "i": "6",
+ "w": 9,
+ "x": 0,
+ "y": 79
+ },
+ "panelIndex": "6",
+ "title": "Users Disabled - Table [Windows System Security]",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-5ef7cf84-7e34-4c90-afe6-2a3bc54f9e62",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "2974422c-1f81-4077-9f55-a01a8b045f56",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "5ef7cf84-7e34-4c90-afe6-2a3bc54f9e62": {
+ "columnOrder": [
+ "881c3fbc-6d02-4e9b-a683-dcfaa9148d25",
+ "2dfe6335-d29c-478f-986b-eb228db115ea",
+ "f9fb320f-2485-437e-9c05-3a0f4ecf7d83",
+ "7fe58e26-2c9d-4c54-ad14-a7b8ef9e4b8a"
+ ],
+ "columns": {
+ "2dfe6335-d29c-478f-986b-eb228db115ea": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Performed by",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": true,
+ "orderBy": {
+ "columnId": "7fe58e26-2c9d-4c54-ad14-a7b8ef9e4b8a",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.event_data.SubjectUserName"
+ },
+ "7fe58e26-2c9d-4c54-ad14-a7b8ef9e4b8a": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "881c3fbc-6d02-4e9b-a683-dcfaa9148d25": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Deleted User",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "7fe58e26-2c9d-4c54-ad14-a7b8ef9e4b8a",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 100
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.event_data.TargetUserName"
+ },
+ "f9fb320f-2485-437e-9c05-3a0f4ecf7d83": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Performed LogonId",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "7fe58e26-2c9d-4c54-ad14-a7b8ef9e4b8a",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.logon.id"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "2974422c-1f81-4077-9f55-a01a8b045f56",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4726"
+ },
+ "type": "phrase",
+ "value": "4726"
+ },
+ "query": {
+ "match": {
+ "event.code": {
+ "query": "4726",
+ "type": "phrase"
+ }
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "alignment": "left",
+ "columnId": "7fe58e26-2c9d-4c54-ad14-a7b8ef9e4b8a"
+ },
+ {
+ "alignment": "left",
+ "columnId": "881c3fbc-6d02-4e9b-a683-dcfaa9148d25"
+ },
+ {
+ "alignment": "left",
+ "columnId": "2dfe6335-d29c-478f-986b-eb228db115ea"
+ },
+ {
+ "alignment": "left",
+ "columnId": "f9fb320f-2485-437e-9c05-3a0f4ecf7d83"
+ }
+ ],
+ "headerRowHeight": "single",
+ "layerId": "5ef7cf84-7e34-4c90-afe6-2a3bc54f9e62",
+ "layerType": "data",
+ "paging": {
+ "enabled": true,
+ "size": 10
+ },
+ "rowHeight": "single"
+ }
+ },
+ "title": "Users Deleted - Table [Windows System Security]",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 16,
+ "i": "7",
+ "w": 9,
+ "x": 18,
+ "y": 56
+ },
+ "panelIndex": "7",
+ "title": "Users Deleted - Table [Windows System Security]",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-f8300e3b-29eb-46f6-a509-9bd4b4b2f8ec",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "8726b1f3-6de9-4d3f-8ac6-c47b378bdcb2",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "f8300e3b-29eb-46f6-a509-9bd4b4b2f8ec": {
+ "columnOrder": [
+ "f37acc2c-0fae-4670-a434-0c939124f9d3",
+ "16cddd4c-69d4-479a-9f57-81916e475839",
+ "fdfaf51d-5ab4-4259-bed8-3453117d62d2",
+ "c5a8f9ae-5f3a-446e-bfa8-9ed3a003e806"
+ ],
+ "columns": {
+ "16cddd4c-69d4-479a-9f57-81916e475839": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Performed by",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": true,
+ "orderBy": {
+ "columnId": "c5a8f9ae-5f3a-446e-bfa8-9ed3a003e806",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.event_data.SubjectUserName"
+ },
+ "c5a8f9ae-5f3a-446e-bfa8-9ed3a003e806": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "f37acc2c-0fae-4670-a434-0c939124f9d3": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Password Change to",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "c5a8f9ae-5f3a-446e-bfa8-9ed3a003e806",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 100
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.event_data.TargetUserName"
+ },
+ "fdfaf51d-5ab4-4259-bed8-3453117d62d2": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Performer LogonId",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "c5a8f9ae-5f3a-446e-bfa8-9ed3a003e806",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.logon.id"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "8726b1f3-6de9-4d3f-8ac6-c47b378bdcb2",
+ "key": "event.code",
+ "negate": false,
+ "params": [
+ "4723",
+ "4724"
+ ],
+ "type": "phrases",
+ "value": "4723, 4724"
+ },
+ "query": {
+ "bool": {
+ "minimum_should_match": 1,
+ "should": [
+ {
+ "match_phrase": {
+ "event.code": "4723"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4724"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "alignment": "left",
+ "columnId": "c5a8f9ae-5f3a-446e-bfa8-9ed3a003e806"
+ },
+ {
+ "alignment": "left",
+ "columnId": "f37acc2c-0fae-4670-a434-0c939124f9d3"
+ },
+ {
+ "alignment": "left",
+ "columnId": "16cddd4c-69d4-479a-9f57-81916e475839"
+ },
+ {
+ "alignment": "left",
+ "columnId": "fdfaf51d-5ab4-4259-bed8-3453117d62d2"
+ }
+ ],
+ "headerRowHeight": "single",
+ "layerId": "f8300e3b-29eb-46f6-a509-9bd4b4b2f8ec",
+ "layerType": "data",
+ "paging": {
+ "enabled": true,
+ "size": 10
+ },
+ "rowHeight": "single"
+ }
+ },
+ "title": "Users Password Changes - Table [Windows System Security]",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 16,
+ "i": "9",
+ "w": 9,
+ "x": 18,
+ "y": 79
+ },
+ "panelIndex": "9",
+ "title": "Users Password Changes - Table [Windows System Security]",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-8ee3da48-29cf-4b5a-b9be-ede6e7f10f54",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "6d7d0e01-edd7-4907-a80b-65abcdd357ca",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "8ee3da48-29cf-4b5a-b9be-ede6e7f10f54": {
+ "columnOrder": [
+ "26403b58-b2fb-4a4a-b3dc-8f139025201f",
+ "ee0bc81c-2c6e-4b5a-852f-9fe72e955c8e",
+ "66edd873-c5e9-4ef2-86d2-eccb01b242fe",
+ "1a82fe58-0eee-4ebc-844d-8e2360ec9564"
+ ],
+ "columns": {
+ "1a82fe58-0eee-4ebc-844d-8e2360ec9564": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "26403b58-b2fb-4a4a-b3dc-8f139025201f": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Unlocked User",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "1a82fe58-0eee-4ebc-844d-8e2360ec9564",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 100
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.event_data.TargetUserName"
+ },
+ "66edd873-c5e9-4ef2-86d2-eccb01b242fe": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Performer Logonid",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "1a82fe58-0eee-4ebc-844d-8e2360ec9564",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.logon.id"
+ },
+ "ee0bc81c-2c6e-4b5a-852f-9fe72e955c8e": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Performed by",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": true,
+ "orderBy": {
+ "columnId": "1a82fe58-0eee-4ebc-844d-8e2360ec9564",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.event_data.SubjectUserName"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "6d7d0e01-edd7-4907-a80b-65abcdd357ca",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4767"
+ },
+ "type": "phrase",
+ "value": "4767"
+ },
+ "query": {
+ "match": {
+ "event.code": {
+ "query": "4767",
+ "type": "phrase"
+ }
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "alignment": "left",
+ "columnId": "1a82fe58-0eee-4ebc-844d-8e2360ec9564"
+ },
+ {
+ "alignment": "left",
+ "columnId": "26403b58-b2fb-4a4a-b3dc-8f139025201f"
+ },
+ {
+ "alignment": "left",
+ "columnId": "ee0bc81c-2c6e-4b5a-852f-9fe72e955c8e"
+ },
+ {
+ "alignment": "left",
+ "columnId": "66edd873-c5e9-4ef2-86d2-eccb01b242fe"
+ }
+ ],
+ "headerRowHeight": "single",
+ "layerId": "8ee3da48-29cf-4b5a-b9be-ede6e7f10f54",
+ "layerType": "data",
+ "paging": {
+ "enabled": true,
+ "size": 10
+ },
+ "rowHeight": "single"
+ }
+ },
+ "title": "Unlocked Users - Table [Windows System Security]",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 16,
+ "i": "15",
+ "w": 9,
+ "x": 9,
+ "y": 79
+ },
+ "panelIndex": "15",
+ "title": "Unlocked Users - Table [Windows System Security]",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-5ffb434e-0578-45fe-bbc8-01893ae2f867",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "d72b2685-a2ee-4c6d-bf7f-70cdfad9817e",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "5ffb434e-0578-45fe-bbc8-01893ae2f867": {
+ "columnOrder": [
+ "b940e43a-bfed-494b-aae4-9740335da997",
+ "0ba64458-1a5b-4ecb-a4b6-254ea4b1549d",
+ "0b36b00a-d3af-48ae-a9d8-3099d1de0808",
+ "084148b6-cc9b-4a3c-9609-d4c109703dab"
+ ],
+ "columns": {
+ "084148b6-cc9b-4a3c-9609-d4c109703dab": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "0b36b00a-d3af-48ae-a9d8-3099d1de0808": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Performer LogonId",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "084148b6-cc9b-4a3c-9609-d4c109703dab",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.logon.id"
+ },
+ "0ba64458-1a5b-4ecb-a4b6-254ea4b1549d": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Performed by",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": true,
+ "orderBy": {
+ "columnId": "084148b6-cc9b-4a3c-9609-d4c109703dab",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.event_data.SubjectUserName"
+ },
+ "b940e43a-bfed-494b-aae4-9740335da997": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Changed User",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "084148b6-cc9b-4a3c-9609-d4c109703dab",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 100
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.event_data.TargetUserName"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "d72b2685-a2ee-4c6d-bf7f-70cdfad9817e",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4738"
+ },
+ "type": "phrase",
+ "value": "4738"
+ },
+ "query": {
+ "match": {
+ "event.code": {
+ "query": "4738",
+ "type": "phrase"
+ }
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "alignment": "left",
+ "columnId": "084148b6-cc9b-4a3c-9609-d4c109703dab"
+ },
+ {
+ "alignment": "left",
+ "columnId": "b940e43a-bfed-494b-aae4-9740335da997"
+ },
+ {
+ "alignment": "left",
+ "columnId": "0ba64458-1a5b-4ecb-a4b6-254ea4b1549d"
+ },
+ {
+ "alignment": "left",
+ "columnId": "0b36b00a-d3af-48ae-a9d8-3099d1de0808"
+ }
+ ],
+ "headerRowHeight": "single",
+ "layerId": "5ffb434e-0578-45fe-bbc8-01893ae2f867",
+ "layerType": "data",
+ "paging": {
+ "enabled": true,
+ "size": 10
+ },
+ "rowHeight": "single"
+ }
+ },
+ "title": "Users Changes Table [Windows System Security]",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 16,
+ "i": "16",
+ "w": 9,
+ "x": 18,
+ "y": 102
+ },
+ "panelIndex": "16",
+ "title": "Users Changes Table [Windows System Security]",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-7868e85e-6ff2-4087-8bd9-7d22da031e24",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "84460bff-f94b-4d8b-a166-5ab188df891c",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "7868e85e-6ff2-4087-8bd9-7d22da031e24": {
+ "columnOrder": [
+ "f86a3e5c-b673-412a-8120-5c018f5d9d53",
+ "5a4bcb3b-926f-4881-8390-ce37adfbe392",
+ "a5cf5fe1-7ab1-4be7-83d3-0639e59f6594",
+ "c2fd7b5a-2f4c-4d52-93af-1c56873b255b"
+ ],
+ "columns": {
+ "5a4bcb3b-926f-4881-8390-ce37adfbe392": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Performed by",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": true,
+ "orderBy": {
+ "columnId": "c2fd7b5a-2f4c-4d52-93af-1c56873b255b",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.event_data.SubjectUserName"
+ },
+ "a5cf5fe1-7ab1-4be7-83d3-0639e59f6594": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Performer LogonId",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "c2fd7b5a-2f4c-4d52-93af-1c56873b255b",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.logon.id"
+ },
+ "c2fd7b5a-2f4c-4d52-93af-1c56873b255b": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "f86a3e5c-b673-412a-8120-5c018f5d9d53": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Locked User",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "c2fd7b5a-2f4c-4d52-93af-1c56873b255b",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 100
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.event_data.TargetUserName"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "84460bff-f94b-4d8b-a166-5ab188df891c",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4740"
+ },
+ "type": "phrase",
+ "value": "4740"
+ },
+ "query": {
+ "match": {
+ "event.code": {
+ "query": "4740",
+ "type": "phrase"
+ }
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "alignment": "left",
+ "columnId": "c2fd7b5a-2f4c-4d52-93af-1c56873b255b"
+ },
+ {
+ "alignment": "left",
+ "columnId": "f86a3e5c-b673-412a-8120-5c018f5d9d53"
+ },
+ {
+ "alignment": "left",
+ "columnId": "5a4bcb3b-926f-4881-8390-ce37adfbe392"
+ },
+ {
+ "alignment": "left",
+ "columnId": "a5cf5fe1-7ab1-4be7-83d3-0639e59f6594"
+ }
+ ],
+ "headerRowHeight": "single",
+ "layerId": "7868e85e-6ff2-4087-8bd9-7d22da031e24",
+ "layerType": "data",
+ "paging": {
+ "enabled": true,
+ "size": 10
+ },
+ "rowHeight": "single"
+ }
+ },
+ "title": "Users Locked Out - Table [Windows System Security]",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 16,
+ "i": "20",
+ "w": 9,
+ "x": 0,
+ "y": 102
+ },
+ "panelIndex": "20",
+ "title": "Users Locked Out - Table [Windows System Security]",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {}
+ },
+ "gridData": {
+ "h": 46,
+ "i": "22",
+ "w": 21,
+ "x": 27,
+ "y": 72
+ },
+ "panelIndex": "22",
+ "panelRefName": "panel_22",
+ "type": "search",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {}
+ },
+ "gridData": {
+ "h": 19,
+ "i": "23",
+ "w": 48,
+ "x": 0,
+ "y": 118
+ },
+ "panelIndex": "23",
+ "panelRefName": "panel_23",
+ "type": "search",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-c613d393-dc99-42e4-a4f0-afb124b56634",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "642679d4-cdd9-44fe-9723-862f94ee2256",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "c613d393-dc99-42e4-a4f0-afb124b56634": {
+ "columnOrder": [
+ "1d812881-c1ba-4b91-825c-8dc3d2fe9ad2",
+ "b6315fb5-2e5c-42f1-bfe6-92404796792e",
+ "82c2bda9-7f77-4546-a167-2c008532e954",
+ "0485c61c-fd61-463a-9b15-bacb6243a85a"
+ ],
+ "columns": {
+ "0485c61c-fd61-463a-9b15-bacb6243a85a": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "1d812881-c1ba-4b91-825c-8dc3d2fe9ad2": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Old User Name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "0485c61c-fd61-463a-9b15-bacb6243a85a",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 100
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.event_data.OldTargetUserName"
+ },
+ "82c2bda9-7f77-4546-a167-2c008532e954": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Performer LogonId",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "0485c61c-fd61-463a-9b15-bacb6243a85a",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.logon.id"
+ },
+ "b6315fb5-2e5c-42f1-bfe6-92404796792e": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Performed by",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": true,
+ "orderBy": {
+ "columnId": "0485c61c-fd61-463a-9b15-bacb6243a85a",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.event_data.SubjectUserName"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "642679d4-cdd9-44fe-9723-862f94ee2256",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4781"
+ },
+ "type": "phrase",
+ "value": "4781"
+ },
+ "query": {
+ "match": {
+ "event.code": {
+ "query": "4781",
+ "type": "phrase"
+ }
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "alignment": "left",
+ "columnId": "0485c61c-fd61-463a-9b15-bacb6243a85a"
+ },
+ {
+ "alignment": "left",
+ "columnId": "1d812881-c1ba-4b91-825c-8dc3d2fe9ad2"
+ },
+ {
+ "alignment": "left",
+ "columnId": "b6315fb5-2e5c-42f1-bfe6-92404796792e"
+ },
+ {
+ "alignment": "left",
+ "columnId": "82c2bda9-7f77-4546-a167-2c008532e954"
+ }
+ ],
+ "headerRowHeight": "single",
+ "layerId": "c613d393-dc99-42e4-a4f0-afb124b56634",
+ "layerType": "data",
+ "paging": {
+ "enabled": true,
+ "size": 10
+ },
+ "rowHeight": "single"
+ }
+ },
+ "title": "Users Renamed - Table [Windows System Security]",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 16,
+ "i": "33",
+ "w": 9,
+ "x": 9,
+ "y": 102
+ },
+ "panelIndex": "33",
+ "title": "Users Renamed - Table [Windows System Security]",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {
+ "filter": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "description": "",
+ "params": {
+ "fontSize": 12,
+ "markdown": "[Windows Overview](#/dashboard/system-Windows-Dashboard) | [User Logon Information](#/dashboard/system-bae11b00-9bfc-11ea-87e4-49f31ec44891) | [Logon Failed and Account Lockout](#/dashboard/system-d401ef40-a7d5-11e9-a422-d144027429da) | **User Management Events** | [Group Management Events](#/dashboard/system-bb858830-f412-11e9-8405-516218e3d268)",
+ "openLinksInNewTab": false
+ },
+ "title": "Dashboard links [Windows System Security]",
+ "type": "markdown",
+ "uiState": {}
+ }
+ },
+ "gridData": {
+ "h": 8,
+ "i": "cf0adfac-7cf2-479d-8ddb-1edeee62d37c",
+ "w": 31,
+ "x": 17,
+ "y": 0
+ },
+ "panelIndex": "cf0adfac-7cf2-479d-8ddb-1edeee62d37c",
+ "title": "",
+ "type": "visualization",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-5cfa8804-5c32-451e-a9ef-ab4f2f5ea013",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "1cdd7bfd-1207-485b-9fbc-a80cafd98b00",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "5cfa8804-5c32-451e-a9ef-ab4f2f5ea013": {
+ "columnOrder": [
+ "ee354f1a-af8f-47d5-9e55-7500ff35589a",
+ "e66adfc6-a434-4665-93ad-34ccded647c7"
+ ],
+ "columns": {
+ "e66adfc6-a434-4665-93ad-34ccded647c7": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "ee354f1a-af8f-47d5-9e55-7500ff35589a": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "event.action: Descending",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "e66adfc6-a434-4665-93ad-34ccded647c7",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 15
+ },
+ "scale": "ordinal",
+ "sourceField": "event.action"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "1cdd7bfd-1207-485b-9fbc-a80cafd98b00",
+ "key": "event.code",
+ "negate": false,
+ "params": [
+ "4720",
+ "4722",
+ "4723",
+ "4724",
+ "4725",
+ "4726",
+ "4738",
+ "4740",
+ "4767",
+ "4781",
+ "4798"
+ ],
+ "type": "phrases",
+ "value": "4720, 4722, 4723, 4724, 4725, 4726, 4738, 4740, 4767, 4781, 4798"
+ },
+ "query": {
+ "bool": {
+ "minimum_should_match": 1,
+ "should": [
+ {
+ "match_phrase": {
+ "event.code": "4720"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4722"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4723"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4724"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4725"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4726"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4738"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4740"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4767"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4781"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4798"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security"
+ },
+ "visualization": {
+ "layers": [
+ {
+ "categoryDisplay": "hide",
+ "emptySizeRatio": 0.3,
+ "layerId": "5cfa8804-5c32-451e-a9ef-ab4f2f5ea013",
+ "layerType": "data",
+ "legendDisplay": "hide",
+ "legendMaxLines": 1,
+ "legendPosition": "right",
+ "legendSize": "auto",
+ "metrics": [
+ "e66adfc6-a434-4665-93ad-34ccded647c7"
+ ],
+ "nestedLegend": false,
+ "numberDisplay": "percent",
+ "percentDecimals": 2,
+ "primaryGroups": [
+ "ee354f1a-af8f-47d5-9e55-7500ff35589a"
+ ],
+ "secondaryGroups": [],
+ "showValuesInLegend": true,
+ "truncateLegend": true
+ }
+ ],
+ "shape": "pie"
+ }
+ },
+ "title": "User Management Actions [Windows System Security]",
+ "type": "lens",
+ "visualizationType": "lnsPie"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 16,
+ "i": "a2871661-98a8-489b-b615-e66ebe3b971a",
+ "w": 17,
+ "x": 0,
+ "y": 8
+ },
+ "panelIndex": "a2871661-98a8-489b-b615-e66ebe3b971a",
+ "title": "User Management Actions [Windows System Security]",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-49665402-a64a-44e2-b251-976e50a5c030",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "7e29a9cf-64d5-426d-b6aa-8808264a7496",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "49665402-a64a-44e2-b251-976e50a5c030": {
+ "columnOrder": [
+ "03dfb72e-e140-48d0-8b6b-0dd7253a1f61",
+ "fb36a279-27ac-4814-ae98-a5864704ff3a",
+ "050b0eae-08cf-44a4-be0e-fd22d216cdff"
+ ],
+ "columns": {
+ "03dfb72e-e140-48d0-8b6b-0dd7253a1f61": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "event.action",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "050b0eae-08cf-44a4-be0e-fd22d216cdff",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 25
+ },
+ "scale": "ordinal",
+ "sourceField": "event.action"
+ },
+ "050b0eae-08cf-44a4-be0e-fd22d216cdff": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "fb36a279-27ac-4814-ae98-a5864704ff3a": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "event.code",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "050b0eae-08cf-44a4-be0e-fd22d216cdff",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "event.code"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "7e29a9cf-64d5-426d-b6aa-8808264a7496",
+ "key": "event.code",
+ "negate": false,
+ "params": [
+ "4720",
+ "4722",
+ "4723",
+ "4724",
+ "4725",
+ "4726",
+ "4738",
+ "4740",
+ "4767",
+ "4781",
+ "4798"
+ ],
+ "type": "phrases",
+ "value": "4720, 4722, 4723, 4724, 4725, 4726, 4738, 4740, 4767, 4781, 4798"
+ },
+ "query": {
+ "bool": {
+ "minimum_should_match": 1,
+ "should": [
+ {
+ "match_phrase": {
+ "event.code": "4720"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4722"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4723"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4724"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4725"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4726"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4738"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4740"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4767"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4781"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4798"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security"
+ },
+ "visualization": {
+ "columns": [
+ {
+ "alignment": "left",
+ "columnId": "050b0eae-08cf-44a4-be0e-fd22d216cdff"
+ },
+ {
+ "alignment": "left",
+ "columnId": "03dfb72e-e140-48d0-8b6b-0dd7253a1f61"
+ },
+ {
+ "alignment": "left",
+ "columnId": "fb36a279-27ac-4814-ae98-a5864704ff3a"
+ }
+ ],
+ "headerRowHeight": "single",
+ "layerId": "49665402-a64a-44e2-b251-976e50a5c030",
+ "layerType": "data",
+ "paging": {
+ "enabled": true,
+ "size": 10
+ },
+ "rowHeight": "single"
+ }
+ },
+ "title": "User Event Actions - Table [Windows System Security]",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 16,
+ "i": "dd3e12e6-0d3c-448e-b0c4-91f7dc8742b6",
+ "w": 13,
+ "x": 17,
+ "y": 8
+ },
+ "panelIndex": "dd3e12e6-0d3c-448e-b0c4-91f7dc8742b6",
+ "title": "User Event Actions - Table [Windows System Security]",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-e1805dcb-7ae9-4b50-b201-34f1337a8c57",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "e1805dcb-7ae9-4b50-b201-34f1337a8c57": {
+ "columnOrder": [
+ "d5bb0346-b16f-44ab-b12a-78b0e2c2758d",
+ "8571440b-0b36-4565-9f37-e06df2d69b01"
+ ],
+ "columns": {
+ "8571440b-0b36-4565-9f37-e06df2d69b01": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "d5bb0346-b16f-44ab-b12a-78b0e2c2758d": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Target Users",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "8571440b-0b36-4565-9f37-e06df2d69b01",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.event_data.TargetUserName"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "8571440b-0b36-4565-9f37-e06df2d69b01"
+ ],
+ "layerId": "e1805dcb-7ae9-4b50-b201-34f1337a8c57",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "bar_horizontal",
+ "showGridlines": false,
+ "xAccessor": "d5bb0346-b16f-44ab-b12a-78b0e2c2758d"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right"
+ },
+ "preferredSeriesType": "bar_horizontal",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 16,
+ "i": "44697eb7-bb8e-4994-9e1b-95599f1b994a",
+ "w": 18,
+ "x": 30,
+ "y": 8
+ },
+ "panelIndex": "44697eb7-bb8e-4994-9e1b-95599f1b994a",
+ "title": "Target Users [Windows System Security]",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-81502bd7-7787-49aa-a890-24912feb1796",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "2434c52c-2206-4a9f-9d0c-c4d6ec7b7854",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "81502bd7-7787-49aa-a890-24912feb1796": {
+ "columnOrder": [
+ "15718d57-7630-4e2e-95c2-e54ed6194206",
+ "bcc8b6f9-e162-4212-a450-0767191d1022",
+ "cbf854c1-cf1f-42b9-a300-45c58996aadb"
+ ],
+ "columns": {
+ "15718d57-7630-4e2e-95c2-e54ed6194206": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Target User",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "cbf854c1-cf1f-42b9-a300-45c58996aadb",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 20
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.event_data.TargetUserName"
+ },
+ "bcc8b6f9-e162-4212-a450-0767191d1022": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "event.action: Descending",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "cbf854c1-cf1f-42b9-a300-45c58996aadb",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "event.action"
+ },
+ "cbf854c1-cf1f-42b9-a300-45c58996aadb": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "2434c52c-2206-4a9f-9d0c-c4d6ec7b7854",
+ "key": "event.code",
+ "negate": false,
+ "params": [
+ "4720",
+ "4722",
+ "4723",
+ "4724",
+ "4725",
+ "4726",
+ "4738",
+ "4740",
+ "4767",
+ "4781",
+ "4798"
+ ],
+ "type": "phrases",
+ "value": "4720, 4722, 4723, 4724, 4725, 4726, 4738, 4740, 4767, 4781, 4798"
+ },
+ "query": {
+ "bool": {
+ "minimum_should_match": 1,
+ "should": [
+ {
+ "match_phrase": {
+ "event.code": "4720"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4722"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4723"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4724"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4725"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4726"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4738"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4740"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4767"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4781"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4798"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security"
+ },
+ "visualization": {
+ "gridConfig": {
+ "isCellLabelVisible": true,
+ "isXAxisLabelVisible": true,
+ "isXAxisTitleVisible": true,
+ "isYAxisLabelVisible": true,
+ "isYAxisTitleVisible": true,
+ "type": "heatmap_grid"
+ },
+ "layerId": "81502bd7-7787-49aa-a890-24912feb1796",
+ "layerType": "data",
+ "legend": {
+ "position": "right",
+ "type": "heatmap_legend"
+ },
+ "palette": {
+ "accessor": "cbf854c1-cf1f-42b9-a300-45c58996aadb",
+ "name": "custom",
+ "params": {
+ "colorStops": [
+ {
+ "color": "#F7FBFF",
+ "stop": 0
+ },
+ {
+ "color": "#C3DBEE",
+ "stop": 25
+ },
+ {
+ "color": "#6DAED5",
+ "stop": 50
+ },
+ {
+ "color": "#2271B3",
+ "stop": 75
+ }
+ ],
+ "continuity": "none",
+ "maxSteps": 5,
+ "name": "custom",
+ "progression": "fixed",
+ "rangeMax": 100,
+ "rangeMin": 0,
+ "rangeType": "percent",
+ "reverse": false,
+ "stops": [
+ {
+ "color": "#F7FBFF",
+ "stop": 25
+ },
+ {
+ "color": "#C3DBEE",
+ "stop": 50
+ },
+ {
+ "color": "#6DAED5",
+ "stop": 75
+ },
+ {
+ "color": "#2271B3",
+ "stop": 100
+ }
+ ]
+ },
+ "type": "palette"
+ },
+ "shape": "heatmap",
+ "valueAccessor": "cbf854c1-cf1f-42b9-a300-45c58996aadb",
+ "xAccessor": "15718d57-7630-4e2e-95c2-e54ed6194206",
+ "yAccessor": "bcc8b6f9-e162-4212-a450-0767191d1022"
+ }
+ },
+ "title": "User Management Events - Affected Users vs Actions - Heatmap [Windows System Security]",
+ "type": "lens",
+ "visualizationType": "lnsHeatmap"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 25,
+ "i": "29f54335-78db-4c49-a3e0-a641fd0099f6",
+ "w": 48,
+ "x": 0,
+ "y": 24
+ },
+ "panelIndex": "29f54335-78db-4c49-a3e0-a641fd0099f6",
+ "title": "User Management Events - Affected Users vs Actions - Heatmap [Windows System Security]",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_logs-*/@timestamp": {
+ "allowNoIndex": false,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_logs-*/@timestamp",
+ "name": "logs-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "logs-*"
+ }
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "d62110e5-9d90-412a-833a-3bb5da7f6693": {
+ "columnOrder": [
+ "f6c30a0d-83b4-4139-a669-5041c87cc19a"
+ ],
+ "columns": {
+ "f6c30a0d-83b4-4139-a669-5041c87cc19a": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "event.code: \"4720\""
+ },
+ "isBucketed": false,
+ "label": "Users Created",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "tsvb_ad_hoc_logs-*/@timestamp",
+ "name": "indexpattern-datasource-layer-d62110e5-9d90-412a-833a-3bb5da7f6693",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "accessor": "f6c30a0d-83b4-4139-a669-5041c87cc19a",
+ "colorMode": "Background",
+ "layerId": "d62110e5-9d90-412a-833a-3bb5da7f6693",
+ "layerType": "data",
+ "palette": {
+ "name": "custom",
+ "params": {
+ "colorStops": [
+ {
+ "color": "#D0D0D0",
+ "stop": null
+ },
+ {
+ "color": "#cc5642",
+ "stop": 0
+ }
+ ],
+ "continuity": "all",
+ "maxSteps": 5,
+ "name": "custom",
+ "progression": "fixed",
+ "rangeMax": null,
+ "rangeMin": null,
+ "rangeType": "number",
+ "reverse": false,
+ "steps": 3,
+ "stops": [
+ {
+ "color": "#D0D0D0",
+ "stop": 0
+ },
+ {
+ "color": "#cc5642",
+ "stop": 1
+ }
+ ]
+ },
+ "type": "palette"
+ }
+ }
+ },
+ "title": "TSVB visualization",
+ "type": "lens",
+ "visualizationType": "lnsLegacyMetric"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 7,
+ "i": "a6f12dd2-11fb-4039-8a8c-56b742a96e30",
+ "w": 9,
+ "x": 0,
+ "y": 49
+ },
+ "panelIndex": "a6f12dd2-11fb-4039-8a8c-56b742a96e30",
+ "title": "",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_logs-*/@timestamp": {
+ "allowNoIndex": false,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_logs-*/@timestamp",
+ "name": "logs-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "logs-*"
+ }
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "d62110e5-9d90-412a-833a-3bb5da7f6693": {
+ "columnOrder": [
+ "f6c30a0d-83b4-4139-a669-5041c87cc19a"
+ ],
+ "columns": {
+ "f6c30a0d-83b4-4139-a669-5041c87cc19a": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "event.code: \"4722\""
+ },
+ "isBucketed": false,
+ "label": "Users Enabled",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "tsvb_ad_hoc_logs-*/@timestamp",
+ "name": "indexpattern-datasource-layer-d62110e5-9d90-412a-833a-3bb5da7f6693",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "accessor": "f6c30a0d-83b4-4139-a669-5041c87cc19a",
+ "colorMode": "Background",
+ "layerId": "d62110e5-9d90-412a-833a-3bb5da7f6693",
+ "layerType": "data",
+ "palette": {
+ "name": "custom",
+ "params": {
+ "colorStops": [
+ {
+ "color": "#D0D0D0",
+ "stop": null
+ },
+ {
+ "color": "#cc5642",
+ "stop": 1
+ }
+ ],
+ "continuity": "all",
+ "maxSteps": 5,
+ "name": "custom",
+ "progression": "fixed",
+ "rangeMax": null,
+ "rangeMin": null,
+ "rangeType": "number",
+ "reverse": false,
+ "steps": 3,
+ "stops": [
+ {
+ "color": "#D0D0D0",
+ "stop": 1
+ },
+ {
+ "color": "#cc5642",
+ "stop": 2
+ }
+ ]
+ },
+ "type": "palette"
+ }
+ }
+ },
+ "title": "TSVB visualization",
+ "type": "lens",
+ "visualizationType": "lnsLegacyMetric"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 7,
+ "i": "39724444-251e-480d-b5f2-642362f8929e",
+ "w": 9,
+ "x": 9,
+ "y": 49
+ },
+ "panelIndex": "39724444-251e-480d-b5f2-642362f8929e",
+ "title": "",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_logs-*/@timestamp": {
+ "allowNoIndex": false,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_logs-*/@timestamp",
+ "name": "logs-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "logs-*"
+ }
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "53b82494-6fb7-47b6-8d8d-dd3fcb3b89ed": {
+ "columnOrder": [
+ "b54a4942-5808-4c83-b3ea-50406c4199ef"
+ ],
+ "columns": {
+ "b54a4942-5808-4c83-b3ea-50406c4199ef": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "event.code: \"4726\""
+ },
+ "isBucketed": false,
+ "label": "Users Deleted",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "tsvb_ad_hoc_logs-*/@timestamp",
+ "name": "indexpattern-datasource-layer-53b82494-6fb7-47b6-8d8d-dd3fcb3b89ed",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "accessor": "b54a4942-5808-4c83-b3ea-50406c4199ef",
+ "colorMode": "Background",
+ "layerId": "53b82494-6fb7-47b6-8d8d-dd3fcb3b89ed",
+ "layerType": "data",
+ "palette": {
+ "name": "custom",
+ "params": {
+ "colorStops": [
+ {
+ "color": "#D0D0D0",
+ "stop": null
+ },
+ {
+ "color": "#DA8B45",
+ "stop": 1
+ }
+ ],
+ "continuity": "all",
+ "maxSteps": 5,
+ "name": "custom",
+ "progression": "fixed",
+ "rangeMax": null,
+ "rangeMin": null,
+ "rangeType": "number",
+ "reverse": false,
+ "steps": 3,
+ "stops": [
+ {
+ "color": "#D0D0D0",
+ "stop": 1
+ },
+ {
+ "color": "#DA8B45",
+ "stop": 2
+ }
+ ]
+ },
+ "type": "palette"
+ }
+ }
+ },
+ "title": "TSVB visualization",
+ "type": "lens",
+ "visualizationType": "lnsLegacyMetric"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 7,
+ "i": "9fdcbd20-59e6-4fd2-bc0a-72b0daaee79e",
+ "w": 9,
+ "x": 18,
+ "y": 49
+ },
+ "panelIndex": "9fdcbd20-59e6-4fd2-bc0a-72b0daaee79e",
+ "title": "",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-f948c2c2-e83b-4f32-aaab-acb740cf74e3",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "9863d407-89f7-419e-ac97-2dd548e76e0b",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "f948c2c2-e83b-4f32-aaab-acb740cf74e3": {
+ "columnOrder": [
+ "11ccc892-90c4-4cfa-9c5e-821d584dabcc",
+ "d8077715-92a4-46cb-8baa-471f429e0fd4",
+ "2915bf68-6254-470e-b565-bf1597c1d345"
+ ],
+ "columns": {
+ "11ccc892-90c4-4cfa-9c5e-821d584dabcc": {
+ "customLabel": true,
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": false,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "2915bf68-6254-470e-b565-bf1597c1d345": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "d8077715-92a4-46cb-8baa-471f429e0fd4": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "event.action: Descending",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "2915bf68-6254-470e-b565-bf1597c1d345",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 15
+ },
+ "scale": "ordinal",
+ "sourceField": "event.action"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "9863d407-89f7-419e-ac97-2dd548e76e0b",
+ "key": "event.code",
+ "negate": false,
+ "params": [
+ "4720",
+ "4722",
+ "4723",
+ "4724",
+ "4725",
+ "4726",
+ "4738",
+ "4740",
+ "4767",
+ "4781",
+ "4798"
+ ],
+ "type": "phrases",
+ "value": "4720, 4722, 4723, 4724, 4725, 4726, 4738, 4740, 4767, 4781, 4798"
+ },
+ "query": {
+ "bool": {
+ "minimum_should_match": 1,
+ "should": [
+ {
+ "match_phrase": {
+ "event.code": "4720"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4722"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4723"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4724"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4725"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4726"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4738"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4740"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4767"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4781"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4798"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security"
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "curveType": "LINEAR",
+ "gridlinesVisibilitySettings": {
+ "x": false,
+ "yLeft": false,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": -90
+ },
+ "layers": [
+ {
+ "accessors": [
+ "2915bf68-6254-470e-b565-bf1597c1d345"
+ ],
+ "isHistogram": true,
+ "layerId": "f948c2c2-e83b-4f32-aaab-acb740cf74e3",
+ "layerType": "data",
+ "seriesType": "bar_stacked",
+ "simpleView": false,
+ "splitAccessor": "d8077715-92a4-46cb-8baa-471f429e0fd4",
+ "xAccessor": "11ccc892-90c4-4cfa-9c5e-821d584dabcc",
+ "xScaleType": "time",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "forAccessor": "2915bf68-6254-470e-b565-bf1597c1d345"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "legendSize": "auto",
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "showCurrentTimeMarker": false,
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": false,
+ "yLeftExtent": {
+ "enforce": true,
+ "mode": "full"
+ },
+ "yLeftScale": "linear",
+ "yRightScale": "linear",
+ "yTitle": "Count"
+ }
+ },
+ "title": "Event Distribution in time [Windows System Security]",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 23,
+ "i": "1ec8b993-9ac1-4c7f-b7f7-5136f2e310aa",
+ "w": 21,
+ "x": 27,
+ "y": 49
+ },
+ "panelIndex": "1ec8b993-9ac1-4c7f-b7f7-5136f2e310aa",
+ "title": "Event Distribution in time [Windows System Security]",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_logs-*/@timestamp": {
+ "allowNoIndex": false,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_logs-*/@timestamp",
+ "name": "logs-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "logs-*"
+ }
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "4a1f13e9-c9c4-44b2-b9dc-ce205372ca10": {
+ "columnOrder": [
+ "64cc5931-61bd-44b8-b16c-5054d276ae0e"
+ ],
+ "columns": {
+ "64cc5931-61bd-44b8-b16c-5054d276ae0e": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "((data_stream.dataset:windows.security OR data_stream.dataset:system.security) AND event.code: \"4725\")"
+ },
+ "isBucketed": false,
+ "label": "Users Disabled",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "tsvb_ad_hoc_logs-*/@timestamp",
+ "name": "indexpattern-datasource-layer-4a1f13e9-c9c4-44b2-b9dc-ce205372ca10",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "accessor": "64cc5931-61bd-44b8-b16c-5054d276ae0e",
+ "colorMode": "Background",
+ "layerId": "4a1f13e9-c9c4-44b2-b9dc-ce205372ca10",
+ "layerType": "data",
+ "palette": {
+ "name": "custom",
+ "params": {
+ "colorStops": [
+ {
+ "color": "#D0D0D0",
+ "stop": null
+ },
+ {
+ "color": "#209280",
+ "stop": 1
+ }
+ ],
+ "continuity": "all",
+ "maxSteps": 5,
+ "name": "custom",
+ "progression": "fixed",
+ "rangeMax": null,
+ "rangeMin": null,
+ "rangeType": "number",
+ "reverse": false,
+ "steps": 3,
+ "stops": [
+ {
+ "color": "#D0D0D0",
+ "stop": 1
+ },
+ {
+ "color": "#209280",
+ "stop": 2
+ }
+ ]
+ },
+ "type": "palette"
+ }
+ }
+ },
+ "title": "TSVB visualization",
+ "type": "lens",
+ "visualizationType": "lnsLegacyMetric"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 7,
+ "i": "bd1b0e6a-ed99-423d-8a51-29456ec74e0e",
+ "w": 9,
+ "x": 0,
+ "y": 72
+ },
+ "panelIndex": "bd1b0e6a-ed99-423d-8a51-29456ec74e0e",
+ "title": "",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_logs-*/@timestamp": {
+ "allowNoIndex": false,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_logs-*/@timestamp",
+ "name": "logs-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "logs-*"
+ }
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "f0a07f86-9bd8-4a78-a711-4a9e7addd049": {
+ "columnOrder": [
+ "f98f0911-786f-45d8-a808-8c2f20f07313"
+ ],
+ "columns": {
+ "f98f0911-786f-45d8-a808-8c2f20f07313": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "event.code: \"4767\""
+ },
+ "isBucketed": false,
+ "label": "Users Unlocks",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "tsvb_ad_hoc_logs-*/@timestamp",
+ "name": "indexpattern-datasource-layer-f0a07f86-9bd8-4a78-a711-4a9e7addd049",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "accessor": "f98f0911-786f-45d8-a808-8c2f20f07313",
+ "colorMode": "Background",
+ "layerId": "f0a07f86-9bd8-4a78-a711-4a9e7addd049",
+ "layerType": "data",
+ "palette": {
+ "name": "custom",
+ "params": {
+ "colorStops": [
+ {
+ "color": "#D0D0D0",
+ "stop": null
+ },
+ {
+ "color": "#209280",
+ "stop": 1
+ }
+ ],
+ "continuity": "all",
+ "maxSteps": 5,
+ "name": "custom",
+ "progression": "fixed",
+ "rangeMax": null,
+ "rangeMin": null,
+ "rangeType": "number",
+ "reverse": false,
+ "steps": 3,
+ "stops": [
+ {
+ "color": "#D0D0D0",
+ "stop": 1
+ },
+ {
+ "color": "#209280",
+ "stop": 2
+ }
+ ]
+ },
+ "type": "palette"
+ }
+ }
+ },
+ "title": "TSVB visualization",
+ "type": "lens",
+ "visualizationType": "lnsLegacyMetric"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 7,
+ "i": "16030d60-0638-4c98-8bc5-0d8c4bf43a0c",
+ "w": 9,
+ "x": 9,
+ "y": 72
+ },
+ "panelIndex": "16030d60-0638-4c98-8bc5-0d8c4bf43a0c",
+ "title": "",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_logs-*/@timestamp": {
+ "allowNoIndex": false,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_logs-*/@timestamp",
+ "name": "logs-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "logs-*"
+ }
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "71d71f2b-1120-4e6e-b3cf-c5dc99a1860f": {
+ "columnOrder": [
+ "101426f1-a447-42fb-8a21-203065dd42c5"
+ ],
+ "columns": {
+ "101426f1-a447-42fb-8a21-203065dd42c5": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "event.code: \"4723\" OR event.code: \"4724\""
+ },
+ "isBucketed": false,
+ "label": "Password Changes/Reset",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "tsvb_ad_hoc_logs-*/@timestamp",
+ "name": "indexpattern-datasource-layer-71d71f2b-1120-4e6e-b3cf-c5dc99a1860f",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "accessor": "101426f1-a447-42fb-8a21-203065dd42c5",
+ "colorMode": "Background",
+ "layerId": "71d71f2b-1120-4e6e-b3cf-c5dc99a1860f",
+ "layerType": "data",
+ "palette": {
+ "name": "custom",
+ "params": {
+ "colorStops": [
+ {
+ "color": "#D0D0D0",
+ "stop": null
+ },
+ {
+ "color": "#d6bf57",
+ "stop": 1
+ }
+ ],
+ "continuity": "all",
+ "maxSteps": 5,
+ "name": "custom",
+ "progression": "fixed",
+ "rangeMax": null,
+ "rangeMin": null,
+ "rangeType": "number",
+ "reverse": false,
+ "steps": 3,
+ "stops": [
+ {
+ "color": "#D0D0D0",
+ "stop": 1
+ },
+ {
+ "color": "#d6bf57",
+ "stop": 2
+ }
+ ]
+ },
+ "type": "palette"
+ }
+ }
+ },
+ "title": "TSVB visualization",
+ "type": "lens",
+ "visualizationType": "lnsLegacyMetric"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 7,
+ "i": "9c593d0d-c730-4277-ae74-ac3134055800",
+ "w": 9,
+ "x": 18,
+ "y": 72
+ },
+ "panelIndex": "9c593d0d-c730-4277-ae74-ac3134055800",
+ "title": "",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_logs-*/@timestamp": {
+ "allowNoIndex": false,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_logs-*/@timestamp",
+ "name": "logs-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "logs-*"
+ }
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "afbadb03-16b7-407f-af63-f2e4a851e785": {
+ "columnOrder": [
+ "1094c3d6-772d-435d-b002-698f1320d162"
+ ],
+ "columns": {
+ "1094c3d6-772d-435d-b002-698f1320d162": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "((data_stream.dataset:windows.security OR data_stream.dataset:system.security) AND event.code: \"4740\")"
+ },
+ "isBucketed": false,
+ "label": "Users Locked Out",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "tsvb_ad_hoc_logs-*/@timestamp",
+ "name": "indexpattern-datasource-layer-afbadb03-16b7-407f-af63-f2e4a851e785",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "accessor": "1094c3d6-772d-435d-b002-698f1320d162",
+ "colorMode": "Background",
+ "layerId": "afbadb03-16b7-407f-af63-f2e4a851e785",
+ "layerType": "data",
+ "palette": {
+ "name": "custom",
+ "params": {
+ "colorStops": [
+ {
+ "color": "#D0D0D0",
+ "stop": null
+ },
+ {
+ "color": "#808080",
+ "stop": 0
+ }
+ ],
+ "continuity": "all",
+ "maxSteps": 5,
+ "name": "custom",
+ "progression": "fixed",
+ "rangeMax": null,
+ "rangeMin": null,
+ "rangeType": "number",
+ "reverse": false,
+ "steps": 3,
+ "stops": [
+ {
+ "color": "#D0D0D0",
+ "stop": 0
+ },
+ {
+ "color": "#808080",
+ "stop": 1
+ }
+ ]
+ },
+ "type": "palette"
+ }
+ }
+ },
+ "title": "TSVB visualization",
+ "type": "lens",
+ "visualizationType": "lnsLegacyMetric"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 7,
+ "i": "0f1cf1e8-0798-464b-b18a-0dd1ae19d36f",
+ "w": 9,
+ "x": 0,
+ "y": 95
+ },
+ "panelIndex": "0f1cf1e8-0798-464b-b18a-0dd1ae19d36f",
+ "title": "",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_logs-*/@timestamp": {
+ "allowNoIndex": false,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_logs-*/@timestamp",
+ "name": "logs-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "logs-*"
+ }
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "92862cde-d2fe-4d8a-87ba-d2e86f3751c7": {
+ "columnOrder": [
+ "2a0b322c-fbee-472a-aea7-86cc0bb9a3e6"
+ ],
+ "columns": {
+ "2a0b322c-fbee-472a-aea7-86cc0bb9a3e6": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "event.code: \"4781\""
+ },
+ "isBucketed": false,
+ "label": "Users Renamed",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "tsvb_ad_hoc_logs-*/@timestamp",
+ "name": "indexpattern-datasource-layer-92862cde-d2fe-4d8a-87ba-d2e86f3751c7",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "accessor": "2a0b322c-fbee-472a-aea7-86cc0bb9a3e6",
+ "colorMode": "Background",
+ "layerId": "92862cde-d2fe-4d8a-87ba-d2e86f3751c7",
+ "layerType": "data",
+ "palette": {
+ "name": "custom",
+ "params": {
+ "colorStops": [
+ {
+ "color": "#D0D0D0",
+ "stop": null
+ },
+ {
+ "color": "#808080",
+ "stop": 1
+ }
+ ],
+ "continuity": "all",
+ "maxSteps": 5,
+ "name": "custom",
+ "progression": "fixed",
+ "rangeMax": null,
+ "rangeMin": null,
+ "rangeType": "number",
+ "reverse": false,
+ "steps": 3,
+ "stops": [
+ {
+ "color": "#D0D0D0",
+ "stop": 1
+ },
+ {
+ "color": "#808080",
+ "stop": 2
+ }
+ ]
+ },
+ "type": "palette"
+ }
+ }
+ },
+ "title": "TSVB visualization",
+ "type": "lens",
+ "visualizationType": "lnsLegacyMetric"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 7,
+ "i": "ca7947ea-7c33-4ef7-acfb-51df31226ea0",
+ "w": 9,
+ "x": 9,
+ "y": 95
+ },
+ "panelIndex": "ca7947ea-7c33-4ef7-acfb-51df31226ea0",
+ "title": "",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_logs-*/@timestamp": {
+ "allowNoIndex": false,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_logs-*/@timestamp",
+ "name": "logs-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "logs-*"
+ }
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "f3ab0f05-2e4c-4794-a430-81d0f4f2585c": {
+ "columnOrder": [
+ "2c0aee5b-6685-49c3-8a07-4b4858303bdf"
+ ],
+ "columns": {
+ "2c0aee5b-6685-49c3-8a07-4b4858303bdf": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "event.code: \"4738\""
+ },
+ "isBucketed": false,
+ "label": "Users Changes",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "tsvb_ad_hoc_logs-*/@timestamp",
+ "name": "indexpattern-datasource-layer-f3ab0f05-2e4c-4794-a430-81d0f4f2585c",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "accessor": "2c0aee5b-6685-49c3-8a07-4b4858303bdf",
+ "colorMode": "Background",
+ "layerId": "f3ab0f05-2e4c-4794-a430-81d0f4f2585c",
+ "layerType": "data",
+ "palette": {
+ "name": "custom",
+ "params": {
+ "colorStops": [
+ {
+ "color": "#D0D0D0",
+ "stop": null
+ },
+ {
+ "color": "#d6bf57",
+ "stop": 1
+ }
+ ],
+ "continuity": "all",
+ "maxSteps": 5,
+ "name": "custom",
+ "progression": "fixed",
+ "rangeMax": null,
+ "rangeMin": null,
+ "rangeType": "number",
+ "reverse": false,
+ "steps": 3,
+ "stops": [
+ {
+ "color": "#D0D0D0",
+ "stop": 1
+ },
+ {
+ "color": "#d6bf57",
+ "stop": 2
+ }
+ ]
+ },
+ "type": "palette"
+ }
+ }
+ },
+ "title": "TSVB visualization",
+ "type": "lens",
+ "visualizationType": "lnsLegacyMetric"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 7,
+ "i": "38e91c86-1d3e-4342-b8cc-e95031dbf1b7",
+ "w": 9,
+ "x": 18,
+ "y": 95
+ },
+ "panelIndex": "38e91c86-1d3e-4342-b8cc-e95031dbf1b7",
+ "title": "",
+ "type": "lens",
+ "version": "8.7.0"
+ }
+ ],
+ "timeRestore": false,
+ "title": "[System Windows Security] User Management Events",
+ "version": 1
+ },
+ "coreMigrationVersion": "8.7.1",
+ "created_at": "2023-05-04T21:59:59.346Z",
+ "id": "system-71f720f0-ff18-11e9-8405-516218e3d268",
+ "migrationVersion": {
+ "dashboard": "8.7.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "3:indexpattern-datasource-layer-2d2094c7-e57e-4a12-88ad-50291d81a64b",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "3:ee7f0132-6cba-4ea8-80ea-50bddb3c588e",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "5:indexpattern-datasource-layer-95473519-9e23-4ab1-acb8-3212f69ea3b5",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "5:f8e3cf39-b76f-4658-af4f-c9c915ba6ba6",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "6:indexpattern-datasource-layer-dc37e882-6f66-420e-a41d-17176340e1fc",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "6:87383246-3af7-4da7-bf25-da8b92485bf4",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "7:indexpattern-datasource-layer-5ef7cf84-7e34-4c90-afe6-2a3bc54f9e62",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "7:2974422c-1f81-4077-9f55-a01a8b045f56",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "9:indexpattern-datasource-layer-f8300e3b-29eb-46f6-a509-9bd4b4b2f8ec",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "9:8726b1f3-6de9-4d3f-8ac6-c47b378bdcb2",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "15:indexpattern-datasource-layer-8ee3da48-29cf-4b5a-b9be-ede6e7f10f54",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "15:6d7d0e01-edd7-4907-a80b-65abcdd357ca",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "16:indexpattern-datasource-layer-5ffb434e-0578-45fe-bbc8-01893ae2f867",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "16:d72b2685-a2ee-4c6d-bf7f-70cdfad9817e",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "20:indexpattern-datasource-layer-7868e85e-6ff2-4087-8bd9-7d22da031e24",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "20:84460bff-f94b-4d8b-a166-5ab188df891c",
+ "type": "index-pattern"
+ },
+ {
+ "id": "system-7e178c80-fee1-11e9-8405-516218e3d268",
+ "name": "22:panel_22",
+ "type": "search"
+ },
+ {
+ "id": "system-324686c0-fefb-11e9-8405-516218e3d268",
+ "name": "23:panel_23",
+ "type": "search"
+ },
+ {
+ "id": "logs-*",
+ "name": "33:indexpattern-datasource-layer-c613d393-dc99-42e4-a4f0-afb124b56634",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "33:642679d4-cdd9-44fe-9723-862f94ee2256",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "a2871661-98a8-489b-b615-e66ebe3b971a:indexpattern-datasource-layer-5cfa8804-5c32-451e-a9ef-ab4f2f5ea013",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "a2871661-98a8-489b-b615-e66ebe3b971a:1cdd7bfd-1207-485b-9fbc-a80cafd98b00",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "dd3e12e6-0d3c-448e-b0c4-91f7dc8742b6:indexpattern-datasource-layer-49665402-a64a-44e2-b251-976e50a5c030",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "dd3e12e6-0d3c-448e-b0c4-91f7dc8742b6:7e29a9cf-64d5-426d-b6aa-8808264a7496",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "44697eb7-bb8e-4994-9e1b-95599f1b994a:indexpattern-datasource-layer-e1805dcb-7ae9-4b50-b201-34f1337a8c57",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "29f54335-78db-4c49-a3e0-a641fd0099f6:indexpattern-datasource-layer-81502bd7-7787-49aa-a890-24912feb1796",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "29f54335-78db-4c49-a3e0-a641fd0099f6:2434c52c-2206-4a9f-9d0c-c4d6ec7b7854",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "1ec8b993-9ac1-4c7f-b7f7-5136f2e310aa:indexpattern-datasource-layer-f948c2c2-e83b-4f32-aaab-acb740cf74e3",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "1ec8b993-9ac1-4c7f-b7f7-5136f2e310aa:9863d407-89f7-419e-ac97-2dd548e76e0b",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "dashboard"
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/kibana/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8.json b/test/packages/parallel/system/kibana/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8.json
new file mode 100644
index 000000000..cde4f402c
--- /dev/null
+++ b/test/packages/parallel/system/kibana/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8.json
@@ -0,0 +1,4616 @@
+{
+ "attributes": {
+ "description": "Overview of host metrics",
+ "hits": 0,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [],
+ "highlightAll": true,
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "version": true
+ }
+ },
+ "optionsJSON": {
+ "darkTheme": false,
+ "useMargins": true
+ },
+ "panelsJSON": [
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "hidePanelTitles": true,
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {
+ "filter": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "description": "",
+ "params": {
+ "fontSize": 12,
+ "markdown": "## Host overview\n\nTo select another host, either go back to [System Overview](#/dashboard/system-Metrics-system-overview) or select a host from the dropdown at the top below the search bar",
+ "openLinksInNewTab": false
+ },
+ "title": "",
+ "type": "markdown",
+ "uiState": {}
+ },
+ "type": "visualization"
+ },
+ "gridData": {
+ "h": 5,
+ "i": "fcb53f5b-0e6b-41c8-ae1c-e2aafdeaff5a",
+ "w": 48,
+ "x": 0,
+ "y": 0
+ },
+ "panelIndex": "fcb53f5b-0e6b-41c8-ae1c-e2aafdeaff5a",
+ "title": "System Navigation [Metrics System]",
+ "type": "visualization",
+ "version": "8.6.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "hidePanelTitles": true,
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "system.network"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "system.network"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "description": "",
+ "params": {
+ "axis_formatter": "number",
+ "axis_position": "left",
+ "axis_scale": "normal",
+ "background_color_rules": [
+ {
+ "id": "0e346760-1b92-11e7-bec4-a5e9ec5cab8b"
+ }
+ ],
+ "drop_last_bucket": 1,
+ "filter": {
+ "language": "lucene",
+ "query": "-system.network.name:l*"
+ },
+ "hide_last_value_indicator": true,
+ "id": "0c761590-1b92-11e7-bec4-a5e9ec5cab8b",
+ "index_pattern": "metrics-*",
+ "interval": "auto",
+ "isModelInvalid": false,
+ "max_lines_legend": 1,
+ "series": [
+ {
+ "axis_position": "right",
+ "chart_type": "line",
+ "color": "#68BC00",
+ "fill": 0.5,
+ "formatter": "bytes",
+ "id": "0c761591-1b92-11e7-bec4-a5e9ec5cab8b",
+ "label": "Outbound Traffic",
+ "line_width": 1,
+ "metrics": [
+ {
+ "field": "system.network.out.bytes",
+ "id": "0c761592-1b92-11e7-bec4-a5e9ec5cab8b",
+ "type": "max"
+ },
+ {
+ "field": "0c761592-1b92-11e7-bec4-a5e9ec5cab8b",
+ "id": "1d659060-1b92-11e7-bec4-a5e9ec5cab8b",
+ "type": "derivative",
+ "unit": "1s"
+ },
+ {
+ "field": "1d659060-1b92-11e7-bec4-a5e9ec5cab8b",
+ "id": "f2074f70-1b92-11e7-a416-41f5ccdba2e6",
+ "type": "positive_only",
+ "unit": ""
+ },
+ {
+ "function": "sum",
+ "id": "a1737470-2c55-11e7-a0ad-277ce466684d",
+ "type": "series_agg"
+ }
+ ],
+ "point_size": 1,
+ "seperate_axis": 0,
+ "split_color_mode": "gradient",
+ "split_mode": "terms",
+ "stacked": "none",
+ "terms_field": "system.network.name",
+ "time_range_mode": "entire_time_range",
+ "value_template": "{{value}}/s"
+ },
+ {
+ "axis_position": "right",
+ "chart_type": "line",
+ "color": "#68BC00",
+ "fill": 0.5,
+ "formatter": "bytes",
+ "id": "37f70440-1b92-11e7-bec4-a5e9ec5cab8b",
+ "label": "Total Transferred",
+ "line_width": 1,
+ "metrics": [
+ {
+ "field": "system.network.out.bytes",
+ "id": "37f72b50-1b92-11e7-bec4-a5e9ec5cab8b",
+ "type": "max"
+ },
+ {
+ "field": "37f72b50-1b92-11e7-bec4-a5e9ec5cab8b",
+ "id": "37f72b51-1b92-11e7-bec4-a5e9ec5cab8b",
+ "type": "derivative",
+ "unit": ""
+ },
+ {
+ "field": "37f72b51-1b92-11e7-bec4-a5e9ec5cab8b",
+ "id": "f9da2dd0-1b92-11e7-a416-41f5ccdba2e6",
+ "type": "positive_only",
+ "unit": ""
+ },
+ {
+ "field": "f9da2dd0-1b92-11e7-a416-41f5ccdba2e6",
+ "function": "overall_sum",
+ "id": "3e63c2f0-1b92-11e7-bec4-a5e9ec5cab8b",
+ "sigma": "",
+ "type": "series_agg"
+ }
+ ],
+ "point_size": 1,
+ "seperate_axis": 0,
+ "split_color_mode": "gradient",
+ "split_mode": "terms",
+ "stacked": "none",
+ "terms_field": "system.network.name",
+ "time_range_mode": "entire_time_range",
+ "value_template": "{{value}}"
+ }
+ ],
+ "show_grid": 1,
+ "show_legend": 1,
+ "time_field": "@timestamp",
+ "time_range_mode": "last_value",
+ "tooltip_mode": "show_all",
+ "truncate_legend": 1,
+ "type": "metric",
+ "use_kibana_indexes": false
+ },
+ "title": "",
+ "type": "metrics",
+ "uiState": {}
+ },
+ "type": "visualization"
+ },
+ "gridData": {
+ "h": 9,
+ "i": "6fd34c50-53a3-4919-b7c5-aba460f0fe6d",
+ "w": 12,
+ "x": 36,
+ "y": 5
+ },
+ "panelIndex": "6fd34c50-53a3-4919-b7c5-aba460f0fe6d",
+ "title": "Outbound Traffic [Metrics System]",
+ "type": "visualization",
+ "version": "8.6.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "hidePanelTitles": true,
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "system.cpu"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "system.cpu"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "description": "",
+ "params": {
+ "axis_formatter": "number",
+ "axis_position": "left",
+ "axis_scale": "normal",
+ "drop_last_bucket": 1,
+ "filter": {
+ "language": "kuery",
+ "query": "data_stream.dataset : \"system.cpu\""
+ },
+ "gauge_color_rules": [
+ {
+ "gauge": "rgba(32,146,128,1)",
+ "id": "4ef2c3b0-1b91-11e7-bec4-a5e9ec5cab8b",
+ "operator": "gte",
+ "value": 0
+ },
+ {
+ "gauge": "rgba(214,191,87,1)",
+ "id": "e6561ae0-1b91-11e7-bec4-a5e9ec5cab8b",
+ "operator": "gte",
+ "value": 0.7
+ },
+ {
+ "gauge": "rgba(204,86,66,1)",
+ "id": "ec655040-1b91-11e7-bec4-a5e9ec5cab8b",
+ "operator": "gte",
+ "value": 0.85
+ },
+ {
+ "gauge": "rgba(32,146,128,1)",
+ "id": "860f8db7-6191-4519-8d2a-c51f2a95c2bc",
+ "operator": "empty",
+ "value": null
+ }
+ ],
+ "gauge_inner_width": 10,
+ "gauge_max": "1",
+ "gauge_style": "half",
+ "gauge_width": 10,
+ "hide_last_value_indicator": true,
+ "id": "4c9e2550-1b91-11e7-bec4-a5e9ec5cab8b",
+ "index_pattern": "metrics-*",
+ "interval": "auto",
+ "isModelInvalid": false,
+ "max_lines_legend": 1,
+ "series": [
+ {
+ "axis_position": "right",
+ "chart_type": "line",
+ "color": "#68BC00",
+ "fill": 0.5,
+ "formatter": "percent",
+ "id": "4c9e2551-1b91-11e7-bec4-a5e9ec5cab8b",
+ "label": "CPU Usage",
+ "line_width": 1,
+ "metrics": [
+ {
+ "field": "system.cpu.total.norm.pct",
+ "id": "4c9e2552-1b91-11e7-bec4-a5e9ec5cab8b",
+ "type": "avg"
+ }
+ ],
+ "point_size": 1,
+ "seperate_axis": 0,
+ "split_color_mode": "gradient",
+ "split_mode": "everything",
+ "stacked": "none",
+ "time_range_mode": "entire_time_range"
+ }
+ ],
+ "show_grid": 1,
+ "show_legend": 1,
+ "time_field": "@timestamp",
+ "time_range_mode": "last_value",
+ "tooltip_mode": "show_all",
+ "truncate_legend": 1,
+ "type": "gauge",
+ "use_kibana_indexes": false
+ },
+ "title": "",
+ "type": "metrics",
+ "uiState": {}
+ },
+ "type": "visualization"
+ },
+ "gridData": {
+ "h": 9,
+ "i": "d0a6fc45-278c-427e-a440-eec3ec3ce367",
+ "w": 12,
+ "x": 0,
+ "y": 5
+ },
+ "panelIndex": "d0a6fc45-278c-427e-a440-eec3ec3ce367",
+ "title": "CPU Usage Gauge [Metrics System]",
+ "type": "visualization",
+ "version": "8.6.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "hidePanelTitles": true,
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "system.memory"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "system.memory"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "description": "",
+ "params": {
+ "axis_formatter": "number",
+ "axis_position": "left",
+ "axis_scale": "normal",
+ "drop_last_bucket": 1,
+ "filter": {
+ "language": "kuery",
+ "query": "data_stream.dataset : \"system.memory\""
+ },
+ "gauge_color_rules": [
+ {
+ "gauge": "rgba(32,146,128,1)",
+ "id": "a0d522e0-1b91-11e7-bec4-a5e9ec5cab8b",
+ "operator": "gte",
+ "value": 0
+ },
+ {
+ "gauge": "rgba(214,191,87,1)",
+ "id": "b45ad8f0-1b91-11e7-bec4-a5e9ec5cab8b",
+ "operator": "gte",
+ "value": 0.7
+ },
+ {
+ "gauge": "rgba(204,86,66,1)",
+ "id": "c06e9550-1b91-11e7-bec4-a5e9ec5cab8b",
+ "operator": "gte",
+ "value": 0.85
+ },
+ {
+ "gauge": "rgba(32,146,128,1)",
+ "id": "4bbf6453-9bd4-4ab7-aa12-5a7ed6306651",
+ "operator": "empty",
+ "value": null
+ }
+ ],
+ "gauge_inner_width": 10,
+ "gauge_max": "1",
+ "gauge_style": "half",
+ "gauge_width": 10,
+ "hide_last_value_indicator": true,
+ "id": "9f51b730-1b91-11e7-bec4-a5e9ec5cab8b",
+ "index_pattern": "metrics-*",
+ "interval": "auto",
+ "isModelInvalid": false,
+ "max_lines_legend": 1,
+ "series": [
+ {
+ "axis_position": "right",
+ "chart_type": "line",
+ "color": "#68BC00",
+ "fill": 0.5,
+ "formatter": "percent",
+ "id": "9f51b731-1b91-11e7-bec4-a5e9ec5cab8b",
+ "label": "Memory Usage",
+ "line_width": 1,
+ "metrics": [
+ {
+ "field": "system.memory.actual.used.pct",
+ "id": "9f51b732-1b91-11e7-bec4-a5e9ec5cab8b",
+ "type": "avg"
+ }
+ ],
+ "point_size": 1,
+ "seperate_axis": 0,
+ "split_color_mode": "gradient",
+ "split_mode": "everything",
+ "stacked": "none",
+ "time_range_mode": "entire_time_range"
+ }
+ ],
+ "show_grid": 1,
+ "show_legend": 1,
+ "time_field": "@timestamp",
+ "time_range_mode": "last_value",
+ "tooltip_mode": "show_all",
+ "truncate_legend": 1,
+ "type": "gauge",
+ "use_kibana_indexes": false
+ },
+ "title": "",
+ "type": "metrics",
+ "uiState": {}
+ },
+ "type": "visualization"
+ },
+ "gridData": {
+ "h": 9,
+ "i": "e50a72f5-160a-4694-8f44-2e6da666b90b",
+ "w": 12,
+ "x": 12,
+ "y": 5
+ },
+ "panelIndex": "e50a72f5-160a-4694-8f44-2e6da666b90b",
+ "title": "Memory Usage Gauge [Metrics System]",
+ "type": "visualization",
+ "version": "8.6.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "hidePanelTitles": true,
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "system.load"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "system.load"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "description": "",
+ "params": {
+ "axis_formatter": "number",
+ "axis_position": "left",
+ "axis_scale": "normal",
+ "background_color_rules": [
+ {
+ "id": "feefabd0-1b90-11e7-bec4-a5e9ec5cab8b"
+ }
+ ],
+ "drop_last_bucket": 1,
+ "filter": {
+ "language": "kuery",
+ "query": ""
+ },
+ "gauge_color_rules": [
+ {
+ "id": "ffd94880-1b90-11e7-bec4-a5e9ec5cab8b"
+ }
+ ],
+ "gauge_inner_width": 10,
+ "gauge_style": "half",
+ "gauge_width": 10,
+ "hide_last_value_indicator": true,
+ "id": "fdcc6180-1b90-11e7-bec4-a5e9ec5cab8b",
+ "index_pattern": "metrics-*",
+ "interval": "auto",
+ "isModelInvalid": false,
+ "max_lines_legend": 1,
+ "series": [
+ {
+ "axis_position": "right",
+ "chart_type": "line",
+ "color": "rgba(32,146,128,1)",
+ "fill": 0.5,
+ "formatter": "number",
+ "id": "fdcc6181-1b90-11e7-bec4-a5e9ec5cab8b",
+ "label": "5m Load",
+ "line_width": 1,
+ "metrics": [
+ {
+ "field": "system.load.5",
+ "id": "fdcc6182-1b90-11e7-bec4-a5e9ec5cab8b",
+ "type": "avg"
+ }
+ ],
+ "point_size": 1,
+ "seperate_axis": 0,
+ "split_color_mode": "gradient",
+ "split_mode": "everything",
+ "stacked": "none",
+ "time_range_mode": "entire_time_range"
+ }
+ ],
+ "show_grid": 1,
+ "show_legend": 1,
+ "time_field": "@timestamp",
+ "time_range_mode": "last_value",
+ "tooltip_mode": "show_all",
+ "truncate_legend": 1,
+ "type": "gauge",
+ "use_kibana_indexes": false
+ },
+ "title": "",
+ "type": "metrics",
+ "uiState": {}
+ },
+ "type": "visualization"
+ },
+ "gridData": {
+ "h": 9,
+ "i": "baca3f6a-498a-4752-8882-1d8906d06405",
+ "w": 12,
+ "x": 24,
+ "y": 5
+ },
+ "panelIndex": "baca3f6a-498a-4752-8882-1d8906d06405",
+ "title": "Load Gauge [Metrics System]",
+ "type": "visualization",
+ "version": "8.6.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "hidePanelTitles": true,
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "system.network"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "system.network"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "description": "",
+ "params": {
+ "axis_formatter": "number",
+ "axis_position": "left",
+ "axis_scale": "normal",
+ "background_color_rules": [
+ {
+ "id": "0e346760-1b92-11e7-bec4-a5e9ec5cab8b"
+ }
+ ],
+ "drop_last_bucket": 1,
+ "filter": {
+ "language": "lucene",
+ "query": "-system.network.name:l*"
+ },
+ "hide_last_value_indicator": true,
+ "id": "0c761590-1b92-11e7-bec4-a5e9ec5cab8b",
+ "index_pattern": "metrics-*",
+ "interval": "auto",
+ "isModelInvalid": false,
+ "max_lines_legend": 1,
+ "series": [
+ {
+ "axis_position": "right",
+ "chart_type": "line",
+ "color": "#68BC00",
+ "fill": 0.5,
+ "formatter": "bytes",
+ "id": "0c761591-1b92-11e7-bec4-a5e9ec5cab8b",
+ "label": "Inbound Traffic",
+ "line_width": 1,
+ "metrics": [
+ {
+ "field": "system.network.in.bytes",
+ "id": "0c761592-1b92-11e7-bec4-a5e9ec5cab8b",
+ "type": "max"
+ },
+ {
+ "field": "0c761592-1b92-11e7-bec4-a5e9ec5cab8b",
+ "id": "1d659060-1b92-11e7-bec4-a5e9ec5cab8b",
+ "type": "derivative",
+ "unit": "1s"
+ },
+ {
+ "field": "1d659060-1b92-11e7-bec4-a5e9ec5cab8b",
+ "id": "f2074f70-1b92-11e7-a416-41f5ccdba2e6",
+ "type": "positive_only",
+ "unit": ""
+ },
+ {
+ "function": "sum",
+ "id": "c40e18f0-2c55-11e7-a0ad-277ce466684d",
+ "type": "series_agg"
+ }
+ ],
+ "point_size": 1,
+ "seperate_axis": 0,
+ "split_color_mode": "gradient",
+ "split_mode": "terms",
+ "stacked": "none",
+ "terms_field": "system.network.name",
+ "time_range_mode": "entire_time_range",
+ "value_template": "{{value}}/s"
+ },
+ {
+ "axis_position": "right",
+ "chart_type": "line",
+ "color": "#68BC00",
+ "fill": 0.5,
+ "formatter": "bytes",
+ "id": "37f70440-1b92-11e7-bec4-a5e9ec5cab8b",
+ "label": "Total Transferred",
+ "line_width": 1,
+ "metrics": [
+ {
+ "field": "system.network.in.bytes",
+ "id": "37f72b50-1b92-11e7-bec4-a5e9ec5cab8b",
+ "type": "max"
+ },
+ {
+ "field": "37f72b50-1b92-11e7-bec4-a5e9ec5cab8b",
+ "id": "37f72b51-1b92-11e7-bec4-a5e9ec5cab8b",
+ "type": "derivative",
+ "unit": ""
+ },
+ {
+ "field": "37f72b51-1b92-11e7-bec4-a5e9ec5cab8b",
+ "id": "f9da2dd0-1b92-11e7-a416-41f5ccdba2e6",
+ "type": "positive_only",
+ "unit": ""
+ },
+ {
+ "field": "f9da2dd0-1b92-11e7-a416-41f5ccdba2e6",
+ "function": "overall_sum",
+ "id": "3e63c2f0-1b92-11e7-bec4-a5e9ec5cab8b",
+ "sigma": "",
+ "type": "series_agg"
+ }
+ ],
+ "point_size": 1,
+ "seperate_axis": 0,
+ "split_color_mode": "gradient",
+ "split_mode": "terms",
+ "stacked": "none",
+ "terms_field": "system.network.name",
+ "time_range_mode": "entire_time_range",
+ "value_template": "{{value}}"
+ }
+ ],
+ "show_grid": 1,
+ "show_legend": 1,
+ "time_field": "@timestamp",
+ "time_range_mode": "last_value",
+ "tooltip_mode": "show_all",
+ "truncate_legend": 1,
+ "type": "metric",
+ "use_kibana_indexes": false
+ },
+ "title": "",
+ "type": "metrics",
+ "uiState": {}
+ },
+ "type": "visualization"
+ },
+ "gridData": {
+ "h": 8,
+ "i": "02993ece-9e84-4957-9780-a89d1cfef103",
+ "w": 12,
+ "x": 36,
+ "y": 14
+ },
+ "panelIndex": "02993ece-9e84-4957-9780-a89d1cfef103",
+ "title": "Inbound Traffic [Metrics System]",
+ "type": "visualization",
+ "version": "8.6.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-9f6d8570-52c1-4af2-a105-b9993b2e8b5c",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "04b54a98-baa0-43a7-aaa8-ace6b600ff4b",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "9f6d8570-52c1-4af2-a105-b9993b2e8b5c": {
+ "columnOrder": [
+ "314b8c49-2a3b-464b-bc85-ab7e098fd510",
+ "314b8c49-2a3b-464b-bc85-ab7e098fd510X0"
+ ],
+ "columns": {
+ "314b8c49-2a3b-464b-bc85-ab7e098fd510": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Processes",
+ "operationType": "formula",
+ "params": {
+ "formula": "unique_count(process.pid)",
+ "isFormulaBroken": false
+ },
+ "references": [
+ "314b8c49-2a3b-464b-bc85-ab7e098fd510X0"
+ ],
+ "scale": "ratio"
+ },
+ "314b8c49-2a3b-464b-bc85-ab7e098fd510X0": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Part of Processes",
+ "operationType": "unique_count",
+ "scale": "ratio",
+ "sourceField": "process.pid"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "04b54a98-baa0-43a7-aaa8-ace6b600ff4b",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "system.process"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "system.process"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "accessor": "314b8c49-2a3b-464b-bc85-ab7e098fd510",
+ "layerId": "9f6d8570-52c1-4af2-a105-b9993b2e8b5c",
+ "layerType": "data",
+ "size": "xl",
+ "textAlign": "center",
+ "titlePosition": "bottom"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsLegacyMetric"
+ },
+ "enhancements": {},
+ "type": "lens"
+ },
+ "gridData": {
+ "h": 8,
+ "i": "17f54fe4-ae84-4319-97fd-069225d0a8fb",
+ "w": 12,
+ "x": 0,
+ "y": 14
+ },
+ "panelIndex": "17f54fe4-ae84-4319-97fd-069225d0a8fb",
+ "type": "lens",
+ "version": "8.6.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "hidePanelTitles": true,
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "system.memory"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "system.memory"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "description": "",
+ "params": {
+ "axis_formatter": "number",
+ "axis_position": "left",
+ "axis_scale": "normal",
+ "background_color_rules": [
+ {
+ "id": "6f7618b0-4d5c-11e7-aa29-87a97a796de6"
+ }
+ ],
+ "drop_last_bucket": 1,
+ "filter": {
+ "language": "kuery",
+ "query": "data_stream.dataset : \"system.memory\""
+ },
+ "hide_last_value_indicator": true,
+ "id": "6bc65720-4d5c-11e7-aa29-87a97a796de6",
+ "index_pattern": "metrics-*",
+ "interval": "auto",
+ "isModelInvalid": false,
+ "max_lines_legend": 1,
+ "series": [
+ {
+ "axis_position": "right",
+ "chart_type": "line",
+ "color": "#68BC00",
+ "fill": 0.5,
+ "formatter": "bytes",
+ "id": "6bc65721-4d5c-11e7-aa29-87a97a796de6",
+ "label": "Memory usage",
+ "line_width": 1,
+ "metrics": [
+ {
+ "field": "system.memory.actual.used.bytes",
+ "id": "6bc65722-4d5c-11e7-aa29-87a97a796de6",
+ "type": "avg"
+ }
+ ],
+ "point_size": 1,
+ "seperate_axis": 0,
+ "split_color_mode": "gradient",
+ "split_mode": "everything",
+ "stacked": "none",
+ "time_range_mode": "entire_time_range"
+ },
+ {
+ "axis_position": "right",
+ "chart_type": "line",
+ "color": "#68BC00",
+ "fill": 0.5,
+ "formatter": "bytes",
+ "id": "b8fe6820-4d5c-11e7-aa29-87a97a796de6",
+ "label": "Total Memory",
+ "line_width": 1,
+ "metrics": [
+ {
+ "field": "system.memory.total",
+ "id": "b8fe6821-4d5c-11e7-aa29-87a97a796de6",
+ "type": "avg"
+ }
+ ],
+ "point_size": 1,
+ "seperate_axis": 0,
+ "split_color_mode": "gradient",
+ "split_mode": "everything",
+ "stacked": "none",
+ "time_range_mode": "entire_time_range"
+ }
+ ],
+ "show_grid": 1,
+ "show_legend": 1,
+ "time_field": "@timestamp",
+ "time_range_mode": "last_value",
+ "tooltip_mode": "show_all",
+ "truncate_legend": 1,
+ "type": "metric",
+ "use_kibana_indexes": false
+ },
+ "title": "",
+ "type": "metrics",
+ "uiState": {}
+ },
+ "type": "visualization"
+ },
+ "gridData": {
+ "h": 8,
+ "i": "79d36896-445a-4904-ad18-e0234fd9ca3f",
+ "w": 12,
+ "x": 12,
+ "y": 14
+ },
+ "panelIndex": "79d36896-445a-4904-ad18-e0234fd9ca3f",
+ "title": "Memory usage vs total [Metrics System]",
+ "type": "visualization",
+ "version": "8.6.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "hidePanelTitles": true,
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "system.fsstat"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "system.fsstat"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "description": "",
+ "params": {
+ "axis_formatter": "number",
+ "axis_position": "left",
+ "axis_scale": "normal",
+ "drop_last_bucket": 1,
+ "filter": {
+ "language": "kuery",
+ "query": "data_stream.dataset : \"system.fsstat\""
+ },
+ "gauge_color_rules": [
+ {
+ "gauge": "rgba(32,146,128,1)",
+ "id": "51921d10-4d1d-11e7-b5f2-2b7c1895bf32",
+ "operator": "gte",
+ "value": 0
+ },
+ {
+ "gauge": "rgba(214,191,87,1)",
+ "id": "f26de750-4d54-11e7-b5f2-2b7c1895bf32",
+ "operator": "gte",
+ "value": 0.7
+ },
+ {
+ "gauge": "rgba(204,86,66,1)",
+ "id": "fa31d190-4d54-11e7-b5f2-2b7c1895bf32",
+ "operator": "gte",
+ "value": 0.85
+ },
+ {
+ "gauge": "rgba(32,146,128,1)",
+ "id": "79158349-1f03-4701-8ecc-c882c2b13ff3",
+ "operator": "empty",
+ "value": null
+ }
+ ],
+ "gauge_inner_width": 10,
+ "gauge_max": "1",
+ "gauge_style": "half",
+ "gauge_width": 10,
+ "hide_last_value_indicator": true,
+ "id": "4e4dc780-4d1d-11e7-b5f2-2b7c1895bf32",
+ "index_pattern": "metrics-*",
+ "interval": "auto",
+ "isModelInvalid": false,
+ "max_lines_legend": 1,
+ "series": [
+ {
+ "axis_position": "right",
+ "chart_type": "line",
+ "color": "#68BC00",
+ "fill": 0.5,
+ "formatter": "percent",
+ "id": "4e4dee90-4d1d-11e7-b5f2-2b7c1895bf32",
+ "label": "Disk used",
+ "line_width": 1,
+ "metrics": [
+ {
+ "agg_with": "avg",
+ "field": "system.fsstat.total_size.used",
+ "id": "4e4dee91-4d1d-11e7-b5f2-2b7c1895bf32",
+ "order": "desc",
+ "order_by": "@timestamp",
+ "size": 1,
+ "type": "top_hit"
+ },
+ {
+ "agg_with": "avg",
+ "field": "system.fsstat.total_size.total",
+ "id": "57c96ee0-4d54-11e7-b5f2-2b7c1895bf32",
+ "order": "desc",
+ "order_by": "@timestamp",
+ "size": 1,
+ "type": "top_hit"
+ },
+ {
+ "id": "6304cca0-4d54-11e7-b5f2-2b7c1895bf32",
+ "script": "params.used/params.total ",
+ "type": "math",
+ "variables": [
+ {
+ "field": "4e4dee91-4d1d-11e7-b5f2-2b7c1895bf32",
+ "id": "6da10430-4d54-11e7-b5f2-2b7c1895bf32",
+ "name": "used"
+ },
+ {
+ "field": "57c96ee0-4d54-11e7-b5f2-2b7c1895bf32",
+ "id": "73b8c510-4d54-11e7-b5f2-2b7c1895bf32",
+ "name": "total"
+ }
+ ]
+ }
+ ],
+ "point_size": 1,
+ "seperate_axis": 0,
+ "split_color_mode": "gradient",
+ "split_mode": "everything",
+ "stacked": "none",
+ "time_range_mode": "entire_time_range"
+ }
+ ],
+ "show_grid": 1,
+ "show_legend": 1,
+ "time_field": "@timestamp",
+ "time_range_mode": "last_value",
+ "tooltip_mode": "show_all",
+ "truncate_legend": 1,
+ "type": "gauge",
+ "use_kibana_indexes": false
+ },
+ "title": "",
+ "type": "metrics",
+ "uiState": {}
+ },
+ "type": "visualization"
+ },
+ "gridData": {
+ "h": 8,
+ "i": "81d645ce-9d97-499f-9117-b3e662caee53",
+ "w": 12,
+ "x": 24,
+ "y": 14
+ },
+ "panelIndex": "81d645ce-9d97-499f-9117-b3e662caee53",
+ "title": "Disk Used [Metrics System]",
+ "type": "visualization",
+ "version": "8.6.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {
+ "filter": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "description": "",
+ "id": "",
+ "params": {
+ "fontSize": 12,
+ "markdown": "### CPU",
+ "openLinksInNewTab": false
+ },
+ "title": "",
+ "type": "markdown",
+ "uiState": {}
+ },
+ "type": "visualization"
+ },
+ "gridData": {
+ "h": 3,
+ "i": "958f18a3-3163-4d3b-a9ba-b917c5528f79",
+ "w": 48,
+ "x": 0,
+ "y": 22
+ },
+ "panelIndex": "958f18a3-3163-4d3b-a9ba-b917c5528f79",
+ "type": "visualization",
+ "version": "8.6.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-7e73c5a0-687d-49a1-9431-d445b9698b64",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "4a1e24c8-23cf-41d6-805c-b73aac7e9531",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "7e73c5a0-687d-49a1-9431-d445b9698b64": {
+ "columnOrder": [
+ "f4b209b5-853c-44ef-9bb2-abbbaa5612ef",
+ "c9120817-6c14-43d9-9cc7-14aa03a27634",
+ "09875540-a6e2-4509-a801-eca27e129cf5"
+ ],
+ "columns": {
+ "09875540-a6e2-4509-a801-eca27e129cf5": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Last value",
+ "operationType": "last_value",
+ "params": {
+ "format": {
+ "id": "percent",
+ "params": {
+ "decimals": 2
+ }
+ },
+ "showArrayValues": true,
+ "sortField": "@timestamp"
+ },
+ "scale": "ratio",
+ "sourceField": "process.cpu.pct"
+ },
+ "c9120817-6c14-43d9-9cc7-14aa03a27634": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Average",
+ "operationType": "average",
+ "params": {
+ "format": {
+ "id": "percent",
+ "params": {
+ "decimals": 2
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "process.cpu.pct"
+ },
+ "f4b209b5-853c-44ef-9bb2-abbbaa5612ef": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Process",
+ "operationType": "terms",
+ "params": {
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "c9120817-6c14-43d9-9cc7-14aa03a27634",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 20
+ },
+ "scale": "ordinal",
+ "sourceField": "process.name"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "4a1e24c8-23cf-41d6-805c-b73aac7e9531",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "system.process"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "system.process"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": "process.cpu.pct: *"
+ },
+ "visualization": {
+ "columns": [
+ {
+ "columnId": "f4b209b5-853c-44ef-9bb2-abbbaa5612ef"
+ },
+ {
+ "colorMode": "cell",
+ "columnId": "c9120817-6c14-43d9-9cc7-14aa03a27634",
+ "palette": {
+ "name": "positive",
+ "params": {
+ "continuity": "above",
+ "name": "positive",
+ "rangeMax": null,
+ "rangeMin": 0,
+ "reverse": false,
+ "stops": [
+ {
+ "color": "#d6e9e4",
+ "stop": 0
+ },
+ {
+ "color": "#aed3ca",
+ "stop": 20
+ },
+ {
+ "color": "#85bdb1",
+ "stop": 40
+ },
+ {
+ "color": "#5aa898",
+ "stop": 60
+ },
+ {
+ "color": "#209280",
+ "stop": 80
+ }
+ ]
+ },
+ "type": "palette"
+ },
+ "width": 88
+ },
+ {
+ "colorMode": "cell",
+ "columnId": "09875540-a6e2-4509-a801-eca27e129cf5",
+ "isTransposed": false,
+ "palette": {
+ "name": "positive",
+ "params": {
+ "stops": [
+ {
+ "color": "#d6e9e4",
+ "stop": 20
+ },
+ {
+ "color": "#aed3ca",
+ "stop": 40
+ },
+ {
+ "color": "#85bdb1",
+ "stop": 60
+ },
+ {
+ "color": "#5aa898",
+ "stop": 80
+ },
+ {
+ "color": "#209280",
+ "stop": 100
+ }
+ ]
+ },
+ "type": "palette"
+ },
+ "width": 102.5
+ }
+ ],
+ "layerId": "7e73c5a0-687d-49a1-9431-d445b9698b64",
+ "layerType": "data",
+ "rowHeight": "single",
+ "rowHeightLines": 1
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {},
+ "type": "lens"
+ },
+ "gridData": {
+ "h": 15,
+ "i": "b479c652-8d38-47ed-8599-be33592ebffe",
+ "w": 11,
+ "x": 0,
+ "y": 25
+ },
+ "panelIndex": "b479c652-8d38-47ed-8599-be33592ebffe",
+ "title": "Top Processes by CPU Usage",
+ "type": "lens",
+ "version": "8.6.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-8da587a6-a617-4bd4-9ae5-dffb9c6343f8",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "497fbd26-58ef-4073-ac3f-024ba1789d9a",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "8da587a6-a617-4bd4-9ae5-dffb9c6343f8": {
+ "columnOrder": [
+ "75bae7c5-d933-4999-ab28-05ccff25a382",
+ "5572d1db-8760-4518-aaeb-33e6843a17c6",
+ "f0a4086c-3976-47bb-b67a-2f73c8ed1f03",
+ "ca53d73b-1fbb-4864-8c6a-c71cc6e64aba",
+ "11e92f7e-a84a-4ce7-a97a-a31729fa5835",
+ "0eb945ae-3601-40ce-8951-3aeed0555712",
+ "b17f720c-5d06-4ba6-8390-8ffbd8b3d4bd",
+ "5572d1db-8760-4518-aaeb-33e6843a17c6X0",
+ "f0a4086c-3976-47bb-b67a-2f73c8ed1f03X0",
+ "ca53d73b-1fbb-4864-8c6a-c71cc6e64abaX0",
+ "11e92f7e-a84a-4ce7-a97a-a31729fa5835X0",
+ "0eb945ae-3601-40ce-8951-3aeed0555712X0",
+ "b17f720c-5d06-4ba6-8390-8ffbd8b3d4bdX0"
+ ],
+ "columns": {
+ "0eb945ae-3601-40ce-8951-3aeed0555712": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "softirq",
+ "operationType": "formula",
+ "params": {
+ "format": {
+ "id": "percent",
+ "params": {
+ "decimals": 2
+ }
+ },
+ "formula": "average(system.cpu.softirq.norm.pct)",
+ "isFormulaBroken": false
+ },
+ "references": [
+ "0eb945ae-3601-40ce-8951-3aeed0555712X0"
+ ],
+ "scale": "ratio"
+ },
+ "0eb945ae-3601-40ce-8951-3aeed0555712X0": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Part of softirq",
+ "operationType": "average",
+ "scale": "ratio",
+ "sourceField": "system.cpu.softirq.norm.pct"
+ },
+ "11e92f7e-a84a-4ce7-a97a-a31729fa5835": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "irq",
+ "operationType": "formula",
+ "params": {
+ "format": {
+ "id": "percent",
+ "params": {
+ "decimals": 2
+ }
+ },
+ "formula": "average(system.cpu.irq.norm.pct)",
+ "isFormulaBroken": false
+ },
+ "references": [
+ "11e92f7e-a84a-4ce7-a97a-a31729fa5835X0"
+ ],
+ "scale": "ratio"
+ },
+ "11e92f7e-a84a-4ce7-a97a-a31729fa5835X0": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Part of irq",
+ "operationType": "average",
+ "scale": "ratio",
+ "sourceField": "system.cpu.irq.norm.pct"
+ },
+ "5572d1db-8760-4518-aaeb-33e6843a17c6": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "user",
+ "operationType": "formula",
+ "params": {
+ "format": {
+ "id": "percent",
+ "params": {
+ "decimals": 2
+ }
+ },
+ "formula": "average(system.cpu.user.norm.pct)",
+ "isFormulaBroken": false
+ },
+ "references": [
+ "5572d1db-8760-4518-aaeb-33e6843a17c6X0"
+ ],
+ "scale": "ratio"
+ },
+ "5572d1db-8760-4518-aaeb-33e6843a17c6X0": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Part of user",
+ "operationType": "average",
+ "scale": "ratio",
+ "sourceField": "system.cpu.user.norm.pct"
+ },
+ "75bae7c5-d933-4999-ab28-05ccff25a382": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "b17f720c-5d06-4ba6-8390-8ffbd8b3d4bd": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "iowait",
+ "operationType": "formula",
+ "params": {
+ "format": {
+ "id": "percent",
+ "params": {
+ "decimals": 2
+ }
+ },
+ "formula": "average(system.cpu.iowait.norm.pct)",
+ "isFormulaBroken": false
+ },
+ "references": [
+ "b17f720c-5d06-4ba6-8390-8ffbd8b3d4bdX0"
+ ],
+ "scale": "ratio"
+ },
+ "b17f720c-5d06-4ba6-8390-8ffbd8b3d4bdX0": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Part of iowait",
+ "operationType": "average",
+ "scale": "ratio",
+ "sourceField": "system.cpu.iowait.norm.pct"
+ },
+ "ca53d73b-1fbb-4864-8c6a-c71cc6e64aba": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "nice",
+ "operationType": "formula",
+ "params": {
+ "format": {
+ "id": "percent",
+ "params": {
+ "decimals": 2
+ }
+ },
+ "formula": "average(system.cpu.nice.norm.pct)",
+ "isFormulaBroken": false
+ },
+ "references": [
+ "ca53d73b-1fbb-4864-8c6a-c71cc6e64abaX0"
+ ],
+ "scale": "ratio"
+ },
+ "ca53d73b-1fbb-4864-8c6a-c71cc6e64abaX0": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Part of nice",
+ "operationType": "average",
+ "scale": "ratio",
+ "sourceField": "system.cpu.nice.norm.pct"
+ },
+ "f0a4086c-3976-47bb-b67a-2f73c8ed1f03": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "system",
+ "operationType": "formula",
+ "params": {
+ "format": {
+ "id": "percent",
+ "params": {
+ "decimals": 2
+ }
+ },
+ "formula": "average(system.cpu.system.norm.pct)",
+ "isFormulaBroken": false
+ },
+ "references": [
+ "f0a4086c-3976-47bb-b67a-2f73c8ed1f03X0"
+ ],
+ "scale": "ratio"
+ },
+ "f0a4086c-3976-47bb-b67a-2f73c8ed1f03X0": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Part of system",
+ "operationType": "average",
+ "scale": "ratio",
+ "sourceField": "system.cpu.system.norm.pct"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "497fbd26-58ef-4073-ac3f-024ba1789d9a",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "system.cpu"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "system.cpu"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": false,
+ "yLeft": false,
+ "yRight": true
+ },
+ "hideEndzones": true,
+ "layers": [
+ {
+ "accessors": [
+ "5572d1db-8760-4518-aaeb-33e6843a17c6",
+ "f0a4086c-3976-47bb-b67a-2f73c8ed1f03",
+ "ca53d73b-1fbb-4864-8c6a-c71cc6e64aba",
+ "11e92f7e-a84a-4ce7-a97a-a31729fa5835",
+ "0eb945ae-3601-40ce-8951-3aeed0555712",
+ "b17f720c-5d06-4ba6-8390-8ffbd8b3d4bd"
+ ],
+ "layerId": "8da587a6-a617-4bd4-9ae5-dffb9c6343f8",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "bar_stacked",
+ "showGridlines": false,
+ "xAccessor": "75bae7c5-d933-4999-ab28-05ccff25a382"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "legendSize": "auto",
+ "position": "right"
+ },
+ "preferredSeriesType": "bar_stacked",
+ "title": "Empty XY chart",
+ "valueLabels": "hide",
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yRightExtent": {
+ "mode": "full"
+ }
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "type": "lens"
+ },
+ "gridData": {
+ "h": 15,
+ "i": "43ee6ea2-797b-4ef6-83da-c81b9594f694",
+ "w": 19,
+ "x": 11,
+ "y": 25
+ },
+ "panelIndex": "43ee6ea2-797b-4ef6-83da-c81b9594f694",
+ "title": "CPU Usage",
+ "type": "lens",
+ "version": "8.6.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-60c0e8b2-20ab-4451-87a6-5a7d2241ccb0",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "d251cb14-5566-4617-b12d-9d587f9c11a8",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "60c0e8b2-20ab-4451-87a6-5a7d2241ccb0": {
+ "columnOrder": [
+ "ddc223d8-7456-4545-957d-3cad10a34329",
+ "c4d344af-62bd-4678-baf6-542cc91acb73",
+ "9935f59e-9e3b-4ae1-b2c7-1c303403def8",
+ "da273a36-6477-4984-a0e9-e71cf17c561c",
+ "c4d344af-62bd-4678-baf6-542cc91acb73X0",
+ "9935f59e-9e3b-4ae1-b2c7-1c303403def8X0",
+ "da273a36-6477-4984-a0e9-e71cf17c561cX0"
+ ],
+ "columns": {
+ "9935f59e-9e3b-4ae1-b2c7-1c303403def8": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "5m",
+ "operationType": "formula",
+ "params": {
+ "formula": "average(system.load.5)",
+ "isFormulaBroken": false
+ },
+ "references": [
+ "9935f59e-9e3b-4ae1-b2c7-1c303403def8X0"
+ ],
+ "scale": "ratio"
+ },
+ "9935f59e-9e3b-4ae1-b2c7-1c303403def8X0": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Part of 5m",
+ "operationType": "average",
+ "scale": "ratio",
+ "sourceField": "system.load.5"
+ },
+ "c4d344af-62bd-4678-baf6-542cc91acb73": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "1m",
+ "operationType": "formula",
+ "params": {
+ "formula": "average(system.load.1)",
+ "isFormulaBroken": false
+ },
+ "references": [
+ "c4d344af-62bd-4678-baf6-542cc91acb73X0"
+ ],
+ "scale": "ratio"
+ },
+ "c4d344af-62bd-4678-baf6-542cc91acb73X0": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Part of 1m",
+ "operationType": "average",
+ "scale": "ratio",
+ "sourceField": "system.load.1"
+ },
+ "da273a36-6477-4984-a0e9-e71cf17c561c": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "15m",
+ "operationType": "formula",
+ "params": {
+ "formula": "average(system.load.15)",
+ "isFormulaBroken": false
+ },
+ "references": [
+ "da273a36-6477-4984-a0e9-e71cf17c561cX0"
+ ],
+ "scale": "ratio"
+ },
+ "da273a36-6477-4984-a0e9-e71cf17c561cX0": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Part of 15m",
+ "operationType": "average",
+ "scale": "ratio",
+ "sourceField": "system.load.15"
+ },
+ "ddc223d8-7456-4545-957d-3cad10a34329": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "d251cb14-5566-4617-b12d-9d587f9c11a8",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "system.load"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "system.load"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": false,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "c4d344af-62bd-4678-baf6-542cc91acb73",
+ "9935f59e-9e3b-4ae1-b2c7-1c303403def8",
+ "da273a36-6477-4984-a0e9-e71cf17c561c"
+ ],
+ "layerId": "60c0e8b2-20ab-4451-87a6-5a7d2241ccb0",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "line",
+ "showGridlines": false,
+ "xAccessor": "ddc223d8-7456-4545-957d-3cad10a34329",
+ "yConfig": [
+ {
+ "color": "#209280",
+ "forAccessor": "c4d344af-62bd-4678-baf6-542cc91acb73"
+ },
+ {
+ "color": "#77b6a8",
+ "forAccessor": "9935f59e-9e3b-4ae1-b2c7-1c303403def8"
+ },
+ {
+ "color": "#bbdad3",
+ "forAccessor": "da273a36-6477-4984-a0e9-e71cf17c561c"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "legendSize": "auto",
+ "position": "right"
+ },
+ "preferredSeriesType": "line",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yRightExtent": {
+ "mode": "full"
+ }
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "type": "lens"
+ },
+ "gridData": {
+ "h": 15,
+ "i": "dcf35812-283d-4cc7-b7bb-76419f5231fc",
+ "w": 18,
+ "x": 30,
+ "y": 25
+ },
+ "panelIndex": "dcf35812-283d-4cc7-b7bb-76419f5231fc",
+ "title": "System load",
+ "type": "lens",
+ "version": "8.6.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {
+ "filter": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "description": "",
+ "params": {
+ "fontSize": 12,
+ "markdown": "### Memory",
+ "openLinksInNewTab": false
+ },
+ "title": "",
+ "type": "markdown",
+ "uiState": {}
+ },
+ "type": "visualization"
+ },
+ "gridData": {
+ "h": 3,
+ "i": "0aa7a83d-82f4-46d2-9e9e-10f2e63c7575",
+ "w": 48,
+ "x": 0,
+ "y": 40
+ },
+ "panelIndex": "0aa7a83d-82f4-46d2-9e9e-10f2e63c7575",
+ "title": "",
+ "type": "visualization",
+ "version": "8.6.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-7e73c5a0-687d-49a1-9431-d445b9698b64",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "45f7e45b-a19f-471f-9437-d2cdb13e836d",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "7e73c5a0-687d-49a1-9431-d445b9698b64": {
+ "columnOrder": [
+ "f4b209b5-853c-44ef-9bb2-abbbaa5612ef",
+ "c9120817-6c14-43d9-9cc7-14aa03a27634",
+ "1e8576bb-67d1-458a-973f-144560cc3cfd"
+ ],
+ "columns": {
+ "1e8576bb-67d1-458a-973f-144560cc3cfd": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Last value",
+ "operationType": "last_value",
+ "params": {
+ "format": {
+ "id": "percent",
+ "params": {
+ "decimals": 2
+ }
+ },
+ "showArrayValues": true,
+ "sortField": "@timestamp"
+ },
+ "scale": "ratio",
+ "sourceField": "system.process.memory.rss.pct"
+ },
+ "c9120817-6c14-43d9-9cc7-14aa03a27634": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Average",
+ "operationType": "average",
+ "params": {
+ "format": {
+ "id": "percent",
+ "params": {
+ "decimals": 2
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "system.process.memory.rss.pct"
+ },
+ "f4b209b5-853c-44ef-9bb2-abbbaa5612ef": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Process",
+ "operationType": "terms",
+ "params": {
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "c9120817-6c14-43d9-9cc7-14aa03a27634",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "process.name"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "45f7e45b-a19f-471f-9437-d2cdb13e836d",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "system.process"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "system.process"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": "system.process.memory.rss.pct: *"
+ },
+ "visualization": {
+ "columns": [
+ {
+ "columnId": "f4b209b5-853c-44ef-9bb2-abbbaa5612ef"
+ },
+ {
+ "colorMode": "cell",
+ "columnId": "c9120817-6c14-43d9-9cc7-14aa03a27634",
+ "palette": {
+ "name": "positive",
+ "params": {
+ "stops": [
+ {
+ "color": "#d6e9e4",
+ "stop": 20
+ },
+ {
+ "color": "#aed3ca",
+ "stop": 40
+ },
+ {
+ "color": "#85bdb1",
+ "stop": 60
+ },
+ {
+ "color": "#5aa898",
+ "stop": 80
+ },
+ {
+ "color": "#209280",
+ "stop": 100
+ }
+ ]
+ },
+ "type": "palette"
+ },
+ "width": 85
+ },
+ {
+ "colorMode": "cell",
+ "columnId": "1e8576bb-67d1-458a-973f-144560cc3cfd",
+ "isTransposed": false,
+ "palette": {
+ "name": "positive",
+ "params": {
+ "stops": [
+ {
+ "color": "#d6e9e4",
+ "stop": 20
+ },
+ {
+ "color": "#aed3ca",
+ "stop": 40
+ },
+ {
+ "color": "#85bdb1",
+ "stop": 60
+ },
+ {
+ "color": "#5aa898",
+ "stop": 80
+ },
+ {
+ "color": "#209280",
+ "stop": 100
+ }
+ ]
+ },
+ "type": "palette"
+ },
+ "width": 97.5
+ }
+ ],
+ "layerId": "7e73c5a0-687d-49a1-9431-d445b9698b64",
+ "layerType": "data",
+ "rowHeight": "single",
+ "rowHeightLines": 1
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {},
+ "type": "lens"
+ },
+ "gridData": {
+ "h": 12,
+ "i": "5be13ea6-48db-4fc3-8213-20e4736be04e",
+ "w": 11,
+ "x": 0,
+ "y": 43
+ },
+ "panelIndex": "5be13ea6-48db-4fc3-8213-20e4736be04e",
+ "title": "Top Processes by Memory Usage",
+ "type": "lens",
+ "version": "8.6.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-b517c683-82f8-48e6-bfce-ee0568c45958",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "2044f8ca-61ce-4e33-8768-0c31694a5c76",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "b517c683-82f8-48e6-bfce-ee0568c45958": {
+ "columnOrder": [
+ "37a9160d-30f4-4aee-80b0-4fba3b047938",
+ "ac2bf785-8ec5-4d8c-b83d-7aaeac97c8f1",
+ "807db5e3-119b-46e9-8361-b97d04e78d09",
+ "807db5e3-119b-46e9-8361-b97d04e78d09X0",
+ "807db5e3-119b-46e9-8361-b97d04e78d09X1",
+ "807db5e3-119b-46e9-8361-b97d04e78d09X2",
+ "6731f7a3-a13c-40ad-9552-74b2789297df",
+ "6731f7a3-a13c-40ad-9552-74b2789297dfX0"
+ ],
+ "columns": {
+ "37a9160d-30f4-4aee-80b0-4fba3b047938": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "6731f7a3-a13c-40ad-9552-74b2789297df": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Free",
+ "operationType": "formula",
+ "params": {
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 2
+ }
+ },
+ "formula": "average(system.memory.free)",
+ "isFormulaBroken": false
+ },
+ "references": [
+ "6731f7a3-a13c-40ad-9552-74b2789297dfX0"
+ ],
+ "scale": "ratio"
+ },
+ "6731f7a3-a13c-40ad-9552-74b2789297dfX0": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Part of Free",
+ "operationType": "average",
+ "scale": "ratio",
+ "sourceField": "system.memory.free"
+ },
+ "807db5e3-119b-46e9-8361-b97d04e78d09": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Cache",
+ "operationType": "formula",
+ "params": {
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 2
+ }
+ },
+ "formula": "average(system.memory.used.bytes) - average(system.memory.actual.used.bytes)",
+ "isFormulaBroken": false
+ },
+ "references": [
+ "807db5e3-119b-46e9-8361-b97d04e78d09X2"
+ ],
+ "scale": "ratio"
+ },
+ "807db5e3-119b-46e9-8361-b97d04e78d09X0": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Part of Cache",
+ "operationType": "average",
+ "scale": "ratio",
+ "sourceField": "system.memory.used.bytes"
+ },
+ "807db5e3-119b-46e9-8361-b97d04e78d09X1": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Part of Cache",
+ "operationType": "average",
+ "scale": "ratio",
+ "sourceField": "system.memory.actual.used.bytes"
+ },
+ "807db5e3-119b-46e9-8361-b97d04e78d09X2": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Part of Cache",
+ "operationType": "math",
+ "params": {
+ "tinymathAst": {
+ "args": [
+ "807db5e3-119b-46e9-8361-b97d04e78d09X0",
+ "807db5e3-119b-46e9-8361-b97d04e78d09X1"
+ ],
+ "location": {
+ "max": 76,
+ "min": 0
+ },
+ "name": "subtract",
+ "text": "average(system.memory.used.bytes) - average(system.memory.actual.used.bytes)",
+ "type": "function"
+ }
+ },
+ "references": [
+ "807db5e3-119b-46e9-8361-b97d04e78d09X0",
+ "807db5e3-119b-46e9-8361-b97d04e78d09X1"
+ ],
+ "scale": "ratio"
+ },
+ "ac2bf785-8ec5-4d8c-b83d-7aaeac97c8f1": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Used",
+ "operationType": "average",
+ "params": {
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 2
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "system.memory.actual.used.bytes"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "2044f8ca-61ce-4e33-8768-0c31694a5c76",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "system.memory"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "system.memory"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": false,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "hideEndzones": true,
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "ac2bf785-8ec5-4d8c-b83d-7aaeac97c8f1",
+ "807db5e3-119b-46e9-8361-b97d04e78d09",
+ "6731f7a3-a13c-40ad-9552-74b2789297df"
+ ],
+ "layerId": "b517c683-82f8-48e6-bfce-ee0568c45958",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "area_stacked",
+ "showGridlines": false,
+ "xAccessor": "37a9160d-30f4-4aee-80b0-4fba3b047938"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "legendSize": "auto",
+ "position": "right"
+ },
+ "preferredSeriesType": "area_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yRightExtent": {
+ "mode": "full"
+ }
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "type": "lens"
+ },
+ "gridData": {
+ "h": 12,
+ "i": "7138d681-0dc7-4055-a4c5-8395db1aa1e8",
+ "w": 30,
+ "x": 11,
+ "y": 43
+ },
+ "panelIndex": "7138d681-0dc7-4055-a4c5-8395db1aa1e8",
+ "title": "Memory usage",
+ "type": "lens",
+ "version": "8.6.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "hidePanelTitles": true,
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "system.memory"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "system.memory"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "description": "",
+ "params": {
+ "axis_formatter": "number",
+ "axis_position": "left",
+ "axis_scale": "normal",
+ "drop_last_bucket": 1,
+ "filter": {
+ "language": "kuery",
+ "query": "data_stream.dataset : \"system.memory\""
+ },
+ "gauge_color_rules": [
+ {
+ "gauge": "rgba(32,146,128,1)",
+ "id": "d17c1e90-4d59-11e7-aee5-fdc812cc3bec",
+ "operator": "gte",
+ "value": 0
+ },
+ {
+ "gauge": "rgba(214,191,87,1)",
+ "id": "fc1d3490-4d59-11e7-aee5-fdc812cc3bec",
+ "operator": "gte",
+ "value": 0.7
+ },
+ {
+ "gauge": "rgba(204,86,66,1)",
+ "id": "0e204240-4d5a-11e7-aee5-fdc812cc3bec",
+ "operator": "gte",
+ "value": 0.85
+ },
+ {
+ "gauge": "rgba(32,146,128,1)",
+ "id": "466e9835-712f-469c-8f00-edda88559776",
+ "operator": "empty",
+ "value": null
+ }
+ ],
+ "gauge_inner_width": 10,
+ "gauge_max": "",
+ "gauge_style": "half",
+ "gauge_width": 10,
+ "hide_last_value_indicator": true,
+ "id": "cee2fd20-4d59-11e7-aee5-fdc812cc3bec",
+ "index_pattern": "metrics-*",
+ "interval": "auto",
+ "isModelInvalid": false,
+ "max_lines_legend": 1,
+ "series": [
+ {
+ "axis_position": "right",
+ "chart_type": "line",
+ "color": "#68BC00",
+ "fill": 0.5,
+ "formatter": "percent",
+ "id": "cee2fd21-4d59-11e7-aee5-fdc812cc3bec",
+ "label": "Swap usage",
+ "line_width": 1,
+ "metrics": [
+ {
+ "field": "system.memory.swap.used.pct",
+ "id": "cee2fd22-4d59-11e7-aee5-fdc812cc3bec",
+ "type": "avg"
+ }
+ ],
+ "point_size": 1,
+ "seperate_axis": 0,
+ "split_color_mode": "gradient",
+ "split_mode": "everything",
+ "stacked": "none",
+ "time_range_mode": "entire_time_range"
+ }
+ ],
+ "show_grid": 1,
+ "show_legend": 1,
+ "time_field": "@timestamp",
+ "time_range_mode": "entire_time_range",
+ "tooltip_mode": "show_all",
+ "truncate_legend": 1,
+ "type": "gauge",
+ "use_kibana_indexes": false
+ },
+ "title": "",
+ "type": "metrics",
+ "uiState": {}
+ },
+ "type": "visualization"
+ },
+ "gridData": {
+ "h": 12,
+ "i": "c2428ef6-13fa-4254-9ab0-6be1c80a82d4",
+ "w": 7,
+ "x": 41,
+ "y": 43
+ },
+ "panelIndex": "c2428ef6-13fa-4254-9ab0-6be1c80a82d4",
+ "title": "Swap usage [Metrics System]",
+ "type": "visualization",
+ "version": "8.6.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {
+ "filter": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "description": "",
+ "params": {
+ "fontSize": 12,
+ "markdown": "### Disk",
+ "openLinksInNewTab": false
+ },
+ "title": "",
+ "type": "markdown",
+ "uiState": {}
+ },
+ "type": "visualization"
+ },
+ "gridData": {
+ "h": 3,
+ "i": "a41333eb-ba79-4557-9819-820de64abdf6",
+ "w": 48,
+ "x": 0,
+ "y": 55
+ },
+ "panelIndex": "a41333eb-ba79-4557-9819-820de64abdf6",
+ "title": "",
+ "type": "visualization",
+ "version": "8.6.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-7e73c5a0-687d-49a1-9431-d445b9698b64",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "4319b26f-d004-4331-bda3-3d2771c47381",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "7e73c5a0-687d-49a1-9431-d445b9698b64": {
+ "columnOrder": [
+ "f4b209b5-853c-44ef-9bb2-abbbaa5612ef",
+ "c9120817-6c14-43d9-9cc7-14aa03a27634",
+ "a7e79c34-8ff8-4705-ae1b-5122ca2d2863"
+ ],
+ "columns": {
+ "a7e79c34-8ff8-4705-ae1b-5122ca2d2863": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Last value",
+ "operationType": "last_value",
+ "params": {
+ "format": {
+ "id": "percent",
+ "params": {
+ "decimals": 2
+ }
+ },
+ "showArrayValues": true,
+ "sortField": "@timestamp"
+ },
+ "scale": "ratio",
+ "sourceField": "system.filesystem.used.pct"
+ },
+ "c9120817-6c14-43d9-9cc7-14aa03a27634": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Average",
+ "operationType": "average",
+ "params": {
+ "format": {
+ "id": "percent",
+ "params": {
+ "decimals": 2
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "system.filesystem.used.pct"
+ },
+ "f4b209b5-853c-44ef-9bb2-abbbaa5612ef": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Mountpoint",
+ "operationType": "terms",
+ "params": {
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "c9120817-6c14-43d9-9cc7-14aa03a27634",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "system.filesystem.mount_point"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "4319b26f-d004-4331-bda3-3d2771c47381",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "system.filesystem"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "system.filesystem"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": "system.filesystem.used.pct: *"
+ },
+ "visualization": {
+ "columns": [
+ {
+ "columnId": "f4b209b5-853c-44ef-9bb2-abbbaa5612ef"
+ },
+ {
+ "colorMode": "cell",
+ "columnId": "c9120817-6c14-43d9-9cc7-14aa03a27634",
+ "palette": {
+ "name": "positive",
+ "params": {
+ "stops": [
+ {
+ "color": "#d6e9e4",
+ "stop": 20
+ },
+ {
+ "color": "#aed3ca",
+ "stop": 40
+ },
+ {
+ "color": "#85bdb1",
+ "stop": 60
+ },
+ {
+ "color": "#5aa898",
+ "stop": 80
+ },
+ {
+ "color": "#209280",
+ "stop": 100
+ }
+ ]
+ },
+ "type": "palette"
+ },
+ "width": 88
+ },
+ {
+ "colorMode": "cell",
+ "columnId": "a7e79c34-8ff8-4705-ae1b-5122ca2d2863",
+ "isTransposed": false,
+ "palette": {
+ "name": "positive",
+ "params": {
+ "stops": [
+ {
+ "color": "#d6e9e4",
+ "stop": 20
+ },
+ {
+ "color": "#aed3ca",
+ "stop": 40
+ },
+ {
+ "color": "#85bdb1",
+ "stop": 60
+ },
+ {
+ "color": "#5aa898",
+ "stop": 80
+ },
+ {
+ "color": "#209280",
+ "stop": 100
+ }
+ ]
+ },
+ "type": "palette"
+ },
+ "width": 101
+ }
+ ],
+ "layerId": "7e73c5a0-687d-49a1-9431-d445b9698b64",
+ "layerType": "data",
+ "rowHeight": "single",
+ "rowHeightLines": 1
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {},
+ "type": "lens"
+ },
+ "gridData": {
+ "h": 10,
+ "i": "40c809d8-2728-4ead-a85a-02ac2c3c346e",
+ "w": 11,
+ "x": 0,
+ "y": 58
+ },
+ "panelIndex": "40c809d8-2728-4ead-a85a-02ac2c3c346e",
+ "title": "Top mountpoints by disk usage",
+ "type": "lens",
+ "version": "8.6.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "system.diskio"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "system.diskio"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "description": "",
+ "params": {
+ "axis_formatter": "number",
+ "axis_position": "left",
+ "axis_scale": "normal",
+ "drop_last_bucket": 1,
+ "filter": {
+ "language": "kuery",
+ "query": "data_stream.dataset : \"system.diskio\""
+ },
+ "id": "d3c67db0-1b1a-11e7-b09e-037021c4f8df",
+ "index_pattern": "metrics-*",
+ "interval": "auto",
+ "isModelInvalid": false,
+ "max_lines_legend": 1,
+ "series": [
+ {
+ "axis_position": "right",
+ "chart_type": "line",
+ "color": "rgba(84,179,153,1)",
+ "fill": "00.5",
+ "formatter": "bytes",
+ "id": "d3c67db1-1b1a-11e7-b09e-037021c4f8df",
+ "label": "reads",
+ "line_width": 1,
+ "metrics": [
+ {
+ "field": "system.diskio.read.bytes",
+ "id": "d3c67db2-1b1a-11e7-b09e-037021c4f8df",
+ "type": "max"
+ },
+ {
+ "field": "d3c67db2-1b1a-11e7-b09e-037021c4f8df",
+ "id": "f55b9910-1b1a-11e7-b09e-037021c4f8df",
+ "type": "derivative",
+ "unit": "1s"
+ },
+ {
+ "field": "f55b9910-1b1a-11e7-b09e-037021c4f8df",
+ "id": "dcbbb100-1b93-11e7-8ada-3df93aab833e",
+ "type": "positive_only",
+ "unit": ""
+ }
+ ],
+ "palette": {
+ "name": "positive",
+ "type": "palette"
+ },
+ "point_size": "0",
+ "seperate_axis": 0,
+ "split_color_mode": null,
+ "split_mode": "everything",
+ "stacked": "none",
+ "time_range_mode": "entire_time_range",
+ "value_template": "{{value}}/s"
+ },
+ {
+ "axis_position": "right",
+ "chart_type": "line",
+ "color": "rgba(96,146,192,1)",
+ "fill": "00.5",
+ "formatter": "bytes",
+ "id": "144124d0-1b1b-11e7-b09e-037021c4f8df",
+ "label": "writes",
+ "line_width": 1,
+ "metrics": [
+ {
+ "field": "system.diskio.write.bytes",
+ "id": "144124d1-1b1b-11e7-b09e-037021c4f8df",
+ "type": "max"
+ },
+ {
+ "field": "144124d1-1b1b-11e7-b09e-037021c4f8df",
+ "id": "144124d2-1b1b-11e7-b09e-037021c4f8df",
+ "type": "derivative",
+ "unit": "1s"
+ },
+ {
+ "id": "144124d4-1b1b-11e7-b09e-037021c4f8df",
+ "script": "params.rate \u003e 0 ? params.rate * -1 : 0",
+ "type": "calculation",
+ "variables": [
+ {
+ "field": "144124d2-1b1b-11e7-b09e-037021c4f8df",
+ "id": "144124d3-1b1b-11e7-b09e-037021c4f8df",
+ "name": "rate"
+ }
+ ]
+ }
+ ],
+ "palette": {
+ "name": "temperature",
+ "type": "palette"
+ },
+ "point_size": "0",
+ "seperate_axis": 0,
+ "split_color_mode": null,
+ "split_mode": "everything",
+ "stacked": "none",
+ "time_range_mode": "entire_time_range",
+ "value_template": "{{value}}/s"
+ }
+ ],
+ "show_grid": 1,
+ "show_legend": 1,
+ "time_field": "@timestamp",
+ "time_range_mode": "entire_time_range",
+ "tooltip_mode": "show_all",
+ "truncate_legend": 1,
+ "type": "timeseries",
+ "use_kibana_indexes": false
+ },
+ "title": "",
+ "type": "metrics",
+ "uiState": {}
+ },
+ "type": "visualization"
+ },
+ "gridData": {
+ "h": 10,
+ "i": "4e2ec836-0e0c-4125-9a0b-be26183c524f",
+ "w": 30,
+ "x": 11,
+ "y": 58
+ },
+ "panelIndex": "4e2ec836-0e0c-4125-9a0b-be26183c524f",
+ "title": "Disk IO",
+ "type": "visualization",
+ "version": "8.6.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "hidePanelTitles": true,
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "system.fsstat"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "system.fsstat"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "description": "",
+ "params": {
+ "axis_formatter": "number",
+ "axis_position": "left",
+ "axis_scale": "normal",
+ "drop_last_bucket": 1,
+ "filter": {
+ "language": "kuery",
+ "query": "data_stream.dataset : \"system.fsstat\""
+ },
+ "gauge_color_rules": [
+ {
+ "gauge": "rgba(32,146,128,1)",
+ "id": "51921d10-4d1d-11e7-b5f2-2b7c1895bf32",
+ "operator": "gte",
+ "value": 0
+ },
+ {
+ "gauge": "rgba(214,191,87,1)",
+ "id": "f26de750-4d54-11e7-b5f2-2b7c1895bf32",
+ "operator": "gte",
+ "value": 0.7
+ },
+ {
+ "gauge": "rgba(204,86,66,1)",
+ "id": "fa31d190-4d54-11e7-b5f2-2b7c1895bf32",
+ "operator": "gte",
+ "value": 0.85
+ },
+ {
+ "gauge": "rgba(32,146,128,1)",
+ "id": "79158349-1f03-4701-8ecc-c882c2b13ff3",
+ "operator": "empty",
+ "value": null
+ }
+ ],
+ "gauge_inner_width": 10,
+ "gauge_max": "1",
+ "gauge_style": "half",
+ "gauge_width": 10,
+ "hide_last_value_indicator": true,
+ "id": "4e4dc780-4d1d-11e7-b5f2-2b7c1895bf32",
+ "index_pattern": "metrics-*",
+ "interval": "auto",
+ "isModelInvalid": false,
+ "max_lines_legend": 1,
+ "series": [
+ {
+ "axis_position": "right",
+ "chart_type": "line",
+ "color": "#68BC00",
+ "fill": 0.5,
+ "formatter": "percent",
+ "id": "4e4dee90-4d1d-11e7-b5f2-2b7c1895bf32",
+ "label": "Disk used",
+ "line_width": 1,
+ "metrics": [
+ {
+ "agg_with": "avg",
+ "field": "system.fsstat.total_size.used",
+ "id": "4e4dee91-4d1d-11e7-b5f2-2b7c1895bf32",
+ "order": "desc",
+ "order_by": "@timestamp",
+ "size": 1,
+ "type": "top_hit"
+ },
+ {
+ "agg_with": "avg",
+ "field": "system.fsstat.total_size.total",
+ "id": "57c96ee0-4d54-11e7-b5f2-2b7c1895bf32",
+ "order": "desc",
+ "order_by": "@timestamp",
+ "size": 1,
+ "type": "top_hit"
+ },
+ {
+ "id": "6304cca0-4d54-11e7-b5f2-2b7c1895bf32",
+ "script": "params.used/params.total ",
+ "type": "math",
+ "variables": [
+ {
+ "field": "4e4dee91-4d1d-11e7-b5f2-2b7c1895bf32",
+ "id": "6da10430-4d54-11e7-b5f2-2b7c1895bf32",
+ "name": "used"
+ },
+ {
+ "field": "57c96ee0-4d54-11e7-b5f2-2b7c1895bf32",
+ "id": "73b8c510-4d54-11e7-b5f2-2b7c1895bf32",
+ "name": "total"
+ }
+ ]
+ }
+ ],
+ "point_size": 1,
+ "seperate_axis": 0,
+ "split_color_mode": "gradient",
+ "split_mode": "everything",
+ "stacked": "none",
+ "time_range_mode": "entire_time_range"
+ }
+ ],
+ "show_grid": 1,
+ "show_legend": 1,
+ "time_field": "@timestamp",
+ "time_range_mode": "entire_time_range",
+ "tooltip_mode": "show_all",
+ "truncate_legend": 1,
+ "type": "gauge",
+ "use_kibana_indexes": false
+ },
+ "title": "",
+ "type": "metrics",
+ "uiState": {}
+ },
+ "type": "visualization"
+ },
+ "gridData": {
+ "h": 10,
+ "i": "fbbc5c65-b8a4-4604-b5bd-072c3c99e4c3",
+ "w": 7,
+ "x": 41,
+ "y": 58
+ },
+ "panelIndex": "fbbc5c65-b8a4-4604-b5bd-072c3c99e4c3",
+ "title": "Disk Used [Metrics System] (copy)",
+ "type": "visualization",
+ "version": "8.6.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {
+ "filter": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "description": "",
+ "params": {
+ "fontSize": 12,
+ "markdown": "### Network",
+ "openLinksInNewTab": false
+ },
+ "title": "",
+ "type": "markdown",
+ "uiState": {}
+ },
+ "type": "visualization"
+ },
+ "gridData": {
+ "h": 3,
+ "i": "4340cff4-224d-43c0-8e98-8257782236f3",
+ "w": 48,
+ "x": 0,
+ "y": 68
+ },
+ "panelIndex": "4340cff4-224d-43c0-8e98-8257782236f3",
+ "title": "",
+ "type": "visualization",
+ "version": "8.6.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "hidePanelTitles": true,
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "system.network"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "system.network"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "description": "",
+ "params": {
+ "axis_formatter": "number",
+ "axis_position": "left",
+ "axis_scale": "normal",
+ "background_color_rules": [
+ {
+ "id": "0e346760-1b92-11e7-bec4-a5e9ec5cab8b"
+ }
+ ],
+ "drop_last_bucket": 1,
+ "filter": {
+ "language": "lucene",
+ "query": "-system.network.name:l*"
+ },
+ "hide_last_value_indicator": true,
+ "id": "0c761590-1b92-11e7-bec4-a5e9ec5cab8b",
+ "index_pattern": "metrics-*",
+ "interval": "auto",
+ "max_lines_legend": 1,
+ "series": [
+ {
+ "axis_position": "right",
+ "chart_type": "line",
+ "color": "#68BC00",
+ "fill": 0.5,
+ "formatter": "bytes",
+ "id": "0c761591-1b92-11e7-bec4-a5e9ec5cab8b",
+ "label": "Inbound Traffic",
+ "line_width": 1,
+ "metrics": [
+ {
+ "field": "system.network.in.bytes",
+ "id": "0c761592-1b92-11e7-bec4-a5e9ec5cab8b",
+ "type": "max"
+ },
+ {
+ "field": "0c761592-1b92-11e7-bec4-a5e9ec5cab8b",
+ "id": "1d659060-1b92-11e7-bec4-a5e9ec5cab8b",
+ "type": "derivative",
+ "unit": "1s"
+ },
+ {
+ "field": "1d659060-1b92-11e7-bec4-a5e9ec5cab8b",
+ "id": "f2074f70-1b92-11e7-a416-41f5ccdba2e6",
+ "type": "positive_only",
+ "unit": ""
+ },
+ {
+ "function": "sum",
+ "id": "c40e18f0-2c55-11e7-a0ad-277ce466684d",
+ "type": "series_agg"
+ }
+ ],
+ "point_size": 1,
+ "seperate_axis": 0,
+ "split_color_mode": "gradient",
+ "split_mode": "terms",
+ "stacked": "none",
+ "terms_field": "system.network.name",
+ "value_template": "{{value}}/s"
+ },
+ {
+ "axis_position": "right",
+ "chart_type": "line",
+ "color": "#68BC00",
+ "fill": 0.5,
+ "formatter": "bytes",
+ "id": "37f70440-1b92-11e7-bec4-a5e9ec5cab8b",
+ "label": "Total Transferred",
+ "line_width": 1,
+ "metrics": [
+ {
+ "field": "system.network.in.bytes",
+ "id": "37f72b50-1b92-11e7-bec4-a5e9ec5cab8b",
+ "type": "max"
+ },
+ {
+ "field": "37f72b50-1b92-11e7-bec4-a5e9ec5cab8b",
+ "id": "37f72b51-1b92-11e7-bec4-a5e9ec5cab8b",
+ "type": "derivative",
+ "unit": ""
+ },
+ {
+ "field": "37f72b51-1b92-11e7-bec4-a5e9ec5cab8b",
+ "id": "f9da2dd0-1b92-11e7-a416-41f5ccdba2e6",
+ "type": "positive_only",
+ "unit": ""
+ },
+ {
+ "field": "f9da2dd0-1b92-11e7-a416-41f5ccdba2e6",
+ "function": "overall_sum",
+ "id": "3e63c2f0-1b92-11e7-bec4-a5e9ec5cab8b",
+ "sigma": "",
+ "type": "series_agg"
+ }
+ ],
+ "point_size": 1,
+ "seperate_axis": 0,
+ "split_color_mode": "gradient",
+ "split_mode": "terms",
+ "stacked": "none",
+ "terms_field": "system.network.name",
+ "value_template": "{{value}}"
+ }
+ ],
+ "show_grid": 1,
+ "show_legend": 1,
+ "time_field": "@timestamp",
+ "tooltip_mode": "show_all",
+ "truncate_legend": 1,
+ "type": "metric",
+ "use_kibana_indexes": false
+ },
+ "title": "",
+ "type": "metrics",
+ "uiState": {}
+ },
+ "type": "visualization"
+ },
+ "gridData": {
+ "h": 8,
+ "i": "00a52be5-9be0-452a-974f-15c2eb08e5a5",
+ "w": 6,
+ "x": 0,
+ "y": 71
+ },
+ "panelIndex": "00a52be5-9be0-452a-974f-15c2eb08e5a5",
+ "title": "Inbound Traffic [Metrics System] (copy)",
+ "type": "visualization",
+ "version": "8.6.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "hidePanelTitles": true,
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "system.network"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "system.network"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "description": "",
+ "params": {
+ "axis_formatter": "number",
+ "axis_position": "left",
+ "axis_scale": "normal",
+ "background_color_rules": [
+ {
+ "id": "6ba9b1f0-4d5d-11e7-aa29-87a97a796de6"
+ }
+ ],
+ "drop_last_bucket": 1,
+ "filter": {
+ "language": "kuery",
+ "query": "data_stream.dataset : \"system.network\""
+ },
+ "hide_last_value_indicator": true,
+ "id": "6984af10-4d5d-11e7-aa29-87a97a796de6",
+ "index_pattern": "metrics-*",
+ "interval": "auto",
+ "isModelInvalid": false,
+ "max_lines_legend": 1,
+ "series": [
+ {
+ "axis_position": "right",
+ "chart_type": "line",
+ "color": "#68BC00",
+ "fill": 0.5,
+ "formatter": "number",
+ "id": "6984af11-4d5d-11e7-aa29-87a97a796de6",
+ "label": "In Packetloss",
+ "line_width": 1,
+ "metrics": [
+ {
+ "field": "system.network.in.dropped",
+ "id": "6984af12-4d5d-11e7-aa29-87a97a796de6",
+ "type": "max"
+ }
+ ],
+ "point_size": 1,
+ "seperate_axis": 0,
+ "split_color_mode": "gradient",
+ "split_mode": "everything",
+ "stacked": "none",
+ "time_range_mode": "entire_time_range"
+ }
+ ],
+ "show_grid": 1,
+ "show_legend": 1,
+ "time_field": "@timestamp",
+ "time_range_mode": "entire_time_range",
+ "tooltip_mode": "show_all",
+ "truncate_legend": 1,
+ "type": "metric",
+ "use_kibana_indexes": false
+ },
+ "title": "",
+ "type": "metrics",
+ "uiState": {}
+ },
+ "type": "visualization"
+ },
+ "gridData": {
+ "h": 8,
+ "i": "8fd9ee13-c94c-44c6-9871-da172760e777",
+ "w": 6,
+ "x": 6,
+ "y": 71
+ },
+ "panelIndex": "8fd9ee13-c94c-44c6-9871-da172760e777",
+ "title": "Packetloss [Metrics System]",
+ "type": "visualization",
+ "version": "8.6.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "hidePanelTitles": true,
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "system.network"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "system.network"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "description": "",
+ "params": {
+ "axis_formatter": "number",
+ "axis_position": "left",
+ "axis_scale": "normal",
+ "background_color_rules": [
+ {
+ "id": "0e346760-1b92-11e7-bec4-a5e9ec5cab8b"
+ }
+ ],
+ "drop_last_bucket": 1,
+ "filter": {
+ "language": "lucene",
+ "query": "-system.network.name:l*"
+ },
+ "hide_last_value_indicator": true,
+ "id": "0c761590-1b92-11e7-bec4-a5e9ec5cab8b",
+ "index_pattern": "metrics-*",
+ "interval": "auto",
+ "max_lines_legend": 1,
+ "series": [
+ {
+ "axis_position": "right",
+ "chart_type": "line",
+ "color": "#68BC00",
+ "fill": 0.5,
+ "formatter": "bytes",
+ "id": "0c761591-1b92-11e7-bec4-a5e9ec5cab8b",
+ "label": "Outbound Traffic",
+ "line_width": 1,
+ "metrics": [
+ {
+ "field": "system.network.out.bytes",
+ "id": "0c761592-1b92-11e7-bec4-a5e9ec5cab8b",
+ "type": "max"
+ },
+ {
+ "field": "0c761592-1b92-11e7-bec4-a5e9ec5cab8b",
+ "id": "1d659060-1b92-11e7-bec4-a5e9ec5cab8b",
+ "type": "derivative",
+ "unit": "1s"
+ },
+ {
+ "field": "1d659060-1b92-11e7-bec4-a5e9ec5cab8b",
+ "id": "f2074f70-1b92-11e7-a416-41f5ccdba2e6",
+ "type": "positive_only",
+ "unit": ""
+ },
+ {
+ "function": "sum",
+ "id": "a1737470-2c55-11e7-a0ad-277ce466684d",
+ "type": "series_agg"
+ }
+ ],
+ "point_size": 1,
+ "seperate_axis": 0,
+ "split_color_mode": "gradient",
+ "split_mode": "terms",
+ "stacked": "none",
+ "terms_field": "system.network.name",
+ "value_template": "{{value}}/s"
+ },
+ {
+ "axis_position": "right",
+ "chart_type": "line",
+ "color": "#68BC00",
+ "fill": 0.5,
+ "formatter": "bytes",
+ "id": "37f70440-1b92-11e7-bec4-a5e9ec5cab8b",
+ "label": "Total Transferred",
+ "line_width": 1,
+ "metrics": [
+ {
+ "field": "system.network.out.bytes",
+ "id": "37f72b50-1b92-11e7-bec4-a5e9ec5cab8b",
+ "type": "max"
+ },
+ {
+ "field": "37f72b50-1b92-11e7-bec4-a5e9ec5cab8b",
+ "id": "37f72b51-1b92-11e7-bec4-a5e9ec5cab8b",
+ "type": "derivative",
+ "unit": ""
+ },
+ {
+ "field": "37f72b51-1b92-11e7-bec4-a5e9ec5cab8b",
+ "id": "f9da2dd0-1b92-11e7-a416-41f5ccdba2e6",
+ "type": "positive_only",
+ "unit": ""
+ },
+ {
+ "field": "f9da2dd0-1b92-11e7-a416-41f5ccdba2e6",
+ "function": "overall_sum",
+ "id": "3e63c2f0-1b92-11e7-bec4-a5e9ec5cab8b",
+ "sigma": "",
+ "type": "series_agg"
+ }
+ ],
+ "point_size": 1,
+ "seperate_axis": 0,
+ "split_color_mode": "gradient",
+ "split_mode": "terms",
+ "stacked": "none",
+ "terms_field": "system.network.name",
+ "value_template": "{{value}}"
+ }
+ ],
+ "show_grid": 1,
+ "show_legend": 1,
+ "time_field": "@timestamp",
+ "tooltip_mode": "show_all",
+ "truncate_legend": 1,
+ "type": "metric",
+ "use_kibana_indexes": false
+ },
+ "title": "",
+ "type": "metrics",
+ "uiState": {}
+ },
+ "type": "visualization"
+ },
+ "gridData": {
+ "h": 8,
+ "i": "40931ebc-38d8-4032-949d-246c8b381743",
+ "w": 6,
+ "x": 12,
+ "y": 71
+ },
+ "panelIndex": "40931ebc-38d8-4032-949d-246c8b381743",
+ "title": "Outbound Traffic [Metrics System] (copy)",
+ "type": "visualization",
+ "version": "8.6.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "hidePanelTitles": true,
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "system.network"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "system.network"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "description": "",
+ "params": {
+ "axis_formatter": "number",
+ "axis_position": "left",
+ "axis_scale": "normal",
+ "background_color_rules": [
+ {
+ "id": "6ba9b1f0-4d5d-11e7-aa29-87a97a796de6"
+ }
+ ],
+ "drop_last_bucket": 1,
+ "filter": {
+ "language": "kuery",
+ "query": "data_stream.dataset : \"system.network\""
+ },
+ "hide_last_value_indicator": true,
+ "id": "6984af10-4d5d-11e7-aa29-87a97a796de6",
+ "index_pattern": "metrics-*",
+ "interval": "auto",
+ "isModelInvalid": false,
+ "max_lines_legend": 1,
+ "series": [
+ {
+ "axis_position": "right",
+ "chart_type": "line",
+ "color": "#68BC00",
+ "fill": 0.5,
+ "formatter": "number",
+ "id": "ac2e6b30-4d5d-11e7-aa29-87a97a796de6",
+ "label": "Out Packetloss",
+ "line_width": 1,
+ "metrics": [
+ {
+ "field": "system.network.out.dropped",
+ "id": "ac2e6b31-4d5d-11e7-aa29-87a97a796de6",
+ "type": "max"
+ }
+ ],
+ "point_size": 1,
+ "seperate_axis": 0,
+ "split_color_mode": "gradient",
+ "split_mode": "everything",
+ "stacked": "none",
+ "time_range_mode": "entire_time_range"
+ }
+ ],
+ "show_grid": 1,
+ "show_legend": 1,
+ "time_field": "@timestamp",
+ "time_range_mode": "entire_time_range",
+ "tooltip_mode": "show_all",
+ "truncate_legend": 1,
+ "type": "metric",
+ "use_kibana_indexes": false
+ },
+ "title": "",
+ "type": "metrics",
+ "uiState": {}
+ },
+ "type": "visualization"
+ },
+ "gridData": {
+ "h": 8,
+ "i": "42625329-6a7b-496e-89e3-2459675bf904",
+ "w": 6,
+ "x": 18,
+ "y": 71
+ },
+ "panelIndex": "42625329-6a7b-496e-89e3-2459675bf904",
+ "title": "Packetloss [Metrics System] (copy)",
+ "type": "visualization",
+ "version": "8.6.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {
+ "filter": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "description": "",
+ "params": {
+ "axis_formatter": "number",
+ "axis_position": "left",
+ "axis_scale": "normal",
+ "drop_last_bucket": 1,
+ "filter": {
+ "language": "lucene",
+ "query": "-system.network.name:l*"
+ },
+ "id": "da1046f0-faa0-11e6-86b1-cd7735ff7e23",
+ "index_pattern": "*",
+ "interval": "auto",
+ "isModelInvalid": false,
+ "max_lines_legend": 1,
+ "series": [
+ {
+ "axis_position": "right",
+ "chart_type": "line",
+ "color": "rgba(111,220,190,1)",
+ "fill": "0.5",
+ "formatter": "0.[00]a",
+ "id": "da1046f1-faa0-11e6-86b1-cd7735ff7e23",
+ "label": "Inbound",
+ "line_width": "01",
+ "metrics": [
+ {
+ "field": "system.network.in.packets",
+ "id": "da1046f2-faa0-11e6-86b1-cd7735ff7e23",
+ "type": "max"
+ },
+ {
+ "field": "da1046f2-faa0-11e6-86b1-cd7735ff7e23",
+ "id": "f41f9280-faa0-11e6-86b1-cd7735ff7e23",
+ "type": "derivative",
+ "unit": "1s"
+ },
+ {
+ "field": "f41f9280-faa0-11e6-86b1-cd7735ff7e23",
+ "id": "c0da3d80-1b93-11e7-8ada-3df93aab833e",
+ "type": "positive_only",
+ "unit": ""
+ },
+ {
+ "function": "sum",
+ "id": "ecaad010-2c2c-11e7-be71-3162da85303f",
+ "type": "series_agg"
+ }
+ ],
+ "palette": {
+ "name": "positive",
+ "type": "palette"
+ },
+ "point_size": "0",
+ "seperate_axis": 0,
+ "split_color_mode": null,
+ "split_mode": "terms",
+ "stacked": "none",
+ "terms_field": "system.network.name",
+ "time_range_mode": "entire_time_range",
+ "value_template": "{{value}}/s"
+ },
+ {
+ "axis_position": "right",
+ "chart_type": "line",
+ "color": "rgba(96,146,192,1)",
+ "fill": "00.5",
+ "formatter": "0.[00]a",
+ "id": "fbbd5720-faa0-11e6-86b1-cd7735ff7e23",
+ "label": "Outbound",
+ "line_width": "01",
+ "metrics": [
+ {
+ "field": "system.network.out.packets",
+ "id": "fbbd7e30-faa0-11e6-86b1-cd7735ff7e23",
+ "type": "max"
+ },
+ {
+ "field": "fbbd7e30-faa0-11e6-86b1-cd7735ff7e23",
+ "id": "fbbd7e31-faa0-11e6-86b1-cd7735ff7e23",
+ "type": "derivative",
+ "unit": "1s"
+ },
+ {
+ "id": "17e597a0-faa1-11e6-86b1-cd7735ff7e23",
+ "script": "params.rate != null \u0026\u0026 params.rate \u003e 0 ? params.rate * -1 : null",
+ "type": "calculation",
+ "variables": [
+ {
+ "field": "fbbd7e31-faa0-11e6-86b1-cd7735ff7e23",
+ "id": "1940bad0-faa1-11e6-86b1-cd7735ff7e23",
+ "name": "rate"
+ }
+ ]
+ },
+ {
+ "function": "sum",
+ "id": "fe5fbdc0-2c2c-11e7-be71-3162da85303f",
+ "type": "series_agg"
+ }
+ ],
+ "palette": {
+ "name": "complimentary",
+ "type": "palette"
+ },
+ "point_size": "0",
+ "seperate_axis": 0,
+ "split_color_mode": null,
+ "split_mode": "terms",
+ "stacked": "none",
+ "terms_field": "system.network.name",
+ "time_range_mode": "entire_time_range",
+ "value_template": "{{value}}/s"
+ }
+ ],
+ "show_grid": 1,
+ "show_legend": 1,
+ "time_field": "@timestamp",
+ "time_range_mode": "entire_time_range",
+ "tooltip_mode": "show_all",
+ "truncate_legend": 1,
+ "type": "timeseries",
+ "use_kibana_indexes": false
+ },
+ "title": "",
+ "type": "metrics",
+ "uiState": {}
+ },
+ "type": "visualization"
+ },
+ "gridData": {
+ "h": 11,
+ "i": "83789cc1-735e-426f-af14-7feceeb1e3ec",
+ "w": 24,
+ "x": 24,
+ "y": 71
+ },
+ "panelIndex": "83789cc1-735e-426f-af14-7feceeb1e3ec",
+ "title": "Network Traffic (Packets)",
+ "type": "visualization",
+ "version": "8.6.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-a9aa67d3-6d5c-40f9-a45d-69410b2a90bb",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "0edd5ba7-5679-4903-8b1a-9b52a84763e4",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "a9aa67d3-6d5c-40f9-a45d-69410b2a90bb": {
+ "columnOrder": [
+ "69b78cd3-0694-49cd-92cd-23c27f675523",
+ "bdb2f885-054b-490d-91b8-2685ce22a5f5",
+ "30b47015-4e96-48da-997b-9e9d41984945"
+ ],
+ "columns": {
+ "30b47015-4e96-48da-997b-9e9d41984945": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Outgoing Traffic",
+ "operationType": "max",
+ "params": {
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 2
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "system.network.out.bytes"
+ },
+ "69b78cd3-0694-49cd-92cd-23c27f675523": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Interface",
+ "operationType": "terms",
+ "params": {
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "bdb2f885-054b-490d-91b8-2685ce22a5f5",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "system.network.name"
+ },
+ "bdb2f885-054b-490d-91b8-2685ce22a5f5": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Incoming Traffic",
+ "operationType": "max",
+ "params": {
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 2
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "system.network.in.bytes"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "0edd5ba7-5679-4903-8b1a-9b52a84763e4",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "system.network"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "system.network"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "columnId": "69b78cd3-0694-49cd-92cd-23c27f675523",
+ "isTransposed": false
+ },
+ {
+ "colorMode": "cell",
+ "columnId": "bdb2f885-054b-490d-91b8-2685ce22a5f5",
+ "isTransposed": false,
+ "palette": {
+ "name": "positive",
+ "params": {
+ "stops": [
+ {
+ "color": "#d6e9e4",
+ "stop": 20
+ },
+ {
+ "color": "#aed3ca",
+ "stop": 40
+ },
+ {
+ "color": "#85bdb1",
+ "stop": 60
+ },
+ {
+ "color": "#5aa898",
+ "stop": 80
+ },
+ {
+ "color": "#209280",
+ "stop": 100
+ }
+ ]
+ },
+ "type": "palette"
+ },
+ "width": 139
+ },
+ {
+ "colorMode": "cell",
+ "columnId": "30b47015-4e96-48da-997b-9e9d41984945",
+ "isTransposed": false,
+ "palette": {
+ "name": "positive",
+ "params": {
+ "stops": [
+ {
+ "color": "#d6e9e4",
+ "stop": 20
+ },
+ {
+ "color": "#aed3ca",
+ "stop": 40
+ },
+ {
+ "color": "#85bdb1",
+ "stop": 60
+ },
+ {
+ "color": "#5aa898",
+ "stop": 80
+ },
+ {
+ "color": "#209280",
+ "stop": 100
+ }
+ ]
+ },
+ "type": "palette"
+ },
+ "width": 143.5
+ }
+ ],
+ "layerId": "a9aa67d3-6d5c-40f9-a45d-69410b2a90bb",
+ "layerType": "data",
+ "rowHeight": "single",
+ "rowHeightLines": 1
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {},
+ "type": "lens"
+ },
+ "gridData": {
+ "h": 14,
+ "i": "5eae5b45-6bce-4bbd-9db2-275b45d7d329",
+ "w": 24,
+ "x": 0,
+ "y": 79
+ },
+ "panelIndex": "5eae5b45-6bce-4bbd-9db2-275b45d7d329",
+ "type": "lens",
+ "version": "8.6.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {
+ "filter": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "description": "",
+ "params": {
+ "axis_formatter": "number",
+ "axis_position": "left",
+ "axis_scale": "normal",
+ "drop_last_bucket": 1,
+ "filter": {
+ "language": "lucene",
+ "query": "-system.network.name:l*"
+ },
+ "id": "da1046f0-faa0-11e6-86b1-cd7735ff7e23",
+ "index_pattern": "*",
+ "interval": "auto",
+ "isModelInvalid": false,
+ "max_lines_legend": 1,
+ "series": [
+ {
+ "axis_position": "right",
+ "chart_type": "line",
+ "color": "rgba(84,179,153,1)",
+ "fill": "00.5",
+ "formatter": "bytes",
+ "id": "da1046f1-faa0-11e6-86b1-cd7735ff7e23",
+ "label": "Inbound ",
+ "line_width": "01",
+ "metrics": [
+ {
+ "field": "system.network.in.bytes",
+ "id": "da1046f2-faa0-11e6-86b1-cd7735ff7e23",
+ "type": "max"
+ },
+ {
+ "field": "da1046f2-faa0-11e6-86b1-cd7735ff7e23",
+ "id": "f41f9280-faa0-11e6-86b1-cd7735ff7e23",
+ "type": "derivative",
+ "unit": "1s"
+ },
+ {
+ "field": "f41f9280-faa0-11e6-86b1-cd7735ff7e23",
+ "id": "a87398e0-1b93-11e7-8ada-3df93aab833e",
+ "type": "positive_only",
+ "unit": ""
+ },
+ {
+ "function": "sum",
+ "id": "2d533df0-2c2d-11e7-be71-3162da85303f",
+ "type": "series_agg"
+ }
+ ],
+ "palette": {
+ "name": "positive",
+ "type": "palette"
+ },
+ "point_size": "0",
+ "seperate_axis": 0,
+ "split_color_mode": null,
+ "split_mode": "terms",
+ "stacked": "none",
+ "terms_field": "system.network.name",
+ "time_range_mode": "entire_time_range",
+ "value_template": "{{value}}/s"
+ },
+ {
+ "axis_position": "right",
+ "chart_type": "line",
+ "color": "rgba(96,146,192,1)",
+ "fill": "00.5",
+ "formatter": "bytes",
+ "id": "fbbd5720-faa0-11e6-86b1-cd7735ff7e23",
+ "label": "Outbound ",
+ "line_width": "01",
+ "metrics": [
+ {
+ "field": "system.network.out.bytes",
+ "id": "fbbd7e30-faa0-11e6-86b1-cd7735ff7e23",
+ "type": "max"
+ },
+ {
+ "field": "fbbd7e30-faa0-11e6-86b1-cd7735ff7e23",
+ "id": "fbbd7e31-faa0-11e6-86b1-cd7735ff7e23",
+ "type": "derivative",
+ "unit": "1s"
+ },
+ {
+ "id": "17e597a0-faa1-11e6-86b1-cd7735ff7e23",
+ "script": "params.rate != null \u0026\u0026 params.rate \u003e 0 ? params.rate * -1 : null",
+ "type": "calculation",
+ "variables": [
+ {
+ "field": "fbbd7e31-faa0-11e6-86b1-cd7735ff7e23",
+ "id": "1940bad0-faa1-11e6-86b1-cd7735ff7e23",
+ "name": "rate"
+ }
+ ]
+ },
+ {
+ "function": "sum",
+ "id": "533da9b0-2c2d-11e7-be71-3162da85303f",
+ "type": "series_agg"
+ }
+ ],
+ "palette": {
+ "name": "complimentary",
+ "type": "palette"
+ },
+ "point_size": "0",
+ "seperate_axis": 0,
+ "split_color_mode": null,
+ "split_mode": "terms",
+ "stacked": "none",
+ "terms_field": "system.network.name",
+ "time_range_mode": "entire_time_range",
+ "value_template": "{{value}}/s"
+ }
+ ],
+ "show_grid": 1,
+ "show_legend": 1,
+ "time_field": "@timestamp",
+ "time_range_mode": "entire_time_range",
+ "tooltip_mode": "show_all",
+ "truncate_legend": 1,
+ "type": "timeseries",
+ "use_kibana_indexes": false
+ },
+ "title": "",
+ "type": "metrics",
+ "uiState": {}
+ },
+ "type": "visualization"
+ },
+ "gridData": {
+ "h": 11,
+ "i": "701fed8c-da9b-41aa-adab-09f793c3c84f",
+ "w": 24,
+ "x": 24,
+ "y": 82
+ },
+ "panelIndex": "701fed8c-da9b-41aa-adab-09f793c3c84f",
+ "title": "Network Traffic (Bytes)",
+ "type": "visualization",
+ "version": "8.6.0"
+ }
+ ],
+ "timeRestore": false,
+ "title": "[Metrics System] Host overview",
+ "version": 1
+ },
+ "coreMigrationVersion": "8.6.1",
+ "created_at": "2023-03-23T04:03:56.987Z",
+ "id": "system-79ffd6e0-faa0-11e6-947f-177f697178b8",
+ "migrationVersion": {
+ "dashboard": "8.6.0"
+ },
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "6fd34c50-53a3-4919-b7c5-aba460f0fe6d:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "d0a6fc45-278c-427e-a440-eec3ec3ce367:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "e50a72f5-160a-4694-8f44-2e6da666b90b:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "baca3f6a-498a-4752-8882-1d8906d06405:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "02993ece-9e84-4957-9780-a89d1cfef103:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "17f54fe4-ae84-4319-97fd-069225d0a8fb:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "17f54fe4-ae84-4319-97fd-069225d0a8fb:indexpattern-datasource-layer-9f6d8570-52c1-4af2-a105-b9993b2e8b5c",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "17f54fe4-ae84-4319-97fd-069225d0a8fb:04b54a98-baa0-43a7-aaa8-ace6b600ff4b",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "79d36896-445a-4904-ad18-e0234fd9ca3f:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "81d645ce-9d97-499f-9117-b3e662caee53:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "b479c652-8d38-47ed-8599-be33592ebffe:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "b479c652-8d38-47ed-8599-be33592ebffe:indexpattern-datasource-layer-7e73c5a0-687d-49a1-9431-d445b9698b64",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "b479c652-8d38-47ed-8599-be33592ebffe:4a1e24c8-23cf-41d6-805c-b73aac7e9531",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "43ee6ea2-797b-4ef6-83da-c81b9594f694:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "43ee6ea2-797b-4ef6-83da-c81b9594f694:indexpattern-datasource-layer-8da587a6-a617-4bd4-9ae5-dffb9c6343f8",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "43ee6ea2-797b-4ef6-83da-c81b9594f694:497fbd26-58ef-4073-ac3f-024ba1789d9a",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "dcf35812-283d-4cc7-b7bb-76419f5231fc:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "dcf35812-283d-4cc7-b7bb-76419f5231fc:indexpattern-datasource-layer-60c0e8b2-20ab-4451-87a6-5a7d2241ccb0",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "dcf35812-283d-4cc7-b7bb-76419f5231fc:d251cb14-5566-4617-b12d-9d587f9c11a8",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "5be13ea6-48db-4fc3-8213-20e4736be04e:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "5be13ea6-48db-4fc3-8213-20e4736be04e:indexpattern-datasource-layer-7e73c5a0-687d-49a1-9431-d445b9698b64",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "5be13ea6-48db-4fc3-8213-20e4736be04e:45f7e45b-a19f-471f-9437-d2cdb13e836d",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "7138d681-0dc7-4055-a4c5-8395db1aa1e8:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "7138d681-0dc7-4055-a4c5-8395db1aa1e8:indexpattern-datasource-layer-b517c683-82f8-48e6-bfce-ee0568c45958",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "7138d681-0dc7-4055-a4c5-8395db1aa1e8:2044f8ca-61ce-4e33-8768-0c31694a5c76",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "c2428ef6-13fa-4254-9ab0-6be1c80a82d4:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "40c809d8-2728-4ead-a85a-02ac2c3c346e:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "40c809d8-2728-4ead-a85a-02ac2c3c346e:indexpattern-datasource-layer-7e73c5a0-687d-49a1-9431-d445b9698b64",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "40c809d8-2728-4ead-a85a-02ac2c3c346e:4319b26f-d004-4331-bda3-3d2771c47381",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "4e2ec836-0e0c-4125-9a0b-be26183c524f:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "fbbc5c65-b8a4-4604-b5bd-072c3c99e4c3:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "00a52be5-9be0-452a-974f-15c2eb08e5a5:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "8fd9ee13-c94c-44c6-9871-da172760e777:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "40931ebc-38d8-4032-949d-246c8b381743:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "42625329-6a7b-496e-89e3-2459675bf904:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "5eae5b45-6bce-4bbd-9db2-275b45d7d329:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "5eae5b45-6bce-4bbd-9db2-275b45d7d329:indexpattern-datasource-layer-a9aa67d3-6d5c-40f9-a45d-69410b2a90bb",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "5eae5b45-6bce-4bbd-9db2-275b45d7d329:0edd5ba7-5679-4903-8b1a-9b52a84763e4",
+ "type": "index-pattern"
+ },
+ {
+ "id": "system-fleet-pkg-system-default",
+ "name": "tag-ref-fleet-pkg-system-default",
+ "type": "tag"
+ }
+ ],
+ "type": "dashboard"
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/kibana/dashboard/system-Logs-syslog-dashboard.json b/test/packages/parallel/system/kibana/dashboard/system-Logs-syslog-dashboard.json
new file mode 100644
index 000000000..7e4004c87
--- /dev/null
+++ b/test/packages/parallel/system/kibana/dashboard/system-Logs-syslog-dashboard.json
@@ -0,0 +1,370 @@
+{
+ "attributes": {
+ "description": "Syslog dashboard from the Logs System integration",
+ "hits": 0,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [],
+ "highlightAll": true,
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "version": true
+ }
+ },
+ "optionsJSON": {
+ "darkTheme": false
+ },
+ "panelsJSON": [
+ {
+ "embeddableConfig": {
+ "columns": [
+ "host.hostname",
+ "process.name",
+ "message"
+ ],
+ "enhancements": {},
+ "sort": [
+ "@timestamp",
+ "desc"
+ ]
+ },
+ "gridData": {
+ "h": 28,
+ "i": "3",
+ "w": 48,
+ "x": 0,
+ "y": 20
+ },
+ "panelIndex": "3",
+ "panelRefName": "panel_3",
+ "type": "search",
+ "version": "8.1.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {}
+ },
+ "description": "",
+ "params": {
+ "fontSize": 12,
+ "markdown": "[Syslog](#/dashboard/system-Logs-syslog-dashboard) | [Sudo commands](#/dashboard/system-277876d0-fa2c-11e6-bbd3-29c986c96e5a) | [SSH logins](#/dashboard/system-5517a150-f9ce-11e6-8115-a7c18106d86a) | [New users and groups](#/dashboard/system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab)"
+ },
+ "title": "Dashboards [Logs System]",
+ "type": "markdown",
+ "uiState": {}
+ },
+ "type": "visualization"
+ },
+ "gridData": {
+ "h": 4,
+ "i": "4",
+ "w": 48,
+ "x": 0,
+ "y": 0
+ },
+ "panelIndex": "4",
+ "type": "visualization",
+ "version": "8.6.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "savedVis": {
+ "data": {
+ "aggs": [
+ {
+ "enabled": true,
+ "id": "1",
+ "params": {},
+ "schema": "metric",
+ "type": "count"
+ },
+ {
+ "enabled": true,
+ "id": "2",
+ "params": {
+ "drop_partials": false,
+ "extended_bounds": {},
+ "field": "@timestamp",
+ "interval": "auto",
+ "min_doc_count": 1,
+ "scaleMetricValues": false,
+ "timeRange": {
+ "from": "now-15m",
+ "to": "now"
+ },
+ "useNormalizedEsInterval": true,
+ "used_interval": "30s"
+ },
+ "schema": "segment",
+ "type": "date_histogram"
+ },
+ {
+ "enabled": true,
+ "id": "3",
+ "params": {
+ "field": "host.hostname",
+ "missingBucket": false,
+ "missingBucketLabel": "Missing",
+ "order": "desc",
+ "orderBy": "1",
+ "otherBucket": false,
+ "otherBucketLabel": "Other",
+ "size": 5
+ },
+ "schema": "group",
+ "type": "terms"
+ }
+ ],
+ "searchSource": {
+ "filter": []
+ }
+ },
+ "description": "",
+ "params": {
+ "addLegend": true,
+ "addTimeMarker": false,
+ "addTooltip": true,
+ "categoryAxes": [
+ {
+ "id": "CategoryAxis-1",
+ "labels": {
+ "filter": true,
+ "show": true,
+ "truncate": 100
+ },
+ "position": "bottom",
+ "scale": {
+ "type": "linear"
+ },
+ "show": true,
+ "style": {},
+ "title": {},
+ "type": "category"
+ }
+ ],
+ "defaultYExtents": false,
+ "detailedTooltip": true,
+ "grid": {
+ "categoryLines": false
+ },
+ "labels": {
+ "show": false
+ },
+ "legendPosition": "right",
+ "legendSize": "auto",
+ "maxLegendLines": 1,
+ "mode": "stacked",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "radiusRatio": 0,
+ "scale": "linear",
+ "seriesParams": [
+ {
+ "circlesRadius": 1,
+ "data": {
+ "id": "1",
+ "label": "Count"
+ },
+ "drawLinesBetweenPoints": true,
+ "interpolate": "linear",
+ "lineWidth": 2,
+ "mode": "stacked",
+ "show": true,
+ "showCircles": true,
+ "type": "histogram",
+ "valueAxis": "ValueAxis-1"
+ }
+ ],
+ "setYExtents": false,
+ "shareYAxis": true,
+ "thresholdLine": {
+ "color": "#E7664C",
+ "show": false,
+ "style": "full",
+ "value": 10,
+ "width": 1
+ },
+ "times": [],
+ "truncateLegend": true,
+ "type": "histogram",
+ "valueAxes": [
+ {
+ "id": "ValueAxis-1",
+ "labels": {
+ "filter": true,
+ "rotate": 0,
+ "show": true,
+ "truncate": 100
+ },
+ "name": "LeftAxis-1",
+ "position": "left",
+ "scale": {
+ "mode": "normal",
+ "type": "linear"
+ },
+ "show": true,
+ "style": {},
+ "title": {
+ "text": ""
+ },
+ "type": "value"
+ }
+ ],
+ "yAxis": {}
+ },
+ "type": "histogram",
+ "uiState": {}
+ },
+ "type": "visualization"
+ },
+ "gridData": {
+ "h": 16,
+ "i": "1c0a80d4-cd4d-488a-a06d-e9b816e733a8",
+ "w": 32,
+ "x": 0,
+ "y": 4
+ },
+ "panelIndex": "1c0a80d4-cd4d-488a-a06d-e9b816e733a8",
+ "title": "Syslog events by hostname [Logs System]",
+ "type": "visualization",
+ "version": "8.6.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "savedVis": {
+ "data": {
+ "aggs": [
+ {
+ "enabled": true,
+ "id": "1",
+ "params": {},
+ "schema": "metric",
+ "type": "count"
+ },
+ {
+ "enabled": true,
+ "id": "2",
+ "params": {
+ "field": "host.hostname",
+ "missingBucket": false,
+ "missingBucketLabel": "Missing",
+ "order": "desc",
+ "orderBy": "1",
+ "otherBucket": false,
+ "otherBucketLabel": "Other",
+ "size": 5
+ },
+ "schema": "segment",
+ "type": "terms"
+ },
+ {
+ "enabled": true,
+ "id": "3",
+ "params": {
+ "field": "process.name",
+ "missingBucket": false,
+ "missingBucketLabel": "Missing",
+ "order": "desc",
+ "orderBy": "1",
+ "otherBucket": false,
+ "otherBucketLabel": "Other",
+ "size": 5
+ },
+ "schema": "segment",
+ "type": "terms"
+ }
+ ],
+ "searchSource": {
+ "filter": []
+ }
+ },
+ "description": "",
+ "params": {
+ "addLegend": true,
+ "addTooltip": true,
+ "distinctColors": true,
+ "emptySizeRatio": 0.3,
+ "isDonut": true,
+ "labels": {
+ "last_level": false,
+ "percentDecimals": 2,
+ "position": "default",
+ "show": true,
+ "truncate": 100,
+ "values": true,
+ "valuesFormat": "percent"
+ },
+ "legendPosition": "bottom",
+ "legendSize": "auto",
+ "maxLegendLines": 1,
+ "nestedLegend": false,
+ "palette": {
+ "name": "kibana_palette",
+ "type": "palette"
+ },
+ "shareYAxis": true,
+ "truncateLegend": true,
+ "type": "pie"
+ },
+ "type": "pie",
+ "uiState": {}
+ },
+ "type": "visualization"
+ },
+ "gridData": {
+ "h": 16,
+ "i": "30ce1a8d-6460-45b6-be1a-841db5ca7c8b",
+ "w": 16,
+ "x": 32,
+ "y": 4
+ },
+ "panelIndex": "30ce1a8d-6460-45b6-be1a-841db5ca7c8b",
+ "title": "Syslog hostnames and processes [Logs System]",
+ "type": "visualization",
+ "version": "8.6.0"
+ }
+ ],
+ "timeRestore": false,
+ "title": "[Logs System] Syslog dashboard",
+ "version": 1
+ },
+ "coreMigrationVersion": "8.6.1",
+ "created_at": "2023-03-23T04:03:56.987Z",
+ "id": "system-Logs-syslog-dashboard",
+ "migrationVersion": {
+ "dashboard": "8.6.0"
+ },
+ "references": [
+ {
+ "id": "system-Syslog-system-logs",
+ "name": "3:panel_3",
+ "type": "search"
+ },
+ {
+ "id": "system-Syslog-system-logs",
+ "name": "1c0a80d4-cd4d-488a-a06d-e9b816e733a8:search_0",
+ "type": "search"
+ },
+ {
+ "id": "system-Syslog-system-logs",
+ "name": "30ce1a8d-6460-45b6-be1a-841db5ca7c8b:search_0",
+ "type": "search"
+ },
+ {
+ "id": "system-fleet-pkg-system-default",
+ "name": "tag-ref-fleet-pkg-system-default",
+ "type": "tag"
+ }
+ ],
+ "type": "dashboard"
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/kibana/dashboard/system-Metrics-system-overview.json b/test/packages/parallel/system/kibana/dashboard/system-Metrics-system-overview.json
new file mode 100644
index 000000000..dfef489de
--- /dev/null
+++ b/test/packages/parallel/system/kibana/dashboard/system-Metrics-system-overview.json
@@ -0,0 +1,1406 @@
+{
+ "attributes": {
+ "description": "Overview of system metrics",
+ "hits": 0,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [],
+ "highlightAll": true,
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "version": true
+ }
+ },
+ "optionsJSON": {
+ "darkTheme": false,
+ "useMargins": true
+ },
+ "panelsJSON": [
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "hidePanelTitles": true,
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {
+ "filter": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "description": "",
+ "params": {
+ "fontSize": 12,
+ "markdown": "# System overview\n\nTo view host details, select a host from the list below by clicking the respective label.",
+ "openLinksInNewTab": false
+ },
+ "title": "",
+ "type": "markdown",
+ "uiState": {}
+ },
+ "type": "visualization"
+ },
+ "gridData": {
+ "h": 6,
+ "i": "471f7546-e704-4a38-a041-d8b11869d7cc",
+ "w": 48,
+ "x": 0,
+ "y": 0
+ },
+ "panelIndex": "471f7546-e704-4a38-a041-d8b11869d7cc",
+ "title": "System Navigation [Metrics System]",
+ "type": "visualization",
+ "version": "8.6.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "system.memory"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "system.memory"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "description": "",
+ "params": {
+ "axis_formatter": "number",
+ "axis_position": "left",
+ "axis_scale": "normal",
+ "drop_last_bucket": 1,
+ "filter": {
+ "language": "kuery",
+ "query": ""
+ },
+ "gauge_color_rules": [
+ {
+ "gauge": "rgba(32,146,128,1)",
+ "id": "a0d522e0-1b91-11e7-bec4-a5e9ec5cab8b",
+ "operator": "gte",
+ "value": 0
+ },
+ {
+ "gauge": "rgba(214,191,87,1)",
+ "id": "b45ad8f0-1b91-11e7-bec4-a5e9ec5cab8b",
+ "operator": "gte",
+ "value": 0.7
+ },
+ {
+ "gauge": "rgba(204,86,66,1)",
+ "id": "c06e9550-1b91-11e7-bec4-a5e9ec5cab8b",
+ "operator": "gte",
+ "value": 0.85
+ },
+ {
+ "gauge": "rgba(32,146,128,1)",
+ "id": "4bbf6453-9bd4-4ab7-aa12-5a7ed6306651",
+ "operator": "empty",
+ "value": null
+ }
+ ],
+ "gauge_inner_width": 10,
+ "gauge_max": "1",
+ "gauge_style": "half",
+ "gauge_width": 10,
+ "hide_last_value_indicator": true,
+ "id": "9f51b730-1b91-11e7-bec4-a5e9ec5cab8b",
+ "index_pattern": "metrics-*",
+ "interval": "auto",
+ "isModelInvalid": false,
+ "max_lines_legend": 1,
+ "series": [
+ {
+ "axis_position": "right",
+ "chart_type": "line",
+ "color": "rgba(84,179,153,1)",
+ "fill": 0.5,
+ "formatter": "percent",
+ "id": "9f51b731-1b91-11e7-bec4-a5e9ec5cab8b",
+ "label": "Memory Usage",
+ "line_width": 1,
+ "metrics": [
+ {
+ "field": "system.memory.actual.used.pct",
+ "id": "9f51b732-1b91-11e7-bec4-a5e9ec5cab8b",
+ "type": "avg"
+ }
+ ],
+ "point_size": 1,
+ "seperate_axis": 0,
+ "split_color_mode": "gradient",
+ "split_mode": "everything",
+ "stacked": "none",
+ "time_range_mode": "entire_time_range"
+ }
+ ],
+ "show_grid": 1,
+ "show_legend": 1,
+ "time_field": "@timestamp",
+ "time_range_mode": "last_value",
+ "tooltip_mode": "show_all",
+ "truncate_legend": 1,
+ "type": "gauge",
+ "use_kibana_indexes": false
+ },
+ "title": "",
+ "type": "metrics",
+ "uiState": {}
+ },
+ "type": "visualization"
+ },
+ "gridData": {
+ "h": 13,
+ "i": "aa7fddcf-8146-4d85-b3d7-d37a99a5ff32",
+ "w": 9,
+ "x": 0,
+ "y": 6
+ },
+ "panelIndex": "aa7fddcf-8146-4d85-b3d7-d37a99a5ff32",
+ "title": "",
+ "type": "visualization",
+ "version": "8.6.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "system.cpu"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "system.cpu"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "description": "",
+ "params": {
+ "axis_formatter": "number",
+ "axis_position": "left",
+ "axis_scale": "normal",
+ "drop_last_bucket": 1,
+ "filter": {
+ "language": "kuery",
+ "query": ""
+ },
+ "gauge_color_rules": [
+ {
+ "gauge": "rgba(32,146,128,1)",
+ "id": "4ef2c3b0-1b91-11e7-bec4-a5e9ec5cab8b",
+ "operator": "gte",
+ "value": 0
+ },
+ {
+ "gauge": "rgba(214,191,87,1)",
+ "id": "e6561ae0-1b91-11e7-bec4-a5e9ec5cab8b",
+ "operator": "gte",
+ "value": 0.7
+ },
+ {
+ "gauge": "rgba(204,86,66,1)",
+ "id": "ec655040-1b91-11e7-bec4-a5e9ec5cab8b",
+ "operator": "gte",
+ "value": 0.85
+ },
+ {
+ "gauge": "rgba(32,146,128,1)",
+ "id": "860f8db7-6191-4519-8d2a-c51f2a95c2bc",
+ "operator": "empty",
+ "value": null
+ }
+ ],
+ "gauge_inner_width": 10,
+ "gauge_max": "1",
+ "gauge_style": "half",
+ "gauge_width": 10,
+ "hide_last_value_indicator": true,
+ "id": "4c9e2550-1b91-11e7-bec4-a5e9ec5cab8b",
+ "index_pattern": "metrics-*",
+ "interval": "auto",
+ "isModelInvalid": false,
+ "max_lines_legend": 1,
+ "series": [
+ {
+ "axis_position": "right",
+ "chart_type": "line",
+ "color": "#68BC00",
+ "fill": 0.5,
+ "formatter": "percent",
+ "id": "4c9e2551-1b91-11e7-bec4-a5e9ec5cab8b",
+ "label": "CPU Usage",
+ "line_width": 1,
+ "metrics": [
+ {
+ "field": "system.cpu.total.norm.pct",
+ "id": "4c9e2552-1b91-11e7-bec4-a5e9ec5cab8b",
+ "type": "avg"
+ }
+ ],
+ "point_size": 1,
+ "seperate_axis": 0,
+ "split_color_mode": "gradient",
+ "split_mode": "everything",
+ "stacked": "none",
+ "time_range_mode": "entire_time_range"
+ }
+ ],
+ "show_grid": 1,
+ "show_legend": 1,
+ "time_field": "@timestamp",
+ "time_range_mode": "last_value",
+ "tooltip_mode": "show_all",
+ "truncate_legend": 1,
+ "type": "gauge",
+ "use_kibana_indexes": false
+ },
+ "title": "",
+ "type": "metrics",
+ "uiState": {}
+ },
+ "type": "visualization"
+ },
+ "gridData": {
+ "h": 13,
+ "i": "9fc7a050-de1b-495b-8ca7-2a852ed5a28c",
+ "w": 9,
+ "x": 9,
+ "y": 6
+ },
+ "panelIndex": "9fc7a050-de1b-495b-8ca7-2a852ed5a28c",
+ "title": "",
+ "type": "visualization",
+ "version": "8.6.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "system.cpu"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "system.cpu"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "description": "",
+ "id": "",
+ "params": {
+ "axis_formatter": "number",
+ "axis_position": "left",
+ "axis_scale": "normal",
+ "bar_color_rules": [
+ {
+ "bar_color": "rgba(32,146,128,1)",
+ "id": "6131bb70-2938-11ed-a1c4-3f04ff5e1036",
+ "operator": "gte",
+ "value": 0
+ },
+ {
+ "bar_color": "rgba(214,191,87,1)",
+ "id": "b048c5a0-2938-11ed-a1c4-3f04ff5e1036",
+ "operator": "gte",
+ "value": 0.7
+ },
+ {
+ "bar_color": "rgba(204,86,66,1)",
+ "id": "b84aa340-2938-11ed-a1c4-3f04ff5e1036",
+ "operator": "gte",
+ "value": 0.85
+ },
+ {
+ "bar_color": "rgba(32,146,128,1)",
+ "id": "c0f1c190-2938-11ed-a1c4-3f04ff5e1036",
+ "operator": "empty",
+ "value": null
+ }
+ ],
+ "drilldown_url": "../app/kibana#/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8?_a=(query:(language:kuery,query:'host.name:\"{{key}}\"'))",
+ "drop_last_bucket": 1,
+ "filter": {
+ "language": "kuery",
+ "query": ""
+ },
+ "id": "f85dd7f0-6f50-4ca3-b431-a8332b12f516",
+ "index_pattern_ref_name": "metrics_d85621b3-cf7e-4019-83ae-3a1e06d9933f_0_index_pattern",
+ "interval": "",
+ "isModelInvalid": false,
+ "max_lines_legend": 1,
+ "series": [
+ {
+ "axis_position": "right",
+ "chart_type": "line",
+ "color": "#68BC00",
+ "fill": 0.5,
+ "formatter": "percent",
+ "id": "0fa4599f-6d53-4f7e-a508-b10debeae3a7",
+ "line_width": 1,
+ "metrics": [
+ {
+ "field": "system.cpu.user.norm.pct",
+ "id": "20916733-fe1d-4854-8f60-7da167023e8a",
+ "type": "avg"
+ }
+ ],
+ "override_index_pattern": 0,
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "point_size": 1,
+ "separate_axis": 0,
+ "series_drop_last_bucket": 0,
+ "split_mode": "terms",
+ "stacked": "none",
+ "terms_field": "host.name",
+ "terms_order_by": "20916733-fe1d-4854-8f60-7da167023e8a",
+ "time_range_mode": "entire_time_range"
+ }
+ ],
+ "show_grid": 1,
+ "show_legend": 1,
+ "time_field": "",
+ "time_range_mode": "last_value",
+ "tooltip_mode": "show_all",
+ "truncate_legend": 1,
+ "type": "top_n",
+ "use_kibana_indexes": true
+ },
+ "title": "",
+ "type": "metrics",
+ "uiState": {}
+ },
+ "type": "visualization"
+ },
+ "gridData": {
+ "h": 13,
+ "i": "d85621b3-cf7e-4019-83ae-3a1e06d9933f",
+ "w": 30,
+ "x": 18,
+ "y": 6
+ },
+ "panelIndex": "d85621b3-cf7e-4019-83ae-3a1e06d9933f",
+ "title": "Top Hosts by CPU",
+ "type": "visualization",
+ "version": "8.6.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-6a26e3ad-990f-42a2-82fd-f147b1ede3b0",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "6a26e3ad-990f-42a2-82fd-f147b1ede3b0": {
+ "columnOrder": [
+ "6702f512-7df6-4b95-892c-200bafa8bd0e",
+ "6702f512-7df6-4b95-892c-200bafa8bd0eX0"
+ ],
+ "columns": {
+ "6702f512-7df6-4b95-892c-200bafa8bd0e": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Hosts",
+ "operationType": "formula",
+ "params": {
+ "formula": "unique_count(host.name)",
+ "isFormulaBroken": false
+ },
+ "references": [
+ "6702f512-7df6-4b95-892c-200bafa8bd0eX0"
+ ],
+ "scale": "ratio"
+ },
+ "6702f512-7df6-4b95-892c-200bafa8bd0eX0": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Part of Hosts",
+ "operationType": "unique_count",
+ "scale": "ratio",
+ "sourceField": "host.name"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "accessor": "6702f512-7df6-4b95-892c-200bafa8bd0e",
+ "layerId": "6a26e3ad-990f-42a2-82fd-f147b1ede3b0",
+ "layerType": "data",
+ "size": "xl",
+ "textAlign": "center",
+ "titlePosition": "bottom"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsLegacyMetric"
+ },
+ "enhancements": {},
+ "type": "lens"
+ },
+ "gridData": {
+ "h": 12,
+ "i": "f95d2a8f-0ec2-4252-b3e8-8771b9165241",
+ "w": 9,
+ "x": 0,
+ "y": 19
+ },
+ "panelIndex": "f95d2a8f-0ec2-4252-b3e8-8771b9165241",
+ "type": "lens",
+ "version": "8.6.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "system.fsstat"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "system.fsstat"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "description": "",
+ "params": {
+ "axis_formatter": "number",
+ "axis_position": "left",
+ "axis_scale": "normal",
+ "drop_last_bucket": 1,
+ "filter": {
+ "language": "kuery",
+ "query": ""
+ },
+ "gauge_color_rules": [
+ {
+ "gauge": "rgba(32,146,128,1)",
+ "id": "51921d10-4d1d-11e7-b5f2-2b7c1895bf32",
+ "operator": "gte",
+ "value": 0
+ },
+ {
+ "gauge": "rgba(214,191,87,1)",
+ "id": "f26de750-4d54-11e7-b5f2-2b7c1895bf32",
+ "operator": "gte",
+ "value": 0.7
+ },
+ {
+ "gauge": "rgba(204,86,66,1)",
+ "id": "fa31d190-4d54-11e7-b5f2-2b7c1895bf32",
+ "operator": "gte",
+ "value": 0.85
+ },
+ {
+ "gauge": "rgba(32,146,128,1)",
+ "id": "79158349-1f03-4701-8ecc-c882c2b13ff3",
+ "operator": "empty",
+ "value": null
+ }
+ ],
+ "gauge_inner_width": 10,
+ "gauge_max": "1",
+ "gauge_style": "half",
+ "gauge_width": 10,
+ "hide_last_value_indicator": true,
+ "id": "4e4dc780-4d1d-11e7-b5f2-2b7c1895bf32",
+ "index_pattern": "metrics-*",
+ "interval": "auto",
+ "isModelInvalid": false,
+ "max_lines_legend": 1,
+ "series": [
+ {
+ "axis_position": "right",
+ "chart_type": "line",
+ "color": "#68BC00",
+ "fill": 0.5,
+ "formatter": "percent",
+ "id": "4e4dee90-4d1d-11e7-b5f2-2b7c1895bf32",
+ "label": "Disk usage",
+ "line_width": 1,
+ "metrics": [
+ {
+ "agg_with": "avg",
+ "field": "system.fsstat.total_size.used",
+ "id": "4e4dee91-4d1d-11e7-b5f2-2b7c1895bf32",
+ "order": "desc",
+ "order_by": "@timestamp",
+ "size": 1,
+ "type": "top_hit"
+ },
+ {
+ "agg_with": "avg",
+ "field": "system.fsstat.total_size.total",
+ "id": "57c96ee0-4d54-11e7-b5f2-2b7c1895bf32",
+ "order": "desc",
+ "order_by": "@timestamp",
+ "size": 1,
+ "type": "top_hit"
+ },
+ {
+ "id": "6304cca0-4d54-11e7-b5f2-2b7c1895bf32",
+ "script": "params.used/params.total ",
+ "type": "math",
+ "variables": [
+ {
+ "field": "4e4dee91-4d1d-11e7-b5f2-2b7c1895bf32",
+ "id": "6da10430-4d54-11e7-b5f2-2b7c1895bf32",
+ "name": "used"
+ },
+ {
+ "field": "57c96ee0-4d54-11e7-b5f2-2b7c1895bf32",
+ "id": "73b8c510-4d54-11e7-b5f2-2b7c1895bf32",
+ "name": "total"
+ }
+ ]
+ }
+ ],
+ "point_size": 1,
+ "seperate_axis": 0,
+ "split_color_mode": "gradient",
+ "split_mode": "everything",
+ "stacked": "none",
+ "time_range_mode": "entire_time_range"
+ }
+ ],
+ "show_grid": 1,
+ "show_legend": 1,
+ "time_field": "@timestamp",
+ "time_range_mode": "last_value",
+ "tooltip_mode": "show_all",
+ "truncate_legend": 1,
+ "type": "gauge",
+ "use_kibana_indexes": false
+ },
+ "title": "",
+ "type": "metrics",
+ "uiState": {}
+ },
+ "type": "visualization"
+ },
+ "gridData": {
+ "h": 12,
+ "i": "4a59a56e-e5fd-4ff3-b2f0-8a1c07be572b",
+ "w": 9,
+ "x": 9,
+ "y": 19
+ },
+ "panelIndex": "4a59a56e-e5fd-4ff3-b2f0-8a1c07be572b",
+ "title": "",
+ "type": "visualization",
+ "version": "8.6.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "system.memory"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "system.memory"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "description": "",
+ "params": {
+ "axis_formatter": "number",
+ "axis_position": "left",
+ "axis_scale": "normal",
+ "bar_color_rules": [
+ {
+ "bar_color": "rgba(32,146,128,1)",
+ "id": "6131bb70-2938-11ed-a1c4-3f04ff5e1036",
+ "operator": "gte",
+ "value": 0
+ },
+ {
+ "bar_color": "rgba(214,191,87,1)",
+ "id": "b048c5a0-2938-11ed-a1c4-3f04ff5e1036",
+ "operator": "gte",
+ "value": 0.7
+ },
+ {
+ "bar_color": "rgba(204,86,66,1)",
+ "id": "b84aa340-2938-11ed-a1c4-3f04ff5e1036",
+ "operator": "gte",
+ "value": 0.85
+ },
+ {
+ "bar_color": "rgba(32,146,128,1)",
+ "id": "c0f1c190-2938-11ed-a1c4-3f04ff5e1036",
+ "operator": "empty",
+ "value": null
+ }
+ ],
+ "drilldown_url": "../app/kibana#/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8?_a=(query:(language:kuery,query:'host.name:\"{{key}}\"'))",
+ "drop_last_bucket": 1,
+ "filter": {
+ "language": "kuery",
+ "query": ""
+ },
+ "id": "f85dd7f0-6f50-4ca3-b431-a8332b12f516",
+ "index_pattern_ref_name": "metrics_72f0915f-db77-4d67-b92b-ed8cdd97e1aa_0_index_pattern",
+ "interval": "",
+ "isModelInvalid": false,
+ "max_lines_legend": 1,
+ "series": [
+ {
+ "axis_position": "right",
+ "chart_type": "line",
+ "color": "#68BC00",
+ "fill": 0.5,
+ "formatter": "percent",
+ "id": "0fa4599f-6d53-4f7e-a508-b10debeae3a7",
+ "line_width": 1,
+ "metrics": [
+ {
+ "field": "system.memory.actual.used.pct",
+ "id": "20916733-fe1d-4854-8f60-7da167023e8a",
+ "type": "avg"
+ }
+ ],
+ "override_index_pattern": 0,
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "point_size": 1,
+ "separate_axis": 0,
+ "series_drop_last_bucket": 0,
+ "split_mode": "terms",
+ "stacked": "none",
+ "terms_field": "host.name",
+ "terms_order_by": "20916733-fe1d-4854-8f60-7da167023e8a",
+ "time_range_mode": "entire_time_range"
+ }
+ ],
+ "show_grid": 1,
+ "show_legend": 1,
+ "time_field": "",
+ "time_range_mode": "last_value",
+ "tooltip_mode": "show_all",
+ "truncate_legend": 1,
+ "type": "top_n",
+ "use_kibana_indexes": true
+ },
+ "title": "",
+ "type": "metrics",
+ "uiState": {}
+ },
+ "type": "visualization"
+ },
+ "gridData": {
+ "h": 12,
+ "i": "72f0915f-db77-4d67-b92b-ed8cdd97e1aa",
+ "w": 30,
+ "x": 18,
+ "y": 19
+ },
+ "panelIndex": "72f0915f-db77-4d67-b92b-ed8cdd97e1aa",
+ "title": "Top Hosts by Memory",
+ "type": "visualization",
+ "version": "8.6.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-13084d12-8f45-4ff7-84ff-1aa82f6e91d4",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "6a4289ad-9ff1-40c9-aeff-f102d2251bba",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "13084d12-8f45-4ff7-84ff-1aa82f6e91d4": {
+ "columnOrder": [
+ "3a15aec4-8bda-4361-8807-6f4cf5d2246b",
+ "9f4265d2-4b84-419e-a1b6-58cfcb6f6ffc",
+ "ac7e5bcf-a361-44c9-ba8c-12eb2d7974bb"
+ ],
+ "columns": {
+ "3a15aec4-8bda-4361-8807-6f4cf5d2246b": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Hosts",
+ "operationType": "terms",
+ "params": {
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "ac7e5bcf-a361-44c9-ba8c-12eb2d7974bb",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 20
+ },
+ "scale": "ordinal",
+ "sourceField": "host.name"
+ },
+ "9f4265d2-4b84-419e-a1b6-58cfcb6f6ffc": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "ac7e5bcf-a361-44c9-ba8c-12eb2d7974bb": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "CPU Usage",
+ "operationType": "average",
+ "params": {
+ "format": {
+ "id": "percent",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "system.cpu.user.norm.pct"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "6a4289ad-9ff1-40c9-aeff-f102d2251bba",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "system.cpu"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "system.cpu"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "gridConfig": {
+ "isCellLabelVisible": false,
+ "isXAxisLabelVisible": true,
+ "isXAxisTitleVisible": false,
+ "isYAxisLabelVisible": true,
+ "isYAxisTitleVisible": false,
+ "type": "heatmap_grid"
+ },
+ "layerId": "13084d12-8f45-4ff7-84ff-1aa82f6e91d4",
+ "layerType": "data",
+ "legend": {
+ "isVisible": true,
+ "legendSize": "auto",
+ "position": "right",
+ "type": "heatmap_legend"
+ },
+ "palette": {
+ "accessor": "ac7e5bcf-a361-44c9-ba8c-12eb2d7974bb",
+ "name": "custom",
+ "params": {
+ "colorStops": [
+ {
+ "color": "#d9dada",
+ "stop": 0
+ },
+ {
+ "color": "#d6bf57",
+ "stop": 0.7
+ },
+ {
+ "color": "#cc5642",
+ "stop": 0.85
+ }
+ ],
+ "continuity": "above",
+ "name": "custom",
+ "rangeMax": null,
+ "rangeMin": 0,
+ "rangeType": "number",
+ "reverse": false,
+ "steps": 5,
+ "stops": [
+ {
+ "color": "#d9dada",
+ "stop": 0.7
+ },
+ {
+ "color": "#d6bf57",
+ "stop": 0.85
+ },
+ {
+ "color": "#cc5642",
+ "stop": 1.85
+ }
+ ]
+ },
+ "type": "palette"
+ },
+ "shape": "heatmap",
+ "valueAccessor": "ac7e5bcf-a361-44c9-ba8c-12eb2d7974bb",
+ "xAccessor": "9f4265d2-4b84-419e-a1b6-58cfcb6f6ffc",
+ "yAccessor": "3a15aec4-8bda-4361-8807-6f4cf5d2246b"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsHeatmap"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": [
+ {
+ "action": {
+ "config": {
+ "useCurrentDateRange": true,
+ "useCurrentFilters": true
+ },
+ "factoryId": "DASHBOARD_TO_DASHBOARD_DRILLDOWN",
+ "name": "Host Overview"
+ },
+ "eventId": "19bf22c3-97f5-4a71-8752-74cd3d5ec6f9",
+ "triggers": [
+ "FILTER_TRIGGER"
+ ]
+ }
+ ]
+ }
+ },
+ "type": "lens"
+ },
+ "gridData": {
+ "h": 15,
+ "i": "e6f8fdab-5f7e-42b1-9093-36c017e0d26d",
+ "w": 48,
+ "x": 0,
+ "y": 31
+ },
+ "panelIndex": "e6f8fdab-5f7e-42b1-9093-36c017e0d26d",
+ "title": "Top Hosts by CPU Usage over time",
+ "type": "lens",
+ "version": "8.6.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-13084d12-8f45-4ff7-84ff-1aa82f6e91d4",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "33b2f4d6-9337-4d77-a45b-8debb9604323",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "13084d12-8f45-4ff7-84ff-1aa82f6e91d4": {
+ "columnOrder": [
+ "3a15aec4-8bda-4361-8807-6f4cf5d2246b",
+ "9f4265d2-4b84-419e-a1b6-58cfcb6f6ffc",
+ "ac7e5bcf-a361-44c9-ba8c-12eb2d7974bb",
+ "ac7e5bcf-a361-44c9-ba8c-12eb2d7974bbX0"
+ ],
+ "columns": {
+ "3a15aec4-8bda-4361-8807-6f4cf5d2246b": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Hosts",
+ "operationType": "terms",
+ "params": {
+ "missingBucket": false,
+ "orderBy": {
+ "fallback": true,
+ "type": "alphabetical"
+ },
+ "orderDirection": "asc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 20
+ },
+ "scale": "ordinal",
+ "sourceField": "host.name"
+ },
+ "9f4265d2-4b84-419e-a1b6-58cfcb6f6ffc": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "ac7e5bcf-a361-44c9-ba8c-12eb2d7974bb": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Memory Usage",
+ "operationType": "formula",
+ "params": {
+ "format": {
+ "id": "percent",
+ "params": {
+ "decimals": 0
+ }
+ },
+ "formula": "average(system.memory.actual.used.pct)",
+ "isFormulaBroken": false
+ },
+ "references": [
+ "ac7e5bcf-a361-44c9-ba8c-12eb2d7974bbX0"
+ ],
+ "scale": "ratio"
+ },
+ "ac7e5bcf-a361-44c9-ba8c-12eb2d7974bbX0": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Part of Memory Usage",
+ "operationType": "average",
+ "scale": "ratio",
+ "sourceField": "system.memory.actual.used.pct"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "33b2f4d6-9337-4d77-a45b-8debb9604323",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "system.memory"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "system.memory"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "gridConfig": {
+ "isCellLabelVisible": false,
+ "isXAxisLabelVisible": true,
+ "isXAxisTitleVisible": false,
+ "isYAxisLabelVisible": true,
+ "isYAxisTitleVisible": false,
+ "type": "heatmap_grid"
+ },
+ "layerId": "13084d12-8f45-4ff7-84ff-1aa82f6e91d4",
+ "layerType": "data",
+ "legend": {
+ "isVisible": true,
+ "legendSize": "auto",
+ "position": "right",
+ "type": "heatmap_legend"
+ },
+ "palette": {
+ "accessor": "ac7e5bcf-a361-44c9-ba8c-12eb2d7974bb",
+ "name": "custom",
+ "params": {
+ "colorStops": [
+ {
+ "color": "#d9dada",
+ "stop": 0
+ },
+ {
+ "color": "#d6bf57",
+ "stop": 0.7
+ },
+ {
+ "color": "#cc5642",
+ "stop": 0.85
+ }
+ ],
+ "continuity": "above",
+ "name": "custom",
+ "rangeMax": null,
+ "rangeMin": 0,
+ "rangeType": "number",
+ "reverse": false,
+ "steps": 5,
+ "stops": [
+ {
+ "color": "#d9dada",
+ "stop": 0.7
+ },
+ {
+ "color": "#d6bf57",
+ "stop": 0.85
+ },
+ {
+ "color": "#cc5642",
+ "stop": 1.85
+ }
+ ]
+ },
+ "type": "palette"
+ },
+ "shape": "heatmap",
+ "valueAccessor": "ac7e5bcf-a361-44c9-ba8c-12eb2d7974bb",
+ "xAccessor": "9f4265d2-4b84-419e-a1b6-58cfcb6f6ffc",
+ "yAccessor": "3a15aec4-8bda-4361-8807-6f4cf5d2246b"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsHeatmap"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": [
+ {
+ "action": {
+ "config": {
+ "useCurrentDateRange": true,
+ "useCurrentFilters": true
+ },
+ "factoryId": "DASHBOARD_TO_DASHBOARD_DRILLDOWN",
+ "name": "Host Overview"
+ },
+ "eventId": "cb4db4a1-91ee-41e3-9f16-4b373cb189ad",
+ "triggers": [
+ "FILTER_TRIGGER"
+ ]
+ }
+ ]
+ }
+ },
+ "type": "lens"
+ },
+ "gridData": {
+ "h": 16,
+ "i": "e6f6cabf-ecec-482f-b7b5-634e323e9a15",
+ "w": 48,
+ "x": 0,
+ "y": 46
+ },
+ "panelIndex": "e6f6cabf-ecec-482f-b7b5-634e323e9a15",
+ "title": "Top Hosts by Memory Usage over time",
+ "type": "lens",
+ "version": "8.6.0"
+ }
+ ],
+ "timeRestore": false,
+ "title": "[Metrics System] Overview",
+ "version": 1
+ },
+ "coreMigrationVersion": "8.6.1",
+ "created_at": "2023-03-23T04:03:56.987Z",
+ "id": "system-Metrics-system-overview",
+ "migrationVersion": {
+ "dashboard": "8.6.0"
+ },
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "aa7fddcf-8146-4d85-b3d7-d37a99a5ff32:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "9fc7a050-de1b-495b-8ca7-2a852ed5a28c:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "d85621b3-cf7e-4019-83ae-3a1e06d9933f:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "d85621b3-cf7e-4019-83ae-3a1e06d9933f:metrics_d85621b3-cf7e-4019-83ae-3a1e06d9933f_0_index_pattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "f95d2a8f-0ec2-4252-b3e8-8771b9165241:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "f95d2a8f-0ec2-4252-b3e8-8771b9165241:indexpattern-datasource-layer-6a26e3ad-990f-42a2-82fd-f147b1ede3b0",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "4a59a56e-e5fd-4ff3-b2f0-8a1c07be572b:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "72f0915f-db77-4d67-b92b-ed8cdd97e1aa:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "72f0915f-db77-4d67-b92b-ed8cdd97e1aa:metrics_72f0915f-db77-4d67-b92b-ed8cdd97e1aa_0_index_pattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "e6f8fdab-5f7e-42b1-9093-36c017e0d26d:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "e6f8fdab-5f7e-42b1-9093-36c017e0d26d:indexpattern-datasource-layer-13084d12-8f45-4ff7-84ff-1aa82f6e91d4",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "e6f8fdab-5f7e-42b1-9093-36c017e0d26d:6a4289ad-9ff1-40c9-aeff-f102d2251bba",
+ "type": "index-pattern"
+ },
+ {
+ "id": "system-79ffd6e0-faa0-11e6-947f-177f697178b8",
+ "name": "e6f8fdab-5f7e-42b1-9093-36c017e0d26d:drilldown:DASHBOARD_TO_DASHBOARD_DRILLDOWN:19bf22c3-97f5-4a71-8752-74cd3d5ec6f9:dashboardId",
+ "type": "dashboard"
+ },
+ {
+ "id": "metrics-*",
+ "name": "e6f6cabf-ecec-482f-b7b5-634e323e9a15:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "e6f6cabf-ecec-482f-b7b5-634e323e9a15:indexpattern-datasource-layer-13084d12-8f45-4ff7-84ff-1aa82f6e91d4",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "e6f6cabf-ecec-482f-b7b5-634e323e9a15:33b2f4d6-9337-4d77-a45b-8debb9604323",
+ "type": "index-pattern"
+ },
+ {
+ "id": "system-79ffd6e0-faa0-11e6-947f-177f697178b8",
+ "name": "e6f6cabf-ecec-482f-b7b5-634e323e9a15:drilldown:DASHBOARD_TO_DASHBOARD_DRILLDOWN:cb4db4a1-91ee-41e3-9f16-4b373cb189ad:dashboardId",
+ "type": "dashboard"
+ },
+ {
+ "id": "system-fleet-pkg-system-default",
+ "name": "tag-ref-fleet-pkg-system-default",
+ "type": "tag"
+ }
+ ],
+ "type": "dashboard"
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/kibana/dashboard/system-Windows-Dashboard.json b/test/packages/parallel/system/kibana/dashboard/system-Windows-Dashboard.json
new file mode 100644
index 000000000..b9772f6f9
--- /dev/null
+++ b/test/packages/parallel/system/kibana/dashboard/system-Windows-Dashboard.json
@@ -0,0 +1,815 @@
+{
+ "attributes": {
+ "description": "Overview of all Windows Event Logs.",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": [
+ "system.application",
+ "system.security",
+ "system.system",
+ "windows.application",
+ "windows.forwarded",
+ "windows.powershell",
+ "windows.powershell_operational",
+ "windows.security",
+ "windows.sysmon_operational",
+ "windows.system",
+ "winlog.winlog"
+ ],
+ "type": "phrases"
+ },
+ "query": {
+ "bool": {
+ "minimum_should_match": 1,
+ "should": [
+ {
+ "match_phrase": {
+ "data_stream.dataset": "system.application"
+ }
+ },
+ {
+ "match_phrase": {
+ "data_stream.dataset": "system.security"
+ }
+ },
+ {
+ "match_phrase": {
+ "data_stream.dataset": "system.system"
+ }
+ },
+ {
+ "match_phrase": {
+ "data_stream.dataset": "windows.application"
+ }
+ },
+ {
+ "match_phrase": {
+ "data_stream.dataset": "windows.forwarded"
+ }
+ },
+ {
+ "match_phrase": {
+ "data_stream.dataset": "windows.powershell"
+ }
+ },
+ {
+ "match_phrase": {
+ "data_stream.dataset": "windows.powershell_operational"
+ }
+ },
+ {
+ "match_phrase": {
+ "data_stream.dataset": "windows.security"
+ }
+ },
+ {
+ "match_phrase": {
+ "data_stream.dataset": "windows.sysmon_operational"
+ }
+ },
+ {
+ "match_phrase": {
+ "data_stream.dataset": "windows.system"
+ }
+ },
+ {
+ "match_phrase": {
+ "data_stream.dataset": "winlog.winlog"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "optionsJSON": {
+ "hidePanelTitles": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false,
+ "useMargins": true
+ },
+ "panelsJSON": [
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {
+ "filter": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "description": "",
+ "params": {
+ "fontSize": 10,
+ "markdown": "## **Windows Overview**",
+ "openLinksInNewTab": false
+ },
+ "title": "User Logon Dashboard [Windows System Security]",
+ "type": "markdown",
+ "uiState": {}
+ }
+ },
+ "gridData": {
+ "h": 5,
+ "i": "a631db29-cb48-4bfb-b9c9-77ea2baff486",
+ "w": 12,
+ "x": 0,
+ "y": 0
+ },
+ "panelIndex": "a631db29-cb48-4bfb-b9c9-77ea2baff486",
+ "title": "",
+ "type": "visualization",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-b8e30995-8308-4085-bebc-b744255d4471",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "b8e30995-8308-4085-bebc-b744255d4471": {
+ "columnOrder": [
+ "b76296f1-254e-44be-885c-dab598a5769a"
+ ],
+ "columns": {
+ "b76296f1-254e-44be-885c-dab598a5769a": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "accessor": "b76296f1-254e-44be-885c-dab598a5769a",
+ "layerId": "b8e30995-8308-4085-bebc-b744255d4471",
+ "layerType": "data"
+ }
+ },
+ "title": "Number of Events [Windows Overview]",
+ "type": "lens",
+ "visualizationType": "lnsLegacyMetric"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 20,
+ "i": "f1073adc-88c7-4213-947d-72d05705e81a",
+ "w": 12,
+ "x": 0,
+ "y": 5
+ },
+ "panelIndex": "f1073adc-88c7-4213-947d-72d05705e81a",
+ "title": "Number of Events [Windows Overview]",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {
+ "filter": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "description": "",
+ "params": {
+ "fontSize": 12,
+ "markdown": "**Windows Overview** | [User Logon Information](#/dashboard/system-bae11b00-9bfc-11ea-87e4-49f31ec44891) | [Logon Failed and Account Lockout](#/dashboard/system-d401ef40-a7d5-11e9-a422-d144027429da) | [User Management Events](#/dashboard/system-71f720f0-ff18-11e9-8405-516218e3d268) | [Group Management Events](#/dashboard/system-bb858830-f412-11e9-8405-516218e3d268)",
+ "openLinksInNewTab": false
+ },
+ "title": "Dashboard links [Windows System Security]",
+ "type": "markdown",
+ "uiState": {}
+ }
+ },
+ "gridData": {
+ "h": 5,
+ "i": "dadfa90b-35df-4cdb-8b7f-80b75ef8cb9b",
+ "w": 36,
+ "x": 12,
+ "y": 0
+ },
+ "panelIndex": "dadfa90b-35df-4cdb-8b7f-80b75ef8cb9b",
+ "title": "",
+ "type": "visualization",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-5e87aee1-99b0-42aa-8b38-30ad57feda11",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "5e87aee1-99b0-42aa-8b38-30ad57feda11": {
+ "columnOrder": [
+ "c3110bfa-477d-4c3d-9483-a63044c42900",
+ "b3737588-4175-4ab0-b9da-23267d72fe70",
+ "b1b1cc91-e400-414c-90b7-912cd62a404a"
+ ],
+ "columns": {
+ "b1b1cc91-e400-414c-90b7-912cd62a404a": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "b3737588-4175-4ab0-b9da-23267d72fe70": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Channel",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "b1b1cc91-e400-414c-90b7-912cd62a404a",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 6
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.channel"
+ },
+ "c3110bfa-477d-4c3d-9483-a63044c42900": {
+ "customLabel": true,
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": false,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "curveType": "LINEAR",
+ "gridlinesVisibilitySettings": {
+ "x": false,
+ "yLeft": false,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": -90
+ },
+ "layers": [
+ {
+ "accessors": [
+ "b1b1cc91-e400-414c-90b7-912cd62a404a"
+ ],
+ "isHistogram": true,
+ "layerId": "5e87aee1-99b0-42aa-8b38-30ad57feda11",
+ "layerType": "data",
+ "seriesType": "bar_stacked",
+ "simpleView": false,
+ "splitAccessor": "b3737588-4175-4ab0-b9da-23267d72fe70",
+ "xAccessor": "c3110bfa-477d-4c3d-9483-a63044c42900",
+ "xScaleType": "time",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "forAccessor": "b1b1cc91-e400-414c-90b7-912cd62a404a"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "legendSize": "auto",
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "showCurrentTimeMarker": false,
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": false,
+ "yLeftExtent": {
+ "enforce": true,
+ "mode": "full"
+ },
+ "yLeftScale": "linear",
+ "yRightScale": "linear",
+ "yTitle": "Count"
+ }
+ },
+ "title": "Number of Events Over Time By Channel [Windows Overview]",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 20,
+ "i": "57c36a54-2c5c-4ca5-ae9a-b2a9b71423cc",
+ "w": 36,
+ "x": 12,
+ "y": 5
+ },
+ "panelIndex": "57c36a54-2c5c-4ca5-ae9a-b2a9b71423cc",
+ "title": "Number of Events Over Time By Channel [Windows Overview]",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-f91444b8-f989-4d50-9791-659f63b410a6",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "f91444b8-f989-4d50-9791-659f63b410a6": {
+ "columnOrder": [
+ "d79151d8-0464-460f-985d-7710afd65951",
+ "f823b376-2c3e-4893-befa-3d99b5e4b54d"
+ ],
+ "columns": {
+ "d79151d8-0464-460f-985d-7710afd65951": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "winlog.provider_name: Descending",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "f823b376-2c3e-4893-befa-3d99b5e4b54d",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 7
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.provider_name"
+ },
+ "f823b376-2c3e-4893-befa-3d99b5e4b54d": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "layers": [
+ {
+ "categoryDisplay": "hide",
+ "emptySizeRatio": 0.3,
+ "layerId": "f91444b8-f989-4d50-9791-659f63b410a6",
+ "layerType": "data",
+ "legendDisplay": "hide",
+ "legendMaxLines": 1,
+ "legendPosition": "right",
+ "legendSize": "auto",
+ "metrics": [
+ "f823b376-2c3e-4893-befa-3d99b5e4b54d"
+ ],
+ "nestedLegend": false,
+ "numberDisplay": "percent",
+ "percentDecimals": 2,
+ "primaryGroups": [
+ "d79151d8-0464-460f-985d-7710afd65951"
+ ],
+ "secondaryGroups": [],
+ "showValuesInLegend": true,
+ "truncateLegend": true
+ }
+ ],
+ "shape": "pie"
+ }
+ },
+ "title": "Sources (Provider Names) [Windows Overview]",
+ "type": "lens",
+ "visualizationType": "lnsPie"
+ },
+ "enhancements": {}
+ },
+ "gridData": {
+ "h": 20,
+ "i": "49364a81-aad0-4123-9b41-e29cc0d20211",
+ "w": 16,
+ "x": 0,
+ "y": 25
+ },
+ "panelIndex": "49364a81-aad0-4123-9b41-e29cc0d20211",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-92b81c04-c009-42b2-a123-cbb40bacb21b",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "92b81c04-c009-42b2-a123-cbb40bacb21b": {
+ "columnOrder": [
+ "59206405-b932-4821-894f-0e7df0c64c49",
+ "72e6c0f0-dd8b-4557-a0a1-282c3a527bff"
+ ],
+ "columns": {
+ "59206405-b932-4821-894f-0e7df0c64c49": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Event IDs",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "72e6c0f0-dd8b-4557-a0a1-282c3a527bff",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.event_id"
+ },
+ "72e6c0f0-dd8b-4557-a0a1-282c3a527bff": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "alignment": "left",
+ "columnId": "72e6c0f0-dd8b-4557-a0a1-282c3a527bff"
+ },
+ {
+ "alignment": "left",
+ "columnId": "59206405-b932-4821-894f-0e7df0c64c49"
+ }
+ ],
+ "headerRowHeight": "single",
+ "layerId": "92b81c04-c009-42b2-a123-cbb40bacb21b",
+ "layerType": "data",
+ "paging": {
+ "enabled": true,
+ "size": 10
+ },
+ "rowHeight": "single"
+ }
+ },
+ "title": "Top Event IDs [Windows Overview]",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {}
+ },
+ "gridData": {
+ "h": 20,
+ "i": "24dc70bf-961d-43d5-bbaf-b596523308d8",
+ "w": 16,
+ "x": 16,
+ "y": 25
+ },
+ "panelIndex": "24dc70bf-961d-43d5-bbaf-b596523308d8",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-948e4465-d614-4c5c-845c-e2cc11f14b14",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "948e4465-d614-4c5c-845c-e2cc11f14b14": {
+ "columnOrder": [
+ "a86889ec-ce6a-4b72-90f2-73cdcdf5af59",
+ "3c6aceef-e72a-484a-a9b4-c9ccabad0da8"
+ ],
+ "columns": {
+ "3c6aceef-e72a-484a-a9b4-c9ccabad0da8": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "a86889ec-ce6a-4b72-90f2-73cdcdf5af59": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Log Levels",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "3c6aceef-e72a-484a-a9b4-c9ccabad0da8",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "log.level"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "alignment": "left",
+ "columnId": "3c6aceef-e72a-484a-a9b4-c9ccabad0da8"
+ },
+ {
+ "alignment": "left",
+ "columnId": "a86889ec-ce6a-4b72-90f2-73cdcdf5af59"
+ }
+ ],
+ "headerRowHeight": "single",
+ "layerId": "948e4465-d614-4c5c-845c-e2cc11f14b14",
+ "layerType": "data",
+ "paging": {
+ "enabled": true,
+ "size": 10
+ },
+ "rowHeight": "single"
+ }
+ },
+ "title": "Event Levels [Windows Overview]",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {}
+ },
+ "gridData": {
+ "h": 20,
+ "i": "8f939618-5923-43d4-9b23-57f7d21b4908",
+ "w": 16,
+ "x": 32,
+ "y": 25
+ },
+ "panelIndex": "8f939618-5923-43d4-9b23-57f7d21b4908",
+ "type": "lens",
+ "version": "8.7.0"
+ }
+ ],
+ "timeRestore": false,
+ "title": "[System] Windows Overview",
+ "version": 1
+ },
+ "coreMigrationVersion": "8.7.1",
+ "created_at": "2023-05-04T21:59:59.346Z",
+ "id": "system-Windows-Dashboard",
+ "migrationVersion": {
+ "dashboard": "8.7.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "f1073adc-88c7-4213-947d-72d05705e81a:indexpattern-datasource-layer-b8e30995-8308-4085-bebc-b744255d4471",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "57c36a54-2c5c-4ca5-ae9a-b2a9b71423cc:indexpattern-datasource-layer-5e87aee1-99b0-42aa-8b38-30ad57feda11",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "49364a81-aad0-4123-9b41-e29cc0d20211:indexpattern-datasource-layer-f91444b8-f989-4d50-9791-659f63b410a6",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "24dc70bf-961d-43d5-bbaf-b596523308d8:indexpattern-datasource-layer-92b81c04-c009-42b2-a123-cbb40bacb21b",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "8f939618-5923-43d4-9b23-57f7d21b4908:indexpattern-datasource-layer-948e4465-d614-4c5c-845c-e2cc11f14b14",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "dashboard"
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/kibana/dashboard/system-bae11b00-9bfc-11ea-87e4-49f31ec44891.json b/test/packages/parallel/system/kibana/dashboard/system-bae11b00-9bfc-11ea-87e4-49f31ec44891.json
new file mode 100644
index 000000000..8cd88e122
--- /dev/null
+++ b/test/packages/parallel/system/kibana/dashboard/system-bae11b00-9bfc-11ea-87e4-49f31ec44891.json
@@ -0,0 +1,1592 @@
+{
+ "attributes": {
+ "description": "User logon activity dashboard.",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": [
+ "system.security",
+ "windows.forwarded",
+ "windows.security"
+ ],
+ "type": "phrases"
+ },
+ "query": {
+ "bool": {
+ "minimum_should_match": 1,
+ "should": [
+ {
+ "match_phrase": {
+ "data_stream.dataset": "system.security"
+ }
+ },
+ {
+ "match_phrase": {
+ "data_stream.dataset": "windows.forwarded"
+ }
+ },
+ {
+ "match_phrase": {
+ "data_stream.dataset": "windows.security"
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
+ "key": "winlog.provider_name",
+ "negate": false,
+ "params": {
+ "query": "Microsoft-Windows-Security-Auditing"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "winlog.provider_name": "Microsoft-Windows-Security-Auditing"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "optionsJSON": {
+ "hidePanelTitles": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false,
+ "useMargins": false
+ },
+ "panelsJSON": [
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-0eeae7e3-4be6-439a-8d11-e248d89729c7",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "6c0aae98-74e3-48f0-bfe4-01114857e9ea",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "0eeae7e3-4be6-439a-8d11-e248d89729c7": {
+ "columnOrder": [
+ "6c20c34d-d053-4d81-9dc7-015ef4065cc8",
+ "011f8ab2-fbac-408d-b01a-100820072975",
+ "865f73fe-058f-468a-b4dc-e67be53b290b",
+ "bcb7b474-2877-4665-a58e-58279b2a85a0",
+ "a2383fe5-f58b-45bd-bc84-7750f113121e"
+ ],
+ "columns": {
+ "011f8ab2-fbac-408d-b01a-100820072975": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "user.name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "a2383fe5-f58b-45bd-bc84-7750f113121e",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "user.name"
+ },
+ "6c20c34d-d053-4d81-9dc7-015ef4065cc8": {
+ "customLabel": true,
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "Date",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": false,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "865f73fe-058f-468a-b4dc-e67be53b290b": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": true,
+ "label": "# Thread",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "a2383fe5-f58b-45bd-bc84-7750f113121e",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.process.thread.id"
+ },
+ "a2383fe5-f58b-45bd-bc84-7750f113121e": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "bcb7b474-2877-4665-a58e-58279b2a85a0": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "LogonID",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "a2383fe5-f58b-45bd-bc84-7750f113121e",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.logon.id"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "6c0aae98-74e3-48f0-bfe4-01114857e9ea",
+ "key": "event.code",
+ "negate": false,
+ "params": [
+ "4672"
+ ],
+ "type": "phrases",
+ "value": "4672"
+ },
+ "query": {
+ "bool": {
+ "minimum_should_match": 1,
+ "should": [
+ {
+ "match_phrase": {
+ "event.code": "4672"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "alignment": "left",
+ "columnId": "a2383fe5-f58b-45bd-bc84-7750f113121e"
+ },
+ {
+ "alignment": "left",
+ "columnId": "6c20c34d-d053-4d81-9dc7-015ef4065cc8"
+ },
+ {
+ "alignment": "left",
+ "columnId": "011f8ab2-fbac-408d-b01a-100820072975"
+ },
+ {
+ "alignment": "left",
+ "columnId": "865f73fe-058f-468a-b4dc-e67be53b290b"
+ },
+ {
+ "alignment": "left",
+ "columnId": "bcb7b474-2877-4665-a58e-58279b2a85a0"
+ }
+ ],
+ "headerRowHeight": "single",
+ "layerId": "0eeae7e3-4be6-439a-8d11-e248d89729c7",
+ "layerType": "data",
+ "paging": {
+ "enabled": true,
+ "size": 10
+ },
+ "rowHeight": "single"
+ }
+ },
+ "title": "Logged on Administrators [Windows System Security]",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {}
+ },
+ "gridData": {
+ "h": 28,
+ "i": "1",
+ "w": 18,
+ "x": 0,
+ "y": 34
+ },
+ "panelIndex": "1",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-7a52b543-0c01-4543-9ed6-a89dfbdd8b87",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "c92cd2bc-c3a2-40cf-8932-aa33cee31978",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "7a52b543-0c01-4543-9ed6-a89dfbdd8b87": {
+ "columnOrder": [
+ "c1fa9bb2-329d-452b-9aea-8019bbedf069",
+ "6d33622e-b154-4aee-91af-31f692da9922"
+ ],
+ "columns": {
+ "6d33622e-b154-4aee-91af-31f692da9922": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Unique count of winlog.logon.id",
+ "operationType": "unique_count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "winlog.logon.id"
+ },
+ "c1fa9bb2-329d-452b-9aea-8019bbedf069": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "user.name: Descending",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "6d33622e-b154-4aee-91af-31f692da9922",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "user.name"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "c92cd2bc-c3a2-40cf-8932-aa33cee31978",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4672"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match": {
+ "event.code": {
+ "query": "4672",
+ "type": "phrase"
+ }
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "layers": [
+ {
+ "categoryDisplay": "hide",
+ "emptySizeRatio": 0.3,
+ "layerId": "7a52b543-0c01-4543-9ed6-a89dfbdd8b87",
+ "layerType": "data",
+ "legendDisplay": "show",
+ "legendMaxLines": 1,
+ "legendPosition": "bottom",
+ "legendSize": "auto",
+ "metrics": [
+ "6d33622e-b154-4aee-91af-31f692da9922"
+ ],
+ "nestedLegend": false,
+ "numberDisplay": "percent",
+ "percentDecimals": 2,
+ "primaryGroups": [
+ "c1fa9bb2-329d-452b-9aea-8019bbedf069"
+ ],
+ "secondaryGroups": [],
+ "showValuesInLegend": true,
+ "truncateLegend": true
+ }
+ ],
+ "shape": "pie"
+ }
+ },
+ "title": "Administrator Users [Windows System Security]",
+ "type": "lens",
+ "visualizationType": "lnsPie"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 18,
+ "i": "3",
+ "w": 18,
+ "x": 0,
+ "y": 16
+ },
+ "panelIndex": "3",
+ "title": "Administrator Users [Windows System Security]",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {
+ "filter": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "description": "",
+ "params": {
+ "fontSize": 10,
+ "markdown": "## **Logon Information Dashboard**",
+ "openLinksInNewTab": false
+ },
+ "title": "User Logon Dashboard [Windows System Security]",
+ "type": "markdown",
+ "uiState": {}
+ }
+ },
+ "gridData": {
+ "h": 6,
+ "i": "4",
+ "w": 12,
+ "x": 0,
+ "y": 0
+ },
+ "panelIndex": "4",
+ "title": "",
+ "type": "visualization",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {}
+ },
+ "gridData": {
+ "h": 46,
+ "i": "10",
+ "w": 23,
+ "x": 0,
+ "y": 62
+ },
+ "panelIndex": "10",
+ "panelRefName": "panel_10",
+ "title": "Logon Details",
+ "type": "search",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {
+ "filter": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "description": "",
+ "params": {
+ "fontSize": 12,
+ "markdown": "[Windows Overview](#/dashboard/system-Windows-Dashboard) | **User Logon Information** | [Logon Failed and Account Lockout](#/dashboard/system-d401ef40-a7d5-11e9-a422-d144027429da) | [User Management Events](#/dashboard/system-71f720f0-ff18-11e9-8405-516218e3d268) | [Group Management Events](#/dashboard/system-bb858830-f412-11e9-8405-516218e3d268)",
+ "openLinksInNewTab": false
+ },
+ "title": "Dashboard links [Windows System Security]",
+ "type": "markdown",
+ "uiState": {}
+ }
+ },
+ "gridData": {
+ "h": 6,
+ "i": "34fc9633-8a7c-444d-8d19-06095b55fb43",
+ "w": 36,
+ "x": 12,
+ "y": 0
+ },
+ "panelIndex": "34fc9633-8a7c-444d-8d19-06095b55fb43",
+ "title": "",
+ "type": "visualization",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_logs-*/@timestamp": {
+ "allowNoIndex": false,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_logs-*/@timestamp",
+ "name": "logs-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "logs-*"
+ }
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "3dfd861c-68d7-44e0-9755-de21ecd15ba1": {
+ "columnOrder": [
+ "a278011b-444a-4e01-af26-6395f2f54bf1"
+ ],
+ "columns": {
+ "a278011b-444a-4e01-af26-6395f2f54bf1": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "((data_stream.dataset:windows.security OR data_stream.dataset:system.security) AND event.code: \"4672\")"
+ },
+ "isBucketed": false,
+ "label": "Administrator Logons",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "tsvb_ad_hoc_logs-*/@timestamp",
+ "name": "indexpattern-datasource-layer-3dfd861c-68d7-44e0-9755-de21ecd15ba1",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "accessor": "a278011b-444a-4e01-af26-6395f2f54bf1",
+ "layerId": "3dfd861c-68d7-44e0-9755-de21ecd15ba1",
+ "layerType": "data"
+ }
+ },
+ "title": "TSVB visualization",
+ "type": "lens",
+ "visualizationType": "lnsLegacyMetric"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 10,
+ "i": "f2925b5d-a820-428f-83dc-a547186bcbe6",
+ "w": 9,
+ "x": 0,
+ "y": 6
+ },
+ "panelIndex": "f2925b5d-a820-428f-83dc-a547186bcbe6",
+ "title": "",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_logs-*/@timestamp": {
+ "allowNoIndex": false,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_logs-*/@timestamp",
+ "name": "logs-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "logs-*"
+ }
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "83d20141-1b90-44a1-ac90-a024a460e2f7": {
+ "columnOrder": [
+ "f6e7fa4a-d41d-41e3-b8cb-112a3d34d3be"
+ ],
+ "columns": {
+ "f6e7fa4a-d41d-41e3-b8cb-112a3d34d3be": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "((data_stream.dataset:windows.security OR data_stream.dataset:system.security) AND event.code: \"4624\")"
+ },
+ "isBucketed": false,
+ "label": "Logons ",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "tsvb_ad_hoc_logs-*/@timestamp",
+ "name": "indexpattern-datasource-layer-83d20141-1b90-44a1-ac90-a024a460e2f7",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "accessor": "f6e7fa4a-d41d-41e3-b8cb-112a3d34d3be",
+ "layerId": "83d20141-1b90-44a1-ac90-a024a460e2f7",
+ "layerType": "data"
+ }
+ },
+ "title": "TSVB visualization",
+ "type": "lens",
+ "visualizationType": "lnsLegacyMetric"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 10,
+ "i": "b6b45344-9881-4adf-ae69-4b892d976e63",
+ "w": 9,
+ "x": 9,
+ "y": 6
+ },
+ "panelIndex": "b6b45344-9881-4adf-ae69-4b892d976e63",
+ "title": "",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_logs-*/@timestamp": {
+ "allowNoIndex": false,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_logs-*/@timestamp",
+ "name": "logs-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "logs-*"
+ }
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "e6fef655-e731-4662-95d5-1d528e81aa31": {
+ "columnOrder": [
+ "d2c3177a-a480-4200-9cd1-e40f87f81192",
+ "23784821-7b5a-4a62-ba6f-000d1600ac1f",
+ "c496f94a-303f-4786-a5cf-16ffbda12881"
+ ],
+ "columns": {
+ "23784821-7b5a-4a62-ba6f-000d1600ac1f": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Filters",
+ "operationType": "filters",
+ "params": {
+ "filters": [
+ {
+ "input": {
+ "language": "kuery",
+ "query": "event.code: \"4672\""
+ },
+ "label": "Admin logons"
+ },
+ {
+ "input": {
+ "language": "kuery",
+ "query": "event.code: \"4624\""
+ },
+ "label": "Logon Events"
+ }
+ ]
+ },
+ "scale": "ordinal"
+ },
+ "c496f94a-303f-4786-a5cf-16ffbda12881": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "d2c3177a-a480-4200-9cd1-e40f87f81192": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "tsvb_ad_hoc_logs-*/@timestamp",
+ "name": "indexpattern-datasource-layer-e6fef655-e731-4662-95d5-1d528e81aa31",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "fillOpacity": 0.5,
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "c496f94a-303f-4786-a5cf-16ffbda12881"
+ ],
+ "layerId": "e6fef655-e731-4662-95d5-1d528e81aa31",
+ "layerType": "data",
+ "seriesType": "line",
+ "splitAccessor": "23784821-7b5a-4a62-ba6f-000d1600ac1f",
+ "xAccessor": "d2c3177a-a480-4200-9cd1-e40f87f81192",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "#68BC00",
+ "forAccessor": "c496f94a-303f-4786-a5cf-16ffbda12881"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "line",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yLeftScale": "linear",
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yRightScale": "linear"
+ }
+ },
+ "title": "Logon Events Timeline",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 13,
+ "i": "e6bde0c0-6365-4c2a-b6d1-232e936d592e",
+ "w": 30,
+ "x": 18,
+ "y": 6
+ },
+ "panelIndex": "e6bde0c0-6365-4c2a-b6d1-232e936d592e",
+ "title": "Logon Events Timeline",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-674fcc58-08d6-4ab5-b6cb-671d86391a1f",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "0b35b218-725a-492d-8a26-fc07ece4cefa",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "674fcc58-08d6-4ab5-b6cb-671d86391a1f": {
+ "columnOrder": [
+ "d3920133-e719-4f21-96b0-de104644c62d",
+ "c5eeb90d-c93c-45c6-a105-cd6dd7de45c9"
+ ],
+ "columns": {
+ "c5eeb90d-c93c-45c6-a105-cd6dd7de45c9": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Unique count of winlog.logon.id",
+ "operationType": "unique_count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "winlog.logon.id"
+ },
+ "d3920133-e719-4f21-96b0-de104644c62d": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "winlog.logon.type: Descending",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "c5eeb90d-c93c-45c6-a105-cd6dd7de45c9",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 20
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.logon.type"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "0b35b218-725a-492d-8a26-fc07ece4cefa",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4624"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4624"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "layers": [
+ {
+ "categoryDisplay": "hide",
+ "emptySizeRatio": 0.3,
+ "layerId": "674fcc58-08d6-4ab5-b6cb-671d86391a1f",
+ "layerType": "data",
+ "legendDisplay": "show",
+ "legendMaxLines": 1,
+ "legendPosition": "right",
+ "legendSize": "auto",
+ "metrics": [
+ "c5eeb90d-c93c-45c6-a105-cd6dd7de45c9"
+ ],
+ "nestedLegend": false,
+ "numberDisplay": "percent",
+ "percentDecimals": 2,
+ "primaryGroups": [
+ "d3920133-e719-4f21-96b0-de104644c62d"
+ ],
+ "secondaryGroups": [],
+ "showValuesInLegend": true,
+ "truncateLegend": true
+ }
+ ],
+ "shape": "pie"
+ }
+ },
+ "title": "Logon Types [Windows System Security]",
+ "type": "lens",
+ "visualizationType": "lnsPie"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "cf50b48e-453c-46fb-ad35-7ccfb7b03de0",
+ "w": 15,
+ "x": 18,
+ "y": 19
+ },
+ "panelIndex": "cf50b48e-453c-46fb-ad35-7ccfb7b03de0",
+ "title": "Logon Types [Windows System Security]",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-00652829-18f8-4bed-9423-c1b08879fa96",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "b48f02eb-a573-4758-a23f-ab02a2379751",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "00652829-18f8-4bed-9423-c1b08879fa96": {
+ "columnOrder": [
+ "028821e7-2e7e-4604-ac9d-25e9d90bbb0d",
+ "0d65d110-92d0-42b0-a150-f5d7c154122c"
+ ],
+ "columns": {
+ "028821e7-2e7e-4604-ac9d-25e9d90bbb0d": {
+ "customLabel": true,
+ "dataType": "ip",
+ "isBucketed": true,
+ "label": "Logon Source IP",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "0d65d110-92d0-42b0-a150-f5d7c154122c",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "source.ip"
+ },
+ "0d65d110-92d0-42b0-a150-f5d7c154122c": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "b48f02eb-a573-4758-a23f-ab02a2379751",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": [
+ "windows.security",
+ "system.security"
+ ],
+ "type": "phrases",
+ "value": [
+ "windows.security",
+ "system.security"
+ ]
+ },
+ "query": {
+ "bool": {
+ "minimum_should_match": 1,
+ "should": [
+ {
+ "match_phrase": {
+ "data_stream.dataset": "windows.security"
+ }
+ },
+ {
+ "match_phrase": {
+ "data_stream.dataset": "system.security"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "0d65d110-92d0-42b0-a150-f5d7c154122c"
+ ],
+ "layerId": "00652829-18f8-4bed-9423-c1b08879fa96",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "bar_horizontal",
+ "showGridlines": false,
+ "xAccessor": "028821e7-2e7e-4604-ac9d-25e9d90bbb0d"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right"
+ },
+ "preferredSeriesType": "bar_horizontal",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "2ccb4f49-c9ee-48a0-b602-f86fa0e21504",
+ "w": 15,
+ "x": 33,
+ "y": 19
+ },
+ "panelIndex": "2ccb4f49-c9ee-48a0-b602-f86fa0e21504",
+ "title": "Logon Sources [Windows System Security]",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {}
+ },
+ "gridData": {
+ "h": 28,
+ "i": "454bb008-9720-455e-8ab9-b2f47d25aa4f",
+ "w": 18,
+ "x": 18,
+ "y": 34
+ },
+ "panelIndex": "454bb008-9720-455e-8ab9-b2f47d25aa4f",
+ "panelRefName": "panel_454bb008-9720-455e-8ab9-b2f47d25aa4f",
+ "title": "RDP Reconnections and Desconnections",
+ "type": "search",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-4a1aa374-6802-4ad3-aaa8-5178d0944859",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "d5b55106-1b94-4e5d-af4a-30edbe70102e",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "4a1aa374-6802-4ad3-aaa8-5178d0944859": {
+ "columnOrder": [
+ "8bb80378-dfd5-4dbc-bc6c-6a311530b1f0",
+ "71ed13d3-5581-4cb5-a9fd-c2137e961d1e",
+ "c46bc820-0dbe-4560-8250-1c4c414bbfc0",
+ "8602e508-3dc5-4e7e-a87e-8fd9ddf7b1d9",
+ "c8f202eb-e9fe-469f-8a65-72c55a8755f9"
+ ],
+ "columns": {
+ "71ed13d3-5581-4cb5-a9fd-c2137e961d1e": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "subjectUserName",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "c8f202eb-e9fe-469f-8a65-72c55a8755f9",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.event_data.SubjectUserName"
+ },
+ "8602e508-3dc5-4e7e-a87e-8fd9ddf7b1d9": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "LogonID",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "c8f202eb-e9fe-469f-8a65-72c55a8755f9",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.logon.id"
+ },
+ "8bb80378-dfd5-4dbc-bc6c-6a311530b1f0": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "user.name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "c8f202eb-e9fe-469f-8a65-72c55a8755f9",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 200
+ },
+ "scale": "ordinal",
+ "sourceField": "user.name"
+ },
+ "c46bc820-0dbe-4560-8250-1c4c414bbfc0": {
+ "customLabel": true,
+ "dataType": "ip",
+ "isBucketed": true,
+ "label": "source.ip",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "c8f202eb-e9fe-469f-8a65-72c55a8755f9",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "source.ip"
+ },
+ "c8f202eb-e9fe-469f-8a65-72c55a8755f9": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "d5b55106-1b94-4e5d-af4a-30edbe70102e",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4648"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4648"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "alignment": "left",
+ "columnId": "c8f202eb-e9fe-469f-8a65-72c55a8755f9"
+ },
+ {
+ "alignment": "left",
+ "columnId": "8bb80378-dfd5-4dbc-bc6c-6a311530b1f0"
+ },
+ {
+ "alignment": "left",
+ "columnId": "71ed13d3-5581-4cb5-a9fd-c2137e961d1e"
+ },
+ {
+ "alignment": "left",
+ "columnId": "c46bc820-0dbe-4560-8250-1c4c414bbfc0"
+ },
+ {
+ "alignment": "left",
+ "columnId": "8602e508-3dc5-4e7e-a87e-8fd9ddf7b1d9"
+ }
+ ],
+ "headerRowHeight": "single",
+ "layerId": "4a1aa374-6802-4ad3-aaa8-5178d0944859",
+ "layerType": "data",
+ "paging": {
+ "enabled": true,
+ "size": 10
+ },
+ "rowHeight": "single"
+ }
+ },
+ "title": "Logon with Explicit Credentials [Windows System Security]",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 28,
+ "i": "29a0e70a-ab23-4d48-8d4e-9a39c5af47ad",
+ "w": 12,
+ "x": 36,
+ "y": 34
+ },
+ "panelIndex": "29a0e70a-ab23-4d48-8d4e-9a39c5af47ad",
+ "title": "Logon with Explicit Credentials [Windows System Security]",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {}
+ },
+ "gridData": {
+ "h": 46,
+ "i": "28115147-8399-4fcd-95ce-ed0a4f4239e3",
+ "w": 25,
+ "x": 23,
+ "y": 62
+ },
+ "panelIndex": "28115147-8399-4fcd-95ce-ed0a4f4239e3",
+ "panelRefName": "panel_28115147-8399-4fcd-95ce-ed0a4f4239e3",
+ "title": "Logout Details",
+ "type": "search",
+ "version": "8.7.0"
+ }
+ ],
+ "timeRestore": false,
+ "title": "[System Windows Security] User Logons",
+ "version": 1
+ },
+ "coreMigrationVersion": "8.7.1",
+ "created_at": "2023-05-04T21:59:59.346Z",
+ "id": "system-bae11b00-9bfc-11ea-87e4-49f31ec44891",
+ "migrationVersion": {
+ "dashboard": "8.7.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "1:indexpattern-datasource-layer-0eeae7e3-4be6-439a-8d11-e248d89729c7",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "1:6c0aae98-74e3-48f0-bfe4-01114857e9ea",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "3:indexpattern-datasource-layer-7a52b543-0c01-4543-9ed6-a89dfbdd8b87",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "3:c92cd2bc-c3a2-40cf-8932-aa33cee31978",
+ "type": "index-pattern"
+ },
+ {
+ "id": "system-ce71c9a0-a25e-11e9-a422-d144027429da",
+ "name": "10:panel_10",
+ "type": "search"
+ },
+ {
+ "id": "logs-*",
+ "name": "cf50b48e-453c-46fb-ad35-7ccfb7b03de0:indexpattern-datasource-layer-674fcc58-08d6-4ab5-b6cb-671d86391a1f",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "cf50b48e-453c-46fb-ad35-7ccfb7b03de0:0b35b218-725a-492d-8a26-fc07ece4cefa",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "2ccb4f49-c9ee-48a0-b602-f86fa0e21504:indexpattern-datasource-layer-00652829-18f8-4bed-9423-c1b08879fa96",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "2ccb4f49-c9ee-48a0-b602-f86fa0e21504:b48f02eb-a573-4758-a23f-ab02a2379751",
+ "type": "index-pattern"
+ },
+ {
+ "id": "system-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3",
+ "name": "454bb008-9720-455e-8ab9-b2f47d25aa4f:panel_454bb008-9720-455e-8ab9-b2f47d25aa4f",
+ "type": "search"
+ },
+ {
+ "id": "logs-*",
+ "name": "29a0e70a-ab23-4d48-8d4e-9a39c5af47ad:indexpattern-datasource-layer-4a1aa374-6802-4ad3-aaa8-5178d0944859",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "29a0e70a-ab23-4d48-8d4e-9a39c5af47ad:d5b55106-1b94-4e5d-af4a-30edbe70102e",
+ "type": "index-pattern"
+ },
+ {
+ "id": "system-06b6b060-7a80-11ea-bc9a-0baf2ca323a3",
+ "name": "28115147-8399-4fcd-95ce-ed0a4f4239e3:panel_28115147-8399-4fcd-95ce-ed0a4f4239e3",
+ "type": "search"
+ }
+ ],
+ "type": "dashboard"
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/kibana/dashboard/system-bb858830-f412-11e9-8405-516218e3d268.json b/test/packages/parallel/system/kibana/dashboard/system-bb858830-f412-11e9-8405-516218e3d268.json
new file mode 100644
index 000000000..9146a205b
--- /dev/null
+++ b/test/packages/parallel/system/kibana/dashboard/system-bb858830-f412-11e9-8405-516218e3d268.json
@@ -0,0 +1,4431 @@
+{
+ "attributes": {
+ "description": "Group management activity.",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": [
+ "system.security",
+ "windows.forwarded",
+ "windows.security"
+ ],
+ "type": "phrases"
+ },
+ "query": {
+ "bool": {
+ "minimum_should_match": 1,
+ "should": [
+ {
+ "match_phrase": {
+ "data_stream.dataset": "system.security"
+ }
+ },
+ {
+ "match_phrase": {
+ "data_stream.dataset": "windows.forwarded"
+ }
+ },
+ {
+ "match_phrase": {
+ "data_stream.dataset": "windows.security"
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
+ "key": "winlog.provider_name",
+ "negate": false,
+ "params": {
+ "query": "Microsoft-Windows-Security-Auditing"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "winlog.provider_name": "Microsoft-Windows-Security-Auditing"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "optionsJSON": {
+ "hidePanelTitles": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false,
+ "useMargins": false
+ },
+ "panelsJSON": [
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {
+ "filter": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "description": "",
+ "params": {
+ "fontSize": 10,
+ "markdown": "# **Group Management Events**\n\n#### This dashboard shows information about Group Management Events collected by the Elastic Agent Windows integrations (System, Windows, Custom Windows Event Logs).\n",
+ "openLinksInNewTab": false
+ },
+ "title": "Group Management Events - Description [Windows System Security]",
+ "type": "markdown",
+ "uiState": {}
+ }
+ },
+ "gridData": {
+ "h": 7,
+ "i": "22",
+ "w": 16,
+ "x": 0,
+ "y": 0
+ },
+ "panelIndex": "22",
+ "title": "",
+ "type": "visualization",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-bd7f857d-8824-4cfa-b6a9-85f4efdc2623",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "a19c4278-5416-4446-99a1-0c0b841ad56b",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "bd7f857d-8824-4cfa-b6a9-85f4efdc2623": {
+ "columnOrder": [
+ "7f1d902e-af5f-4b65-a519-9ef6003f7e44",
+ "941899f1-1b0a-4ca2-9fd4-ec751ecd6ca3",
+ "6aa544a5-ecf4-4401-989d-bf738652c121",
+ "2d5bc858-8374-44e4-a40f-0182d750e7c9",
+ "7c3baf0b-0f49-4022-b50a-c7d4f6280003"
+ ],
+ "columns": {
+ "2d5bc858-8374-44e4-a40f-0182d750e7c9": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Performer LogonID",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "7c3baf0b-0f49-4022-b50a-c7d4f6280003",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.logon.id"
+ },
+ "6aa544a5-ecf4-4401-989d-bf738652c121": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Performed by",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "7c3baf0b-0f49-4022-b50a-c7d4f6280003",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.event_data.SubjectUserName"
+ },
+ "7c3baf0b-0f49-4022-b50a-c7d4f6280003": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "7f1d902e-af5f-4b65-a519-9ef6003f7e44": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Group",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "7c3baf0b-0f49-4022-b50a-c7d4f6280003",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 20
+ },
+ "scale": "ordinal",
+ "sourceField": "group.name"
+ },
+ "941899f1-1b0a-4ca2-9fd4-ec751ecd6ca3": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Domain",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "7c3baf0b-0f49-4022-b50a-c7d4f6280003",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "group.domain"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "a19c4278-5416-4446-99a1-0c0b841ad56b",
+ "key": "event.code",
+ "negate": false,
+ "params": [
+ "4731",
+ "4727",
+ "4754",
+ "4744",
+ "4759",
+ "4779",
+ "4790",
+ "4783"
+ ],
+ "type": "phrases",
+ "value": "4731, 4727, 4754, 4744, 4759, 4779, 4790, 4783"
+ },
+ "query": {
+ "bool": {
+ "minimum_should_match": 1,
+ "should": [
+ {
+ "match_phrase": {
+ "event.code": "4731"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4727"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4754"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4744"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4759"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4779"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4790"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4783"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "alignment": "left",
+ "columnId": "7c3baf0b-0f49-4022-b50a-c7d4f6280003"
+ },
+ {
+ "alignment": "left",
+ "columnId": "7f1d902e-af5f-4b65-a519-9ef6003f7e44"
+ },
+ {
+ "alignment": "left",
+ "columnId": "941899f1-1b0a-4ca2-9fd4-ec751ecd6ca3"
+ },
+ {
+ "alignment": "left",
+ "columnId": "6aa544a5-ecf4-4401-989d-bf738652c121"
+ },
+ {
+ "alignment": "left",
+ "columnId": "2d5bc858-8374-44e4-a40f-0182d750e7c9"
+ }
+ ],
+ "headerRowHeight": "single",
+ "layerId": "bd7f857d-8824-4cfa-b6a9-85f4efdc2623",
+ "layerType": "data",
+ "paging": {
+ "enabled": true,
+ "size": 5
+ },
+ "rowHeight": "single"
+ }
+ },
+ "title": "Groups Created - Table [Windows System Security]",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 13,
+ "i": "36",
+ "w": 9,
+ "x": 0,
+ "y": 55
+ },
+ "panelIndex": "36",
+ "title": "Groups Created - Table [Windows System Security]",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-b600888f-707d-4333-b65c-64ccd1512086",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "c1e670c6-0a4d-4954-82f9-51dc32e07139",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "b600888f-707d-4333-b65c-64ccd1512086": {
+ "columnOrder": [
+ "c56afdf2-4288-4388-804c-a8d44425a564",
+ "bb1a6287-e2d3-4136-9e1c-773f5b041afb",
+ "054a5d8e-b121-4790-bd89-f497705b33e4",
+ "8e115107-32e4-4af6-b61c-2f8d5442286d",
+ "0ae4bc48-8f3e-4bbb-8a14-a47cfa5983f7"
+ ],
+ "columns": {
+ "054a5d8e-b121-4790-bd89-f497705b33e4": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Performed by",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "0ae4bc48-8f3e-4bbb-8a14-a47cfa5983f7",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.event_data.SubjectUserName"
+ },
+ "0ae4bc48-8f3e-4bbb-8a14-a47cfa5983f7": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "8e115107-32e4-4af6-b61c-2f8d5442286d": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Performer LogonID",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "0ae4bc48-8f3e-4bbb-8a14-a47cfa5983f7",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.logon.id"
+ },
+ "bb1a6287-e2d3-4136-9e1c-773f5b041afb": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Domain",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "0ae4bc48-8f3e-4bbb-8a14-a47cfa5983f7",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "group.domain"
+ },
+ "c56afdf2-4288-4388-804c-a8d44425a564": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Group",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "0ae4bc48-8f3e-4bbb-8a14-a47cfa5983f7",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 20
+ },
+ "scale": "ordinal",
+ "sourceField": "group.name"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "c1e670c6-0a4d-4954-82f9-51dc32e07139",
+ "key": "event.code",
+ "negate": false,
+ "params": [
+ "4735",
+ "4737",
+ "4755",
+ "4750",
+ "4760",
+ "4745",
+ "4791",
+ "4784",
+ "4764"
+ ],
+ "type": "phrases",
+ "value": "4735, 4737, 4755, 4750, 4760, 4745, 4791, 4784, 4764"
+ },
+ "query": {
+ "bool": {
+ "minimum_should_match": 1,
+ "should": [
+ {
+ "match_phrase": {
+ "event.code": "4735"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4737"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4755"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4750"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4760"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4745"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4791"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4784"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4764"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "alignment": "left",
+ "columnId": "0ae4bc48-8f3e-4bbb-8a14-a47cfa5983f7"
+ },
+ {
+ "alignment": "left",
+ "columnId": "c56afdf2-4288-4388-804c-a8d44425a564"
+ },
+ {
+ "alignment": "left",
+ "columnId": "bb1a6287-e2d3-4136-9e1c-773f5b041afb"
+ },
+ {
+ "alignment": "left",
+ "columnId": "054a5d8e-b121-4790-bd89-f497705b33e4"
+ },
+ {
+ "alignment": "left",
+ "columnId": "8e115107-32e4-4af6-b61c-2f8d5442286d"
+ }
+ ],
+ "headerRowHeight": "single",
+ "layerId": "b600888f-707d-4333-b65c-64ccd1512086",
+ "layerType": "data",
+ "paging": {
+ "enabled": true,
+ "size": 5
+ },
+ "rowHeight": "single"
+ }
+ },
+ "title": "Group Changes - Table [Windows System Security]",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 13,
+ "i": "37",
+ "w": 9,
+ "x": 9,
+ "y": 55
+ },
+ "panelIndex": "37",
+ "title": "Group Changes - Table [Windows System Security]",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-4f4fa0d5-5ea9-45ba-9214-d1fe2310876f",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "3d460e27-249d-4c99-831f-193ccd17f8f4",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "4f4fa0d5-5ea9-45ba-9214-d1fe2310876f": {
+ "columnOrder": [
+ "f91ab9f5-c2a5-4590-875c-fabf6d047e37",
+ "1afb18ce-62b9-4585-9dea-0e4310a67c50",
+ "6d13ad70-08bd-44d9-963f-1f8872cc7d79",
+ "29662a4b-5326-4531-8996-2b95afb69ed3",
+ "9b24429a-7651-4972-aed9-83971847531b"
+ ],
+ "columns": {
+ "1afb18ce-62b9-4585-9dea-0e4310a67c50": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Domain",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "9b24429a-7651-4972-aed9-83971847531b",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "group.domain"
+ },
+ "29662a4b-5326-4531-8996-2b95afb69ed3": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Performer LogonID",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "9b24429a-7651-4972-aed9-83971847531b",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.logon.id"
+ },
+ "6d13ad70-08bd-44d9-963f-1f8872cc7d79": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Performed by",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "9b24429a-7651-4972-aed9-83971847531b",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.event_data.SubjectUserName"
+ },
+ "9b24429a-7651-4972-aed9-83971847531b": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "f91ab9f5-c2a5-4590-875c-fabf6d047e37": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Group",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "9b24429a-7651-4972-aed9-83971847531b",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 20
+ },
+ "scale": "ordinal",
+ "sourceField": "group.name"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "3d460e27-249d-4c99-831f-193ccd17f8f4",
+ "key": "event.code",
+ "negate": false,
+ "params": [
+ "4734",
+ "4730",
+ "4758",
+ "4748",
+ "4763",
+ "4753",
+ "4792",
+ "4789"
+ ],
+ "type": "phrases",
+ "value": "4734, 4730, 4758, 4748, 4763, 4753, 4792, 4789"
+ },
+ "query": {
+ "bool": {
+ "minimum_should_match": 1,
+ "should": [
+ {
+ "match_phrase": {
+ "event.code": "4734"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4730"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4758"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4748"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4763"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4753"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4792"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4789"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "alignment": "left",
+ "columnId": "9b24429a-7651-4972-aed9-83971847531b"
+ },
+ {
+ "alignment": "left",
+ "columnId": "f91ab9f5-c2a5-4590-875c-fabf6d047e37"
+ },
+ {
+ "alignment": "left",
+ "columnId": "1afb18ce-62b9-4585-9dea-0e4310a67c50"
+ },
+ {
+ "alignment": "left",
+ "columnId": "6d13ad70-08bd-44d9-963f-1f8872cc7d79"
+ },
+ {
+ "alignment": "left",
+ "columnId": "29662a4b-5326-4531-8996-2b95afb69ed3"
+ }
+ ],
+ "headerRowHeight": "single",
+ "layerId": "4f4fa0d5-5ea9-45ba-9214-d1fe2310876f",
+ "layerType": "data",
+ "paging": {
+ "enabled": true,
+ "size": 5
+ },
+ "rowHeight": "single"
+ }
+ },
+ "title": "Groups Deleted - Table [Windows System Security]",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 13,
+ "i": "38",
+ "w": 9,
+ "x": 18,
+ "y": 55
+ },
+ "panelIndex": "38",
+ "title": "Groups Deleted - Table [Windows System Security]",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-ec211cdc-aeae-4682-9cc8-deec18aee3d1",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "dcdfe597-2586-47d7-a08a-d204f5caebbb",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "ec211cdc-aeae-4682-9cc8-deec18aee3d1": {
+ "columnOrder": [
+ "2cef85a9-ce4b-4803-a11a-fb8d474d54b5",
+ "a9cfc671-e843-46b8-a08b-173da51037a9",
+ "e42f2fdf-510a-4da6-9839-a5678ca093e4",
+ "4938a319-1510-4931-8d5f-fd64137d7bda",
+ "305d7edd-b815-4333-b542-dd82ceee2ea7",
+ "f6418ff7-7f4c-4b47-ada1-effc9abc019e"
+ ],
+ "columns": {
+ "2cef85a9-ce4b-4803-a11a-fb8d474d54b5": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "User",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "f6418ff7-7f4c-4b47-ada1-effc9abc019e",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.event_data.MemberName"
+ },
+ "305d7edd-b815-4333-b542-dd82ceee2ea7": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Performed by Logon ID",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "f6418ff7-7f4c-4b47-ada1-effc9abc019e",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.logon.id"
+ },
+ "4938a319-1510-4931-8d5f-fd64137d7bda": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Performed by",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "f6418ff7-7f4c-4b47-ada1-effc9abc019e",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "user.name"
+ },
+ "a9cfc671-e843-46b8-a08b-173da51037a9": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Group",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "f6418ff7-7f4c-4b47-ada1-effc9abc019e",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "group.name"
+ },
+ "e42f2fdf-510a-4da6-9839-a5678ca093e4": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Domain",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "f6418ff7-7f4c-4b47-ada1-effc9abc019e",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "group.domain"
+ },
+ "f6418ff7-7f4c-4b47-ada1-effc9abc019e": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "dcdfe597-2586-47d7-a08a-d204f5caebbb",
+ "key": "event.code",
+ "negate": false,
+ "params": [
+ "4732",
+ "4728",
+ "4756",
+ "4751",
+ "4761",
+ "4746",
+ "4785",
+ "4787"
+ ],
+ "type": "phrases",
+ "value": "4732, 4728, 4756, 4751, 4761, 4746, 4785, 4787"
+ },
+ "query": {
+ "bool": {
+ "minimum_should_match": 1,
+ "should": [
+ {
+ "match_phrase": {
+ "event.code": "4732"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4728"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4756"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4751"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4761"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4746"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4785"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4787"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "alignment": "left",
+ "columnId": "f6418ff7-7f4c-4b47-ada1-effc9abc019e"
+ },
+ {
+ "alignment": "left",
+ "columnId": "2cef85a9-ce4b-4803-a11a-fb8d474d54b5"
+ },
+ {
+ "alignment": "left",
+ "columnId": "a9cfc671-e843-46b8-a08b-173da51037a9"
+ },
+ {
+ "alignment": "left",
+ "columnId": "e42f2fdf-510a-4da6-9839-a5678ca093e4"
+ },
+ {
+ "alignment": "left",
+ "columnId": "4938a319-1510-4931-8d5f-fd64137d7bda"
+ },
+ {
+ "alignment": "left",
+ "columnId": "305d7edd-b815-4333-b542-dd82ceee2ea7"
+ }
+ ],
+ "headerRowHeight": "single",
+ "layerId": "ec211cdc-aeae-4682-9cc8-deec18aee3d1",
+ "layerType": "data",
+ "paging": {
+ "enabled": true,
+ "size": 5
+ },
+ "rowHeight": "single"
+ }
+ },
+ "title": "Users Added - Table [Windows System Security]",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 14,
+ "i": "39",
+ "w": 16,
+ "x": 0,
+ "y": 75
+ },
+ "panelIndex": "39",
+ "title": "Users Added - Table [Windows System Security]",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-ac94b4e8-791d-42c3-923b-d871496199d8",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "ba9b962b-bc66-4c05-89c7-bbcfea69b19d",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "ac94b4e8-791d-42c3-923b-d871496199d8": {
+ "columnOrder": [
+ "5567fdee-554a-47ce-857f-67d88d8d0525",
+ "0bbbe141-f2c1-4d1c-8c97-cdccce1645c4",
+ "742898ba-a8f4-4374-8f8e-89e8c8e1d895",
+ "48ce407b-3a27-45b2-81a2-c2a7777d5b6b",
+ "916dfdf0-0aac-4720-ae54-fae544299b7d",
+ "8270757b-487a-4232-a473-2392e043ece1"
+ ],
+ "columns": {
+ "0bbbe141-f2c1-4d1c-8c97-cdccce1645c4": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Group",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "8270757b-487a-4232-a473-2392e043ece1",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "group.name"
+ },
+ "48ce407b-3a27-45b2-81a2-c2a7777d5b6b": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Performed by",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "8270757b-487a-4232-a473-2392e043ece1",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.event_data.SubjectUserName"
+ },
+ "5567fdee-554a-47ce-857f-67d88d8d0525": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "User",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "8270757b-487a-4232-a473-2392e043ece1",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.event_data.MemberName"
+ },
+ "742898ba-a8f4-4374-8f8e-89e8c8e1d895": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Domain",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "8270757b-487a-4232-a473-2392e043ece1",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "group.domain"
+ },
+ "8270757b-487a-4232-a473-2392e043ece1": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "916dfdf0-0aac-4720-ae54-fae544299b7d": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Performed by Logon ID",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "8270757b-487a-4232-a473-2392e043ece1",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.logon.id"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "ba9b962b-bc66-4c05-89c7-bbcfea69b19d",
+ "key": "event.code",
+ "negate": false,
+ "params": [
+ "4733",
+ "4729",
+ "4757",
+ "4786",
+ "4788",
+ "4752",
+ "4762",
+ "4747"
+ ],
+ "type": "phrases",
+ "value": "4733, 4729, 4757, 4786, 4788, 4752, 4762, 4747"
+ },
+ "query": {
+ "bool": {
+ "minimum_should_match": 1,
+ "should": [
+ {
+ "match_phrase": {
+ "event.code": "4733"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4729"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4757"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4786"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4788"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4752"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4762"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4747"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "alignment": "left",
+ "columnId": "8270757b-487a-4232-a473-2392e043ece1"
+ },
+ {
+ "alignment": "left",
+ "columnId": "5567fdee-554a-47ce-857f-67d88d8d0525"
+ },
+ {
+ "alignment": "left",
+ "columnId": "0bbbe141-f2c1-4d1c-8c97-cdccce1645c4"
+ },
+ {
+ "alignment": "left",
+ "columnId": "742898ba-a8f4-4374-8f8e-89e8c8e1d895"
+ },
+ {
+ "alignment": "left",
+ "columnId": "48ce407b-3a27-45b2-81a2-c2a7777d5b6b"
+ },
+ {
+ "alignment": "left",
+ "columnId": "916dfdf0-0aac-4720-ae54-fae544299b7d"
+ }
+ ],
+ "headerRowHeight": "single",
+ "layerId": "ac94b4e8-791d-42c3-923b-d871496199d8",
+ "layerType": "data",
+ "paging": {
+ "enabled": true,
+ "size": 5
+ },
+ "rowHeight": "single"
+ }
+ },
+ "title": "Users Removed from Group - Table [Windows System Security]",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 14,
+ "i": "40",
+ "w": 17,
+ "x": 16,
+ "y": 75
+ },
+ "panelIndex": "40",
+ "title": "Users Removed from Group - Table [Windows System Security]",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-1b283aa0-01f0-4d69-9338-1d312aa7409a",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "5fd25934-f4ed-4561-8e83-22d8642198fe",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "1b283aa0-01f0-4d69-9338-1d312aa7409a": {
+ "columnOrder": [
+ "bf39160d-a5ee-43ec-8231-c228b273d0db",
+ "281b8735-ca43-45ad-b6db-bd7bcfc36ba3",
+ "aeac3302-fabf-4396-973b-e3129d83f10b",
+ "7e13870d-43ba-4c46-a8d2-fafd4d61636e",
+ "32cabe3d-6f07-4dcd-9f86-29a535239e11"
+ ],
+ "columns": {
+ "281b8735-ca43-45ad-b6db-bd7bcfc36ba3": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Domain",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "32cabe3d-6f07-4dcd-9f86-29a535239e11",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "group.domain"
+ },
+ "32cabe3d-6f07-4dcd-9f86-29a535239e11": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "7e13870d-43ba-4c46-a8d2-fafd4d61636e": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Creator LogonID",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "32cabe3d-6f07-4dcd-9f86-29a535239e11",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.logon.id"
+ },
+ "aeac3302-fabf-4396-973b-e3129d83f10b": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Creator",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "32cabe3d-6f07-4dcd-9f86-29a535239e11",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.event_data.SubjectUserName"
+ },
+ "bf39160d-a5ee-43ec-8231-c228b273d0db": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Group",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "32cabe3d-6f07-4dcd-9f86-29a535239e11",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 20
+ },
+ "scale": "ordinal",
+ "sourceField": "group.name"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "5fd25934-f4ed-4561-8e83-22d8642198fe",
+ "key": "event.code",
+ "negate": false,
+ "params": [
+ "4799"
+ ],
+ "type": "phrases",
+ "value": "4799"
+ },
+ "query": {
+ "bool": {
+ "minimum_should_match": 1,
+ "should": [
+ {
+ "match_phrase": {
+ "event.code": "4799"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "alignment": "left",
+ "columnId": "32cabe3d-6f07-4dcd-9f86-29a535239e11"
+ },
+ {
+ "alignment": "left",
+ "columnId": "bf39160d-a5ee-43ec-8231-c228b273d0db"
+ },
+ {
+ "alignment": "left",
+ "columnId": "281b8735-ca43-45ad-b6db-bd7bcfc36ba3"
+ },
+ {
+ "alignment": "left",
+ "columnId": "aeac3302-fabf-4396-973b-e3129d83f10b"
+ },
+ {
+ "alignment": "left",
+ "columnId": "7e13870d-43ba-4c46-a8d2-fafd4d61636e"
+ }
+ ],
+ "headerRowHeight": "single",
+ "layerId": "1b283aa0-01f0-4d69-9338-1d312aa7409a",
+ "layerType": "data",
+ "paging": {
+ "enabled": true,
+ "size": 5
+ },
+ "rowHeight": "single"
+ }
+ },
+ "title": "Group Enumeration - Table [Windows System Security]",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 14,
+ "i": "42",
+ "w": 15,
+ "x": 33,
+ "y": 75
+ },
+ "panelIndex": "42",
+ "title": "Group Enumeration - Table [Windows System Security]",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {}
+ },
+ "gridData": {
+ "h": 20,
+ "i": "43",
+ "w": 21,
+ "x": 27,
+ "y": 48
+ },
+ "panelIndex": "43",
+ "panelRefName": "panel_43",
+ "title": "Logon Details [Windows System Security]",
+ "type": "search",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {}
+ },
+ "gridData": {
+ "h": 22,
+ "i": "45",
+ "w": 48,
+ "x": 0,
+ "y": 89
+ },
+ "panelIndex": "45",
+ "panelRefName": "panel_45",
+ "title": "Group Management Operations Details [Windows System Security]",
+ "type": "search",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {
+ "filter": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "description": "",
+ "params": {
+ "fontSize": 12,
+ "markdown": "[Windows Overview](#/dashboard/system-Windows-Dashboard) | [User Logon Information](#/dashboard/system-bae11b00-9bfc-11ea-87e4-49f31ec44891) | [Logon Failed and Account Lockout](#/dashboard/system-d401ef40-a7d5-11e9-a422-d144027429da) | [User Management Events](#/dashboard/system-71f720f0-ff18-11e9-8405-516218e3d268) | **Group Management Events**",
+ "openLinksInNewTab": false
+ },
+ "title": "Dashboard links [Windows System Security]",
+ "type": "markdown",
+ "uiState": {}
+ }
+ },
+ "gridData": {
+ "h": 7,
+ "i": "663e0493-2070-407b-9d00-079915cce7e7",
+ "w": 32,
+ "x": 16,
+ "y": 0
+ },
+ "panelIndex": "663e0493-2070-407b-9d00-079915cce7e7",
+ "title": "",
+ "type": "visualization",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-d498ce52-e422-4548-869e-12b54ca2a5de",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "042819ba-9576-492a-9bad-c3febb27fd0d",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "d498ce52-e422-4548-869e-12b54ca2a5de": {
+ "columnOrder": [
+ "f2f50bd0-9beb-4ed3-a1d1-39970db0d880",
+ "a30cd9e9-b0dc-4aa8-871c-57b0e2bce3f5"
+ ],
+ "columns": {
+ "a30cd9e9-b0dc-4aa8-871c-57b0e2bce3f5": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "f2f50bd0-9beb-4ed3-a1d1-39970db0d880": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "event.action: Descending",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "a30cd9e9-b0dc-4aa8-871c-57b0e2bce3f5",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "event.action"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "042819ba-9576-492a-9bad-c3febb27fd0d",
+ "key": "event.code",
+ "negate": false,
+ "params": [
+ "4731",
+ "4732",
+ "4733",
+ "4734",
+ "4735",
+ "4737",
+ "4764",
+ "4727",
+ "4728",
+ "4729",
+ "4730",
+ "4754",
+ "4755",
+ "4756",
+ "4757",
+ "4758",
+ "4799",
+ "4749",
+ "4750",
+ "4751",
+ "4752",
+ "4753",
+ "4759",
+ "4760",
+ "4761",
+ "4762",
+ "4763",
+ "4744",
+ "4745",
+ "4746",
+ "4748"
+ ],
+ "type": "phrases",
+ "value": "4731, 4732, 4733, 4734, 4735, 4737, 4764, 4727, 4728, 4729, 4730, 4754, 4755, 4756, 4757, 4758, 4799, 4749, 4750, 4751, 4752, 4753, 4759, 4760, 4761, 4762, 4763, 4744, 4745, 4746, 4748"
+ },
+ "query": {
+ "bool": {
+ "minimum_should_match": 1,
+ "should": [
+ {
+ "match_phrase": {
+ "event.code": "4731"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4732"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4733"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4734"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4735"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4737"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4764"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4727"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4728"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4729"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4730"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4754"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4755"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4756"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4757"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4758"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4799"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4749"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4750"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4751"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4752"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4753"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4759"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4760"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4761"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4762"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4763"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4744"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4745"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4746"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4748"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security"
+ },
+ "visualization": {
+ "layers": [
+ {
+ "categoryDisplay": "hide",
+ "emptySizeRatio": 0.3,
+ "layerId": "d498ce52-e422-4548-869e-12b54ca2a5de",
+ "layerType": "data",
+ "legendDisplay": "hide",
+ "legendMaxLines": 1,
+ "legendPosition": "right",
+ "legendSize": "auto",
+ "metrics": [
+ "a30cd9e9-b0dc-4aa8-871c-57b0e2bce3f5"
+ ],
+ "nestedLegend": false,
+ "numberDisplay": "percent",
+ "percentDecimals": 2,
+ "primaryGroups": [
+ "f2f50bd0-9beb-4ed3-a1d1-39970db0d880"
+ ],
+ "secondaryGroups": [],
+ "showValuesInLegend": true,
+ "truncateLegend": true
+ }
+ ],
+ "shape": "pie"
+ }
+ },
+ "title": "Group Management Events - Event Actions [Windows System Security]",
+ "type": "lens",
+ "visualizationType": "lnsPie"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 20,
+ "i": "3f7e277d-09d1-4a79-bc17-bc5da5a7e290",
+ "w": 20,
+ "x": 0,
+ "y": 7
+ },
+ "panelIndex": "3f7e277d-09d1-4a79-bc17-bc5da5a7e290",
+ "title": "Group Management Events - Event Actions [Windows System Security]",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-b1157a10-8ee7-4ce0-8fa3-3088007e12a6",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "25cdfdc0-53d7-4cf7-b982-a59694f34875",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "b1157a10-8ee7-4ce0-8fa3-3088007e12a6": {
+ "columnOrder": [
+ "db99025d-1f2b-4d05-8d3d-ad15bbcf252d",
+ "9caf1c5b-9f00-47e7-b27e-a2b631145b7f",
+ "a5c04a37-1867-4051-8eb5-848d6499a8eb"
+ ],
+ "columns": {
+ "9caf1c5b-9f00-47e7-b27e-a2b631145b7f": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "event.code",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "a5c04a37-1867-4051-8eb5-848d6499a8eb",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "event.code"
+ },
+ "a5c04a37-1867-4051-8eb5-848d6499a8eb": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "db99025d-1f2b-4d05-8d3d-ad15bbcf252d": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "event.action",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "a5c04a37-1867-4051-8eb5-848d6499a8eb",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 50
+ },
+ "scale": "ordinal",
+ "sourceField": "event.action"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "25cdfdc0-53d7-4cf7-b982-a59694f34875",
+ "key": "event.code",
+ "negate": false,
+ "params": [
+ "4731",
+ "4732",
+ "4733",
+ "4734",
+ "4735",
+ "4737",
+ "4764",
+ "4727",
+ "4728",
+ "4729",
+ "4730",
+ "4754",
+ "4755",
+ "4756",
+ "4757",
+ "4758",
+ "4799",
+ "4749",
+ "4750",
+ "4751",
+ "4752",
+ "4753",
+ "4759",
+ "4760",
+ "4761",
+ "4762",
+ "4763",
+ "4744",
+ "4745",
+ "4746",
+ "4748"
+ ],
+ "type": "phrases",
+ "value": "4731, 4732, 4733, 4734, 4735, 4737, 4764, 4727, 4728, 4729, 4730, 4754, 4755, 4756, 4757, 4758, 4799, 4749, 4750, 4751, 4752, 4753, 4759, 4760, 4761, 4762, 4763, 4744, 4745, 4746, 4748"
+ },
+ "query": {
+ "bool": {
+ "minimum_should_match": 1,
+ "should": [
+ {
+ "match_phrase": {
+ "event.code": "4731"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4732"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4733"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4734"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4735"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4737"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4764"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4727"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4728"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4729"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4730"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4754"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4755"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4756"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4757"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4758"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4799"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4749"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4750"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4751"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4752"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4753"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4759"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4760"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4761"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4762"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4763"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4744"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4745"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4746"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4748"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security"
+ },
+ "visualization": {
+ "columns": [
+ {
+ "alignment": "left",
+ "columnId": "a5c04a37-1867-4051-8eb5-848d6499a8eb"
+ },
+ {
+ "alignment": "left",
+ "columnId": "db99025d-1f2b-4d05-8d3d-ad15bbcf252d"
+ },
+ {
+ "alignment": "left",
+ "columnId": "9caf1c5b-9f00-47e7-b27e-a2b631145b7f"
+ }
+ ],
+ "headerRowHeight": "single",
+ "layerId": "b1157a10-8ee7-4ce0-8fa3-3088007e12a6",
+ "layerType": "data",
+ "paging": {
+ "enabled": true,
+ "size": 10
+ },
+ "rowHeight": "single"
+ }
+ },
+ "title": "Group Management Events - Event Actions - Table [Windows System Security]",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 20,
+ "i": "74edddd5-2dc5-41b8-b4f2-bf9c95218f1b",
+ "w": 12,
+ "x": 20,
+ "y": 7
+ },
+ "panelIndex": "74edddd5-2dc5-41b8-b4f2-bf9c95218f1b",
+ "title": "Group Management Events - Event Actions - Table [Windows System Security]",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-066e9369-184c-4225-b244-7e8d029e52c1",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "066e9369-184c-4225-b244-7e8d029e52c1": {
+ "columnOrder": [
+ "08302e5a-7a5e-4352-9ff3-2ce5b44cbed8",
+ "603e57fe-6201-45e9-940c-860540f0c65d"
+ ],
+ "columns": {
+ "08302e5a-7a5e-4352-9ff3-2ce5b44cbed8": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Target Groups",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "603e57fe-6201-45e9-940c-860540f0c65d",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "group.name"
+ },
+ "603e57fe-6201-45e9-940c-860540f0c65d": {
+ "customLabel": false,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "603e57fe-6201-45e9-940c-860540f0c65d"
+ ],
+ "layerId": "066e9369-184c-4225-b244-7e8d029e52c1",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "bar_horizontal",
+ "showGridlines": false,
+ "xAccessor": "08302e5a-7a5e-4352-9ff3-2ce5b44cbed8"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right"
+ },
+ "preferredSeriesType": "bar_horizontal",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 20,
+ "i": "3016efc8-187d-4630-892d-af2160a584d7",
+ "w": 16,
+ "x": 32,
+ "y": 7
+ },
+ "panelIndex": "3016efc8-187d-4630-892d-af2160a584d7",
+ "title": "Group Management Events - Target Groups [Windows System Security]",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-d80f3769-ceeb-46ac-888d-8177bbbfa43c",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "5e7b0749-4021-4e07-a255-71965ec7f574",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "d80f3769-ceeb-46ac-888d-8177bbbfa43c": {
+ "columnOrder": [
+ "be908dc7-f6ac-4c18-aa16-9f95629da6f4",
+ "24b9ffd8-1bb0-4c0b-a1d4-f2f8ef4083c0",
+ "3189a302-09f6-44a0-9a0a-049c578c4b18"
+ ],
+ "columns": {
+ "24b9ffd8-1bb0-4c0b-a1d4-f2f8ef4083c0": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Actions",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "3189a302-09f6-44a0-9a0a-049c578c4b18",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "event.action"
+ },
+ "3189a302-09f6-44a0-9a0a-049c578c4b18": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "be908dc7-f6ac-4c18-aa16-9f95629da6f4": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Target Groups",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "3189a302-09f6-44a0-9a0a-049c578c4b18",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 20
+ },
+ "scale": "ordinal",
+ "sourceField": "group.name"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "5e7b0749-4021-4e07-a255-71965ec7f574",
+ "key": "event.code",
+ "negate": false,
+ "params": [
+ "4731",
+ "4732",
+ "4733",
+ "4734",
+ "4735",
+ "4737",
+ "4764",
+ "4727",
+ "4728",
+ "4729",
+ "4730",
+ "4754",
+ "4755",
+ "4756",
+ "4757",
+ "4758",
+ "4799",
+ "4749",
+ "4750",
+ "4751",
+ "4752",
+ "4753",
+ "4759",
+ "4760",
+ "4761",
+ "4762",
+ "4763",
+ "4744",
+ "4745",
+ "4746",
+ "4748"
+ ],
+ "type": "phrases",
+ "value": "4731, 4732, 4733, 4734, 4735, 4737, 4764, 4727, 4728, 4729, 4730, 4754, 4755, 4756, 4757, 4758, 4799, 4749, 4750, 4751, 4752, 4753, 4759, 4760, 4761, 4762, 4763, 4744, 4745, 4746, 4748"
+ },
+ "query": {
+ "bool": {
+ "minimum_should_match": 1,
+ "should": [
+ {
+ "match_phrase": {
+ "event.code": "4731"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4732"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4733"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4734"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4735"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4737"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4764"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4727"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4728"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4729"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4730"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4754"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4755"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4756"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4757"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4758"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4799"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4749"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4750"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4751"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4752"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4753"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4759"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4760"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4761"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4762"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4763"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4744"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4745"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4746"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4748"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security"
+ },
+ "visualization": {
+ "gridConfig": {
+ "isCellLabelVisible": true,
+ "isXAxisLabelVisible": true,
+ "isXAxisTitleVisible": true,
+ "isYAxisLabelVisible": true,
+ "isYAxisTitleVisible": true,
+ "type": "heatmap_grid"
+ },
+ "layerId": "d80f3769-ceeb-46ac-888d-8177bbbfa43c",
+ "layerType": "data",
+ "legend": {
+ "position": "right",
+ "type": "heatmap_legend"
+ },
+ "palette": {
+ "accessor": "3189a302-09f6-44a0-9a0a-049c578c4b18",
+ "name": "custom",
+ "params": {
+ "colorStops": [
+ {
+ "color": "#F7FBFF",
+ "stop": 0
+ },
+ {
+ "color": "#C3DBEE",
+ "stop": 25
+ },
+ {
+ "color": "#6DAED5",
+ "stop": 50
+ },
+ {
+ "color": "#2271B3",
+ "stop": 75
+ }
+ ],
+ "continuity": "none",
+ "maxSteps": 5,
+ "name": "custom",
+ "progression": "fixed",
+ "rangeMax": 100,
+ "rangeMin": 0,
+ "rangeType": "percent",
+ "reverse": false,
+ "stops": [
+ {
+ "color": "#F7FBFF",
+ "stop": 25
+ },
+ {
+ "color": "#C3DBEE",
+ "stop": 50
+ },
+ {
+ "color": "#6DAED5",
+ "stop": 75
+ },
+ {
+ "color": "#2271B3",
+ "stop": 100
+ }
+ ]
+ },
+ "type": "palette"
+ },
+ "shape": "heatmap",
+ "valueAccessor": "3189a302-09f6-44a0-9a0a-049c578c4b18",
+ "xAccessor": "be908dc7-f6ac-4c18-aa16-9f95629da6f4",
+ "yAccessor": "24b9ffd8-1bb0-4c0b-a1d4-f2f8ef4083c0"
+ }
+ },
+ "title": "Group Management Events - Groups vs Actions - Heatmap [Windows System Security]",
+ "type": "lens",
+ "visualizationType": "lnsHeatmap"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 21,
+ "i": "33cef054-615a-49cb-bb2e-eb55fab96ae5",
+ "w": 27,
+ "x": 0,
+ "y": 27
+ },
+ "panelIndex": "33cef054-615a-49cb-bb2e-eb55fab96ae5",
+ "title": "Group Management Events - Groups vs Actions - Heatmap [Windows System Security]",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-f3ae7a76-3702-4e40-aa81-849598fa2b3c",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "b7ec06e9-b2f3-4ec6-813b-e8cc45150c28",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "f3ae7a76-3702-4e40-aa81-849598fa2b3c": {
+ "columnOrder": [
+ "04168b99-2dd3-40c8-b444-bc949803664e",
+ "f7b7059a-8e4d-4538-b28f-35d597944976",
+ "27e21c84-c884-4a36-8e48-88d42cdc286d"
+ ],
+ "columns": {
+ "04168b99-2dd3-40c8-b444-bc949803664e": {
+ "customLabel": true,
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": false,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "27e21c84-c884-4a36-8e48-88d42cdc286d": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "f7b7059a-8e4d-4538-b28f-35d597944976": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "event.action: Descending",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "27e21c84-c884-4a36-8e48-88d42cdc286d",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 25
+ },
+ "scale": "ordinal",
+ "sourceField": "event.action"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "b7ec06e9-b2f3-4ec6-813b-e8cc45150c28",
+ "key": "event.code",
+ "negate": false,
+ "params": [
+ "4731",
+ "4732",
+ "4733",
+ "4734",
+ "4735",
+ "4737",
+ "4764",
+ "4727",
+ "4728",
+ "4729",
+ "4730",
+ "4754",
+ "4755",
+ "4756",
+ "4757",
+ "4758",
+ "4799",
+ "4749",
+ "4750",
+ "4751",
+ "4752",
+ "4753",
+ "4759",
+ "4760",
+ "4761",
+ "4762",
+ "4763",
+ "4744",
+ "4745",
+ "4746",
+ "4748"
+ ],
+ "type": "phrases",
+ "value": "4731, 4732, 4733, 4734, 4735, 4737, 4764, 4727, 4728, 4729, 4730, 4754, 4755, 4756, 4757, 4758, 4799, 4749, 4750, 4751, 4752, 4753, 4759, 4760, 4761, 4762, 4763, 4744, 4745, 4746, 4748"
+ },
+ "query": {
+ "bool": {
+ "minimum_should_match": 1,
+ "should": [
+ {
+ "match_phrase": {
+ "event.code": "4731"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4732"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4733"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4734"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4735"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4737"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4764"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4727"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4728"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4729"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4730"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4754"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4755"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4756"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4757"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4758"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4799"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4749"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4750"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4751"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4752"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4753"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4759"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4760"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4761"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4762"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4763"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4744"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4745"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4746"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4748"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security"
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "curveType": "LINEAR",
+ "gridlinesVisibilitySettings": {
+ "x": false,
+ "yLeft": false,
+ "yRight": false
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": -90
+ },
+ "layers": [
+ {
+ "accessors": [
+ "27e21c84-c884-4a36-8e48-88d42cdc286d"
+ ],
+ "isHistogram": true,
+ "layerId": "f3ae7a76-3702-4e40-aa81-849598fa2b3c",
+ "layerType": "data",
+ "seriesType": "bar_stacked",
+ "simpleView": false,
+ "splitAccessor": "f7b7059a-8e4d-4538-b28f-35d597944976",
+ "xAccessor": "04168b99-2dd3-40c8-b444-bc949803664e",
+ "xScaleType": "time",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "forAccessor": "27e21c84-c884-4a36-8e48-88d42cdc286d"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "legendSize": "auto",
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "showCurrentTimeMarker": false,
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": false,
+ "yLeftExtent": {
+ "enforce": true,
+ "mode": "full"
+ },
+ "yLeftScale": "linear",
+ "yRightScale": "linear",
+ "yTitle": "Count"
+ }
+ },
+ "title": "Group Management Action Distribution over Time [Windows System Security]",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 21,
+ "i": "e0d495aa-f897-403f-815b-6116fae330b7",
+ "w": 21,
+ "x": 27,
+ "y": 27
+ },
+ "panelIndex": "e0d495aa-f897-403f-815b-6116fae330b7",
+ "title": "Group Management Action Distribution over Time [Windows System Security]",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_logs-*/@timestamp": {
+ "allowNoIndex": false,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_logs-*/@timestamp",
+ "name": "logs-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "logs-*"
+ }
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "acb39e04-812e-47cc-b982-fabce6e6ec94": {
+ "columnOrder": [
+ "628ee1fd-9f6f-4c72-b373-49fccf7806ba"
+ ],
+ "columns": {
+ "628ee1fd-9f6f-4c72-b373-49fccf7806ba": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "event.code:4731 OR event.code:4727 OR event.code:\"4754\" OR event.code:\"4749\" OR event.code:\"4759\" OR event.code:\"4744\" OR event.code:\"4783\" OR event.code:\"4790\""
+ },
+ "isBucketed": false,
+ "label": "Groups Created",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "tsvb_ad_hoc_logs-*/@timestamp",
+ "name": "indexpattern-datasource-layer-acb39e04-812e-47cc-b982-fabce6e6ec94",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "accessor": "628ee1fd-9f6f-4c72-b373-49fccf7806ba",
+ "colorMode": "Background",
+ "layerId": "acb39e04-812e-47cc-b982-fabce6e6ec94",
+ "layerType": "data",
+ "palette": {
+ "name": "custom",
+ "params": {
+ "colorStops": [
+ {
+ "color": "#D0D0D0",
+ "stop": null
+ },
+ {
+ "color": "#cc5642",
+ "stop": 1
+ }
+ ],
+ "continuity": "all",
+ "maxSteps": 5,
+ "name": "custom",
+ "progression": "fixed",
+ "rangeMax": null,
+ "rangeMin": null,
+ "rangeType": "number",
+ "reverse": false,
+ "steps": 3,
+ "stops": [
+ {
+ "color": "#D0D0D0",
+ "stop": 1
+ },
+ {
+ "color": "#cc5642",
+ "stop": 2
+ }
+ ]
+ },
+ "type": "palette"
+ }
+ }
+ },
+ "title": "TSVB visualization",
+ "type": "lens",
+ "visualizationType": "lnsLegacyMetric"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 7,
+ "i": "e861343c-a5c9-4a8f-aacf-175a2d697587",
+ "w": 9,
+ "x": 0,
+ "y": 48
+ },
+ "panelIndex": "e861343c-a5c9-4a8f-aacf-175a2d697587",
+ "title": "",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_logs-*/@timestamp": {
+ "allowNoIndex": false,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_logs-*/@timestamp",
+ "name": "logs-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "logs-*"
+ }
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "87aea4f8-5513-4348-b6e3-3f15ef52448f": {
+ "columnOrder": [
+ "442cce25-7692-4749-9adb-c342d5fcdecd"
+ ],
+ "columns": {
+ "442cce25-7692-4749-9adb-c342d5fcdecd": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "event.code:4735 OR event.code:4737 OR event.code:\"4755\" OR event.code:\"4764\" OR event.code:\"4750\" OR event.code:\"4760\" OR event.code:\"4745\" OR event.code:\"4784\" OR event.code:\"4791\""
+ },
+ "isBucketed": false,
+ "label": "Groups Changed",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "tsvb_ad_hoc_logs-*/@timestamp",
+ "name": "indexpattern-datasource-layer-87aea4f8-5513-4348-b6e3-3f15ef52448f",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "accessor": "442cce25-7692-4749-9adb-c342d5fcdecd",
+ "colorMode": "Background",
+ "layerId": "87aea4f8-5513-4348-b6e3-3f15ef52448f",
+ "layerType": "data",
+ "palette": {
+ "name": "custom",
+ "params": {
+ "colorStops": [
+ {
+ "color": "#D0D0D0",
+ "stop": null
+ },
+ {
+ "color": "#d6bf57",
+ "stop": 1
+ }
+ ],
+ "continuity": "all",
+ "maxSteps": 5,
+ "name": "custom",
+ "progression": "fixed",
+ "rangeMax": null,
+ "rangeMin": null,
+ "rangeType": "number",
+ "reverse": false,
+ "steps": 3,
+ "stops": [
+ {
+ "color": "#D0D0D0",
+ "stop": 1
+ },
+ {
+ "color": "#d6bf57",
+ "stop": 104
+ }
+ ]
+ },
+ "type": "palette"
+ }
+ }
+ },
+ "title": "TSVB visualization",
+ "type": "lens",
+ "visualizationType": "lnsLegacyMetric"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 7,
+ "i": "36142fad-01b3-43eb-a7c5-1b71fa6aa3bc",
+ "w": 9,
+ "x": 9,
+ "y": 48
+ },
+ "panelIndex": "36142fad-01b3-43eb-a7c5-1b71fa6aa3bc",
+ "title": "",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_logs-*/@timestamp": {
+ "allowNoIndex": false,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_logs-*/@timestamp",
+ "name": "logs-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "logs-*"
+ }
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "52b8f6c3-23ba-42d7-94b3-b28380016e21": {
+ "columnOrder": [
+ "e9922ed6-8940-4348-975a-39c8a936a46c"
+ ],
+ "columns": {
+ "e9922ed6-8940-4348-975a-39c8a936a46c": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "event.code:4734 OR event.code:4730 OR event.code:4758 OR event.code:4753 OR event.code:4763 OR event.code:4748 OR event.code:4789 OR event.code:4792"
+ },
+ "isBucketed": false,
+ "label": "Groups Deleted",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "tsvb_ad_hoc_logs-*/@timestamp",
+ "name": "indexpattern-datasource-layer-52b8f6c3-23ba-42d7-94b3-b28380016e21",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "accessor": "e9922ed6-8940-4348-975a-39c8a936a46c",
+ "colorMode": "Background",
+ "layerId": "52b8f6c3-23ba-42d7-94b3-b28380016e21",
+ "layerType": "data",
+ "palette": {
+ "name": "custom",
+ "params": {
+ "colorStops": [
+ {
+ "color": "#D0D0D0",
+ "stop": null
+ },
+ {
+ "color": "#DA8B45",
+ "stop": 1
+ }
+ ],
+ "continuity": "all",
+ "maxSteps": 5,
+ "name": "custom",
+ "progression": "fixed",
+ "rangeMax": null,
+ "rangeMin": null,
+ "rangeType": "number",
+ "reverse": false,
+ "steps": 3,
+ "stops": [
+ {
+ "color": "#D0D0D0",
+ "stop": 1
+ },
+ {
+ "color": "#DA8B45",
+ "stop": 2
+ }
+ ]
+ },
+ "type": "palette"
+ }
+ }
+ },
+ "title": "TSVB visualization",
+ "type": "lens",
+ "visualizationType": "lnsLegacyMetric"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 7,
+ "i": "b03662fb-926d-49e0-b543-18ae6f526395",
+ "w": 9,
+ "x": 18,
+ "y": 48
+ },
+ "panelIndex": "b03662fb-926d-49e0-b543-18ae6f526395",
+ "title": "",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_logs-*/@timestamp": {
+ "allowNoIndex": false,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_logs-*/@timestamp",
+ "name": "logs-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "logs-*"
+ }
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "914f2ede-b9f6-4cb5-8b54-f4bcd6be6466": {
+ "columnOrder": [
+ "f8c7d2ef-cd6e-4aa7-a912-7bebc89579f4"
+ ],
+ "columns": {
+ "f8c7d2ef-cd6e-4aa7-a912-7bebc89579f4": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "event.code:4731 OR event.code:4727 OR event.code:\"4754\" OR event.code:\"4749\" OR event.code:\"4759\" OR event.code:\"4744\" OR event.code:\"4783\" OR event.code:\"4790\""
+ },
+ "isBucketed": false,
+ "label": "Users Added to Group",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "tsvb_ad_hoc_logs-*/@timestamp",
+ "name": "indexpattern-datasource-layer-914f2ede-b9f6-4cb5-8b54-f4bcd6be6466",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "accessor": "f8c7d2ef-cd6e-4aa7-a912-7bebc89579f4",
+ "colorMode": "Background",
+ "layerId": "914f2ede-b9f6-4cb5-8b54-f4bcd6be6466",
+ "layerType": "data",
+ "palette": {
+ "name": "custom",
+ "params": {
+ "colorStops": [
+ {
+ "color": "#D0D0D0",
+ "stop": null
+ },
+ {
+ "color": "#AA6556",
+ "stop": 0
+ }
+ ],
+ "continuity": "all",
+ "maxSteps": 5,
+ "name": "custom",
+ "progression": "fixed",
+ "rangeMax": null,
+ "rangeMin": null,
+ "rangeType": "number",
+ "reverse": false,
+ "steps": 3,
+ "stops": [
+ {
+ "color": "#D0D0D0",
+ "stop": 0
+ },
+ {
+ "color": "#AA6556",
+ "stop": 1
+ }
+ ]
+ },
+ "type": "palette"
+ }
+ }
+ },
+ "title": "TSVB visualization",
+ "type": "lens",
+ "visualizationType": "lnsLegacyMetric"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 7,
+ "i": "744ba653-cbed-4af4-8114-ebe20b7ce075",
+ "w": 16,
+ "x": 0,
+ "y": 68
+ },
+ "panelIndex": "744ba653-cbed-4af4-8114-ebe20b7ce075",
+ "title": "",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_logs-*/@timestamp": {
+ "allowNoIndex": false,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_logs-*/@timestamp",
+ "name": "logs-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "logs-*"
+ }
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "b646c7ff-6c54-479c-af9a-882661bac81d": {
+ "columnOrder": [
+ "2ecb3e68-af02-4281-9a6d-f4ca2a460626"
+ ],
+ "columns": {
+ "2ecb3e68-af02-4281-9a6d-f4ca2a460626": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "event.code:4733 OR event.code:4729 OR event.code:4788 OR event.code:4786 OR event.code:4752 OR event.code:4762 OR event.code:4747"
+ },
+ "isBucketed": false,
+ "label": "Users Removed from Group",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "tsvb_ad_hoc_logs-*/@timestamp",
+ "name": "indexpattern-datasource-layer-b646c7ff-6c54-479c-af9a-882661bac81d",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "accessor": "2ecb3e68-af02-4281-9a6d-f4ca2a460626",
+ "colorMode": "Background",
+ "layerId": "b646c7ff-6c54-479c-af9a-882661bac81d",
+ "layerType": "data",
+ "palette": {
+ "name": "custom",
+ "params": {
+ "colorStops": [
+ {
+ "color": "#D0D0D0",
+ "stop": null
+ },
+ {
+ "color": "#DA8B45",
+ "stop": 1
+ }
+ ],
+ "continuity": "all",
+ "maxSteps": 5,
+ "name": "custom",
+ "progression": "fixed",
+ "rangeMax": null,
+ "rangeMin": null,
+ "rangeType": "number",
+ "reverse": false,
+ "steps": 3,
+ "stops": [
+ {
+ "color": "#D0D0D0",
+ "stop": 1
+ },
+ {
+ "color": "#DA8B45",
+ "stop": 2
+ }
+ ]
+ },
+ "type": "palette"
+ }
+ }
+ },
+ "title": "TSVB visualization",
+ "type": "lens",
+ "visualizationType": "lnsLegacyMetric"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 7,
+ "i": "81b505b6-9694-40ed-8800-dfc5f41af3c8",
+ "w": 17,
+ "x": 16,
+ "y": 68
+ },
+ "panelIndex": "81b505b6-9694-40ed-8800-dfc5f41af3c8",
+ "title": "",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_logs-*/@timestamp": {
+ "allowNoIndex": false,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_logs-*/@timestamp",
+ "name": "logs-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "logs-*"
+ }
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "92834d49-5d90-4296-a0e8-331ac3426c63": {
+ "columnOrder": [
+ "e4ff5d2c-bdd4-4c47-ada1-129834297614"
+ ],
+ "columns": {
+ "e4ff5d2c-bdd4-4c47-ada1-129834297614": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "event.code:4799"
+ },
+ "isBucketed": false,
+ "label": "Group Membership Enumeration",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "tsvb_ad_hoc_logs-*/@timestamp",
+ "name": "indexpattern-datasource-layer-92834d49-5d90-4296-a0e8-331ac3426c63",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "accessor": "e4ff5d2c-bdd4-4c47-ada1-129834297614",
+ "colorMode": "Background",
+ "layerId": "92834d49-5d90-4296-a0e8-331ac3426c63",
+ "layerType": "data",
+ "palette": {
+ "name": "custom",
+ "params": {
+ "colorStops": [
+ {
+ "color": "#D0D0D0",
+ "stop": null
+ },
+ {
+ "color": "#808080",
+ "stop": 1
+ }
+ ],
+ "continuity": "all",
+ "maxSteps": 5,
+ "name": "custom",
+ "progression": "fixed",
+ "rangeMax": null,
+ "rangeMin": null,
+ "rangeType": "number",
+ "reverse": false,
+ "steps": 3,
+ "stops": [
+ {
+ "color": "#D0D0D0",
+ "stop": 1
+ },
+ {
+ "color": "#808080",
+ "stop": 71658
+ }
+ ]
+ },
+ "type": "palette"
+ }
+ }
+ },
+ "title": "TSVB visualization",
+ "type": "lens",
+ "visualizationType": "lnsLegacyMetric"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 7,
+ "i": "2c3d475b-54d9-472a-b97a-03a37d7c944b",
+ "w": 15,
+ "x": 33,
+ "y": 68
+ },
+ "panelIndex": "2c3d475b-54d9-472a-b97a-03a37d7c944b",
+ "title": "",
+ "type": "lens",
+ "version": "8.7.0"
+ }
+ ],
+ "timeRestore": false,
+ "title": "[System Windows Security] Group Management Events",
+ "version": 1
+ },
+ "coreMigrationVersion": "8.7.1",
+ "created_at": "2023-05-04T21:59:59.346Z",
+ "id": "system-bb858830-f412-11e9-8405-516218e3d268",
+ "migrationVersion": {
+ "dashboard": "8.7.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "36:indexpattern-datasource-layer-bd7f857d-8824-4cfa-b6a9-85f4efdc2623",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "36:a19c4278-5416-4446-99a1-0c0b841ad56b",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "37:indexpattern-datasource-layer-b600888f-707d-4333-b65c-64ccd1512086",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "37:c1e670c6-0a4d-4954-82f9-51dc32e07139",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "38:indexpattern-datasource-layer-4f4fa0d5-5ea9-45ba-9214-d1fe2310876f",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "38:3d460e27-249d-4c99-831f-193ccd17f8f4",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "39:indexpattern-datasource-layer-ec211cdc-aeae-4682-9cc8-deec18aee3d1",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "39:dcdfe597-2586-47d7-a08a-d204f5caebbb",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "40:indexpattern-datasource-layer-ac94b4e8-791d-42c3-923b-d871496199d8",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "40:ba9b962b-bc66-4c05-89c7-bbcfea69b19d",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "42:indexpattern-datasource-layer-1b283aa0-01f0-4d69-9338-1d312aa7409a",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "42:5fd25934-f4ed-4561-8e83-22d8642198fe",
+ "type": "index-pattern"
+ },
+ {
+ "id": "system-7e178c80-fee1-11e9-8405-516218e3d268",
+ "name": "43:panel_43",
+ "type": "search"
+ },
+ {
+ "id": "system-9066d5b0-fef2-11e9-8405-516218e3d268",
+ "name": "45:panel_45",
+ "type": "search"
+ },
+ {
+ "id": "logs-*",
+ "name": "3f7e277d-09d1-4a79-bc17-bc5da5a7e290:indexpattern-datasource-layer-d498ce52-e422-4548-869e-12b54ca2a5de",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "3f7e277d-09d1-4a79-bc17-bc5da5a7e290:042819ba-9576-492a-9bad-c3febb27fd0d",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "74edddd5-2dc5-41b8-b4f2-bf9c95218f1b:indexpattern-datasource-layer-b1157a10-8ee7-4ce0-8fa3-3088007e12a6",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "74edddd5-2dc5-41b8-b4f2-bf9c95218f1b:25cdfdc0-53d7-4cf7-b982-a59694f34875",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "3016efc8-187d-4630-892d-af2160a584d7:indexpattern-datasource-layer-066e9369-184c-4225-b244-7e8d029e52c1",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "33cef054-615a-49cb-bb2e-eb55fab96ae5:indexpattern-datasource-layer-d80f3769-ceeb-46ac-888d-8177bbbfa43c",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "33cef054-615a-49cb-bb2e-eb55fab96ae5:5e7b0749-4021-4e07-a255-71965ec7f574",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "e0d495aa-f897-403f-815b-6116fae330b7:indexpattern-datasource-layer-f3ae7a76-3702-4e40-aa81-849598fa2b3c",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "e0d495aa-f897-403f-815b-6116fae330b7:b7ec06e9-b2f3-4ec6-813b-e8cc45150c28",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "dashboard"
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/kibana/dashboard/system-d401ef40-a7d5-11e9-a422-d144027429da.json b/test/packages/parallel/system/kibana/dashboard/system-d401ef40-a7d5-11e9-a422-d144027429da.json
new file mode 100644
index 000000000..09439c5f0
--- /dev/null
+++ b/test/packages/parallel/system/kibana/dashboard/system-d401ef40-a7d5-11e9-a422-d144027429da.json
@@ -0,0 +1,1832 @@
+{
+ "attributes": {
+ "description": "Failed and blocked accounts.",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": [
+ "system.security",
+ "windows.forwarded",
+ "windows.security"
+ ],
+ "type": "phrases"
+ },
+ "query": {
+ "bool": {
+ "minimum_should_match": 1,
+ "should": [
+ {
+ "match_phrase": {
+ "data_stream.dataset": "system.security"
+ }
+ },
+ {
+ "match_phrase": {
+ "data_stream.dataset": "windows.forwarded"
+ }
+ },
+ {
+ "match_phrase": {
+ "data_stream.dataset": "windows.security"
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
+ "key": "winlog.provider_name",
+ "negate": false,
+ "params": {
+ "query": "Microsoft-Windows-Security-Auditing"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "winlog.provider_name": "Microsoft-Windows-Security-Auditing"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "optionsJSON": {
+ "hidePanelTitles": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false,
+ "useMargins": false
+ },
+ "panelsJSON": [
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {
+ "filter": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "description": "",
+ "params": {
+ "fontSize": 10,
+ "markdown": "### **Failed Logons and Account Lockouts**",
+ "openLinksInNewTab": false
+ },
+ "title": "Failed Logon and Account Lockout [Windows System Security]",
+ "type": "markdown",
+ "uiState": {}
+ }
+ },
+ "gridData": {
+ "h": 7,
+ "i": "1",
+ "w": 14,
+ "x": 0,
+ "y": 0
+ },
+ "panelIndex": "1",
+ "title": "",
+ "type": "visualization",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-51928276-cada-4ce4-8054-672e298c095f",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "c5560265-9668-4020-acf5-2f125a50e192",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "51928276-cada-4ce4-8054-672e298c095f": {
+ "columnOrder": [
+ "07d2d99e-f8e9-4d2c-9361-637a3e327459",
+ "1e7f30e1-cab2-4099-a7c1-6debb680be54"
+ ],
+ "columns": {
+ "07d2d99e-f8e9-4d2c-9361-637a3e327459": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Filters",
+ "operationType": "filters",
+ "params": {
+ "filters": [
+ {
+ "input": {
+ "language": "lucene",
+ "query": "event.code: 4624"
+ },
+ "label": "Successful Logon"
+ },
+ {
+ "input": {
+ "language": "lucene",
+ "query": "event.code: 4625"
+ },
+ "label": "Failed Logons"
+ }
+ ]
+ },
+ "scale": "ordinal"
+ },
+ "1e7f30e1-cab2-4099-a7c1-6debb680be54": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "c5560265-9668-4020-acf5-2f125a50e192",
+ "key": "winlog.provider_name",
+ "negate": false,
+ "params": {
+ "query": "Microsoft-Windows-Security-Auditing"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "winlog.provider_name": "Microsoft-Windows-Security-Auditing"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "layers": [
+ {
+ "categoryDisplay": "hide",
+ "emptySizeRatio": 0.3,
+ "layerId": "51928276-cada-4ce4-8054-672e298c095f",
+ "layerType": "data",
+ "legendDisplay": "show",
+ "legendMaxLines": 1,
+ "legendPosition": "bottom",
+ "legendSize": "auto",
+ "metrics": [
+ "1e7f30e1-cab2-4099-a7c1-6debb680be54"
+ ],
+ "nestedLegend": false,
+ "numberDisplay": "percent",
+ "percentDecimals": 2,
+ "primaryGroups": [
+ "07d2d99e-f8e9-4d2c-9361-637a3e327459"
+ ],
+ "secondaryGroups": [],
+ "showValuesInLegend": true,
+ "truncateLegend": true
+ }
+ ],
+ "shape": "pie"
+ }
+ },
+ "title": "Logon Successful vs Failed [Windows System Security]",
+ "type": "lens",
+ "visualizationType": "lnsPie"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 18,
+ "i": "2",
+ "w": 12,
+ "x": 0,
+ "y": 7
+ },
+ "panelIndex": "2",
+ "title": "Logon Successful vs Failed [Windows System Security]",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "savedVis": {
+ "data": {
+ "aggs": [
+ {
+ "enabled": true,
+ "id": "1",
+ "params": {},
+ "schema": "metric",
+ "type": "count"
+ },
+ {
+ "enabled": true,
+ "id": "2",
+ "params": {
+ "field": "winlog.event_data.TargetUserName",
+ "missingBucket": false,
+ "missingBucketLabel": "Missing",
+ "order": "desc",
+ "orderBy": "1",
+ "otherBucket": false,
+ "otherBucketLabel": "Other",
+ "size": 20
+ },
+ "schema": "segment",
+ "type": "terms"
+ }
+ ],
+ "searchSource": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4740"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match": {
+ "event.code": {
+ "query": "4740",
+ "type": "phrase"
+ }
+ }
+ }
+ }
+ ],
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security "
+ }
+ }
+ },
+ "description": "",
+ "params": {
+ "bucket": {
+ "accessor": 0,
+ "format": {
+ "id": "terms",
+ "params": {
+ "id": "string",
+ "missingBucketLabel": "Missing",
+ "otherBucketLabel": "Other",
+ "parsedUrl": {
+ "basePath": "/s/siem",
+ "origin": "https://192.168.1.72:5601",
+ "pathname": "/s/siem/app/kibana"
+ }
+ }
+ },
+ "type": "vis_dimension"
+ },
+ "maxFontSize": 53,
+ "metric": {
+ "accessor": 1,
+ "format": {
+ "id": "string",
+ "params": {}
+ },
+ "type": "vis_dimension"
+ },
+ "minFontSize": 18,
+ "orientation": "single",
+ "scale": "linear",
+ "showLabel": false
+ },
+ "title": "Blocked Accounts Tag [Windows System Security]",
+ "type": "tagcloud",
+ "uiState": {}
+ }
+ },
+ "gridData": {
+ "h": 21,
+ "i": "3",
+ "w": 12,
+ "x": 12,
+ "y": 35
+ },
+ "panelIndex": "3",
+ "title": "Blocked Acoounts",
+ "type": "visualization",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-892d74e5-47d2-4c42-80d9-4bc979530ef2",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "14b89fc0-8a6c-47a7-b5e3-516699233c61",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "892d74e5-47d2-4c42-80d9-4bc979530ef2": {
+ "columnOrder": [
+ "8b1cbfde-e270-446d-a789-2a1d26f4480a",
+ "37216882-b7d2-4179-af7f-9bd64d35e0bd",
+ "50c2ab55-2ea4-4bd9-a7fd-3037baaea103"
+ ],
+ "columns": {
+ "37216882-b7d2-4179-af7f-9bd64d35e0bd": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Filters",
+ "operationType": "filters",
+ "params": {
+ "filters": [
+ {
+ "input": {
+ "language": "lucene",
+ "query": "event.code: 4624"
+ },
+ "label": "Logon Successful"
+ },
+ {
+ "input": {
+ "language": "lucene",
+ "query": "event.code: 4625"
+ },
+ "label": "Logon Failed"
+ }
+ ]
+ },
+ "scale": "ordinal"
+ },
+ "50c2ab55-2ea4-4bd9-a7fd-3037baaea103": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "8b1cbfde-e270-446d-a789-2a1d26f4480a": {
+ "customLabel": true,
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": false,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "14b89fc0-8a6c-47a7-b5e3-516699233c61",
+ "key": "winlog.provider_name",
+ "negate": false,
+ "params": {
+ "query": "Microsoft-Windows-Security-Auditing"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "winlog.provider_name": "Microsoft-Windows-Security-Auditing"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "curveType": "LINEAR",
+ "gridlinesVisibilitySettings": {
+ "x": false,
+ "yLeft": false,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": -90
+ },
+ "layers": [
+ {
+ "accessors": [
+ "50c2ab55-2ea4-4bd9-a7fd-3037baaea103"
+ ],
+ "isHistogram": true,
+ "layerId": "892d74e5-47d2-4c42-80d9-4bc979530ef2",
+ "layerType": "data",
+ "seriesType": "bar_stacked",
+ "simpleView": false,
+ "splitAccessor": "37216882-b7d2-4179-af7f-9bd64d35e0bd",
+ "xAccessor": "8b1cbfde-e270-446d-a789-2a1d26f4480a",
+ "xScaleType": "time",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "forAccessor": "50c2ab55-2ea4-4bd9-a7fd-3037baaea103"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "legendSize": "auto",
+ "maxLines": 1,
+ "position": "bottom",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "showCurrentTimeMarker": false,
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": false,
+ "yLeftExtent": {
+ "enforce": true,
+ "mode": "full"
+ },
+ "yLeftScale": "linear",
+ "yRightScale": "linear",
+ "yTitle": "Count"
+ }
+ },
+ "title": "Logon Successful - Logon Failed Timeline [Windows System Security]",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 18,
+ "i": "4",
+ "w": 23,
+ "x": 12,
+ "y": 7
+ },
+ "panelIndex": "4",
+ "title": "Logon Successful - Logon Failed Timeline [Windows System Security]",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "savedVis": {
+ "data": {
+ "aggs": [
+ {
+ "enabled": true,
+ "id": "1",
+ "params": {},
+ "schema": "metric",
+ "type": "count"
+ },
+ {
+ "enabled": true,
+ "id": "2",
+ "params": {
+ "field": "user.name",
+ "missingBucket": false,
+ "missingBucketLabel": "Missing",
+ "order": "desc",
+ "orderBy": "1",
+ "otherBucket": false,
+ "otherBucketLabel": "Other",
+ "size": 10
+ },
+ "schema": "segment",
+ "type": "terms"
+ }
+ ],
+ "searchSource": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "event.code",
+ "negate": false,
+ "params": [
+ "4625",
+ "4771"
+ ],
+ "type": "phrases",
+ "value": "4625, 4771"
+ },
+ "query": {
+ "bool": {
+ "minimum_should_match": 1,
+ "should": [
+ {
+ "match_phrase": {
+ "event.code": "4625"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4771"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "description": "",
+ "params": {
+ "bucket": {
+ "accessor": 0,
+ "format": {
+ "id": "terms",
+ "params": {
+ "id": "string",
+ "missingBucketLabel": "Missing",
+ "otherBucketLabel": "Other",
+ "parsedUrl": {
+ "basePath": "/s/siem",
+ "origin": "https://192.168.1.72:5601",
+ "pathname": "/s/siem/app/kibana"
+ }
+ }
+ },
+ "type": "vis_dimension"
+ },
+ "maxFontSize": 37,
+ "metric": {
+ "accessor": 1,
+ "format": {
+ "id": "string",
+ "params": {}
+ },
+ "type": "vis_dimension"
+ },
+ "minFontSize": 15,
+ "orientation": "single",
+ "scale": "linear",
+ "showLabel": false
+ },
+ "title": "Logon Failed Acconts [Windows System Security]",
+ "type": "tagcloud",
+ "uiState": {}
+ }
+ },
+ "gridData": {
+ "h": 21,
+ "i": "5",
+ "w": 12,
+ "x": 0,
+ "y": 35
+ },
+ "panelIndex": "5",
+ "type": "visualization",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-0ca1181c-9c17-4b68-9da9-e90032ba66a0",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "4a5e2651-5d45-4b6b-a761-c8cb22fb8a70",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "662ad73f-d904-4d2c-86b0-d677879a602c",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "0ca1181c-9c17-4b68-9da9-e90032ba66a0": {
+ "columnOrder": [
+ "891a49e8-cd86-401a-8901-911327320374",
+ "176619c3-a6a7-4793-b36f-2e24a88de891",
+ "ccbc2e70-16e1-45e0-841e-1b9349badf37"
+ ],
+ "columns": {
+ "176619c3-a6a7-4793-b36f-2e24a88de891": {
+ "customLabel": true,
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "h"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "891a49e8-cd86-401a-8901-911327320374": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "user.name: Descending",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "ccbc2e70-16e1-45e0-841e-1b9349badf37",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 15
+ },
+ "scale": "ordinal",
+ "sourceField": "user.name"
+ },
+ "ccbc2e70-16e1-45e0-841e-1b9349badf37": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "4a5e2651-5d45-4b6b-a761-c8cb22fb8a70",
+ "key": "event.code",
+ "negate": false,
+ "params": [
+ "4625"
+ ],
+ "type": "phrases",
+ "value": "4625"
+ },
+ "query": {
+ "bool": {
+ "minimum_should_match": 1,
+ "should": [
+ {
+ "match_phrase": {
+ "event.code": "4625"
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "662ad73f-d904-4d2c-86b0-d677879a602c",
+ "key": "winlog.provider_name",
+ "negate": false,
+ "params": {
+ "query": "Microsoft-Windows-Security-Auditing"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "winlog.provider_name": "Microsoft-Windows-Security-Auditing"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "gridConfig": {
+ "isCellLabelVisible": true,
+ "isXAxisLabelVisible": true,
+ "isXAxisTitleVisible": true,
+ "isYAxisLabelVisible": true,
+ "isYAxisTitleVisible": true,
+ "type": "heatmap_grid"
+ },
+ "layerId": "0ca1181c-9c17-4b68-9da9-e90032ba66a0",
+ "layerType": "data",
+ "legend": {
+ "isVisible": false,
+ "position": "bottom",
+ "type": "heatmap_legend"
+ },
+ "palette": {
+ "accessor": "ccbc2e70-16e1-45e0-841e-1b9349badf37",
+ "name": "custom",
+ "params": {
+ "colorStops": [
+ {
+ "color": "#FFFFCC",
+ "stop": 0
+ },
+ {
+ "color": "#FEE187",
+ "stop": 20
+ },
+ {
+ "color": "#FEAB4C",
+ "stop": 40
+ },
+ {
+ "color": "#F95C2E",
+ "stop": 60
+ },
+ {
+ "color": "#D31020",
+ "stop": 80
+ }
+ ],
+ "continuity": "none",
+ "maxSteps": 5,
+ "name": "custom",
+ "progression": "fixed",
+ "rangeMax": 100,
+ "rangeMin": 0,
+ "rangeType": "percent",
+ "reverse": false,
+ "stops": [
+ {
+ "color": "#FFFFCC",
+ "stop": 20
+ },
+ {
+ "color": "#FEE187",
+ "stop": 40
+ },
+ {
+ "color": "#FEAB4C",
+ "stop": 60
+ },
+ {
+ "color": "#F95C2E",
+ "stop": 80
+ },
+ {
+ "color": "#D31020",
+ "stop": 100
+ }
+ ]
+ },
+ "type": "palette"
+ },
+ "shape": "heatmap",
+ "valueAccessor": "ccbc2e70-16e1-45e0-841e-1b9349badf37",
+ "xAccessor": "891a49e8-cd86-401a-8901-911327320374",
+ "yAccessor": "176619c3-a6a7-4793-b36f-2e24a88de891"
+ }
+ },
+ "title": "Failed Logon HeatMap [Windows System Security]",
+ "type": "lens",
+ "visualizationType": "lnsHeatmap"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 30,
+ "i": "6",
+ "w": 48,
+ "x": 0,
+ "y": 56
+ },
+ "panelIndex": "6",
+ "title": "Failed Logon HeatMap [Windows System Security]",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {}
+ },
+ "gridData": {
+ "h": 20,
+ "i": "8",
+ "w": 48,
+ "x": 0,
+ "y": 86
+ },
+ "panelIndex": "8",
+ "panelRefName": "panel_8",
+ "title": "Logon Failed and Account Lockouts",
+ "type": "search",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-b205119a-3d44-424a-b471-3adc7b233437",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "d0cc9cbc-3f24-4f1d-a33f-d6161d3e1323",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "d16c0ea3-8535-405e-a080-314609ff2eb9",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "b205119a-3d44-424a-b471-3adc7b233437": {
+ "columnOrder": [
+ "6c00efd4-5d72-4cb3-bd7f-805f413d6368",
+ "5a76cdff-8d92-4431-967b-ead53ef7c47e",
+ "6035bb34-7f8b-43b6-9a35-a286b0e42b68",
+ "c6126afa-c771-4709-a1e8-ce1598a07d96",
+ "b95d6baa-4b3d-4f61-ae4f-8981aed9a448",
+ "d0645d98-f6dd-4f10-811e-7fef21a41c3e",
+ "f0f3ac3f-402d-41e8-87b4-e3416b3b4e31",
+ "6034755d-4e5f-46e8-8700-7397eca1b2c7"
+ ],
+ "columns": {
+ "5a76cdff-8d92-4431-967b-ead53ef7c47e": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "user.name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "6034755d-4e5f-46e8-8700-7397eca1b2c7",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 1000
+ },
+ "scale": "ordinal",
+ "sourceField": "user.name"
+ },
+ "6034755d-4e5f-46e8-8700-7397eca1b2c7": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "6035bb34-7f8b-43b6-9a35-a286b0e42b68": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "source workstation",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "6034755d-4e5f-46e8-8700-7397eca1b2c7",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "source.domain"
+ },
+ "6c00efd4-5d72-4cb3-bd7f-805f413d6368": {
+ "customLabel": true,
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "Time Bucket",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": false,
+ "interval": "h"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "b95d6baa-4b3d-4f61-ae4f-8981aed9a448": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "event.action",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "6034755d-4e5f-46e8-8700-7397eca1b2c7",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "event.action"
+ },
+ "c6126afa-c771-4709-a1e8-ce1598a07d96": {
+ "customLabel": true,
+ "dataType": "ip",
+ "isBucketed": true,
+ "label": "source.ip",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "6034755d-4e5f-46e8-8700-7397eca1b2c7",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "source.ip"
+ },
+ "d0645d98-f6dd-4f10-811e-7fef21a41c3e": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "winlog.logon.type",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "6034755d-4e5f-46e8-8700-7397eca1b2c7",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.logon.type"
+ },
+ "f0f3ac3f-402d-41e8-87b4-e3416b3b4e31": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "winlog.event_data.SubjectUserName",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "6034755d-4e5f-46e8-8700-7397eca1b2c7",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.event_data.SubjectUserName"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "d0cc9cbc-3f24-4f1d-a33f-d6161d3e1323",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4625"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match": {
+ "event.code": {
+ "query": "4625",
+ "type": "phrase"
+ }
+ }
+ }
+ },
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "d16c0ea3-8535-405e-a080-314609ff2eb9",
+ "key": "winlog.provider_name",
+ "negate": false,
+ "params": {
+ "query": "Microsoft-Windows-Security-Auditing"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "winlog.provider_name": "Microsoft-Windows-Security-Auditing"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "alignment": "left",
+ "columnId": "6034755d-4e5f-46e8-8700-7397eca1b2c7"
+ },
+ {
+ "alignment": "left",
+ "columnId": "6c00efd4-5d72-4cb3-bd7f-805f413d6368"
+ },
+ {
+ "alignment": "left",
+ "columnId": "5a76cdff-8d92-4431-967b-ead53ef7c47e"
+ },
+ {
+ "alignment": "left",
+ "columnId": "6035bb34-7f8b-43b6-9a35-a286b0e42b68"
+ },
+ {
+ "alignment": "left",
+ "columnId": "c6126afa-c771-4709-a1e8-ce1598a07d96"
+ },
+ {
+ "alignment": "left",
+ "columnId": "b95d6baa-4b3d-4f61-ae4f-8981aed9a448"
+ },
+ {
+ "alignment": "left",
+ "columnId": "d0645d98-f6dd-4f10-811e-7fef21a41c3e"
+ },
+ {
+ "alignment": "left",
+ "columnId": "f0f3ac3f-402d-41e8-87b4-e3416b3b4e31"
+ }
+ ],
+ "headerRowHeight": "single",
+ "layerId": "b205119a-3d44-424a-b471-3adc7b233437",
+ "layerType": "data",
+ "paging": {
+ "enabled": true,
+ "size": 15
+ },
+ "rowHeight": "single"
+ }
+ },
+ "title": "Logon Failed Table [Windows System Security]",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 31,
+ "i": "11",
+ "w": 24,
+ "x": 24,
+ "y": 25
+ },
+ "panelIndex": "11",
+ "title": "Logon Failed Table [Windows System Security]",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {
+ "filter": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "description": "",
+ "params": {
+ "fontSize": 12,
+ "markdown": "[Windows Overview](#/dashboard/system-Windows-Dashboard) | [User Logon Information](#/dashboard/system-bae11b00-9bfc-11ea-87e4-49f31ec44891) | **Logon Failed and Account Lockout** | [User Management Events](#/dashboard/system-71f720f0-ff18-11e9-8405-516218e3d268) | [Group Management Events](#/dashboard/system-bb858830-f412-11e9-8405-516218e3d268)",
+ "openLinksInNewTab": false
+ },
+ "title": "Dashboard links [Windows System Security]",
+ "type": "markdown",
+ "uiState": {}
+ }
+ },
+ "gridData": {
+ "h": 7,
+ "i": "628de26f-7b7b-457c-b811-e06161e4e7b4",
+ "w": 34,
+ "x": 14,
+ "y": 0
+ },
+ "panelIndex": "628de26f-7b7b-457c-b811-e06161e4e7b4",
+ "title": "",
+ "type": "visualization",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-2f8af088-1452-476f-9b74-7854a8e9d8a3",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "d192bb2b-0add-406e-8fa5-d749aa93cd68",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "9ba1595f-e9a3-4987-9eb0-21d2714752ef",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "2f8af088-1452-476f-9b74-7854a8e9d8a3": {
+ "columnOrder": [
+ "70837b96-3c24-4578-9988-3e91c976bf09",
+ "b2c05801-5cfa-40a5-9988-1aa4056ba903"
+ ],
+ "columns": {
+ "70837b96-3c24-4578-9988-3e91c976bf09": {
+ "customLabel": true,
+ "dataType": "ip",
+ "isBucketed": true,
+ "label": "Logon Source IP",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "b2c05801-5cfa-40a5-9988-1aa4056ba903",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "source.ip"
+ },
+ "b2c05801-5cfa-40a5-9988-1aa4056ba903": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "d192bb2b-0add-406e-8fa5-d749aa93cd68",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4625"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4625"
+ }
+ }
+ },
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "winlog.provider_name",
+ "index": "9ba1595f-e9a3-4987-9eb0-21d2714752ef",
+ "key": "winlog.provider_name",
+ "negate": false,
+ "params": {
+ "query": "Microsoft-Windows-Security-Auditing"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "winlog.provider_name": "Microsoft-Windows-Security-Auditing"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "b2c05801-5cfa-40a5-9988-1aa4056ba903"
+ ],
+ "layerId": "2f8af088-1452-476f-9b74-7854a8e9d8a3",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "bar_horizontal",
+ "showGridlines": false,
+ "xAccessor": "70837b96-3c24-4578-9988-3e91c976bf09"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right"
+ },
+ "preferredSeriesType": "bar_horizontal",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 18,
+ "i": "13f5fdc0-b503-4e37-a39e-a2365be6356d",
+ "w": 13,
+ "x": 35,
+ "y": 7
+ },
+ "panelIndex": "13f5fdc0-b503-4e37-a39e-a2365be6356d",
+ "title": "Logon Failed Source IPs",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_logs-*/@timestamp": {
+ "allowNoIndex": false,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_logs-*/@timestamp",
+ "name": "logs-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "logs-*"
+ }
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "f29083db-60ee-4050-a6fd-3c8ec6f2b86c": {
+ "columnOrder": [
+ "e4afb6fa-36ce-46cc-bea2-175b29605d8a"
+ ],
+ "columns": {
+ "e4afb6fa-36ce-46cc-bea2-175b29605d8a": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "((data_stream.dataset:windows.security OR data_stream.dataset:system.security) AND event.code: \"4625\")"
+ },
+ "isBucketed": false,
+ "label": "Failed Logon",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "tsvb_ad_hoc_logs-*/@timestamp",
+ "name": "indexpattern-datasource-layer-f29083db-60ee-4050-a6fd-3c8ec6f2b86c",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "accessor": "e4afb6fa-36ce-46cc-bea2-175b29605d8a",
+ "layerId": "f29083db-60ee-4050-a6fd-3c8ec6f2b86c",
+ "layerType": "data"
+ }
+ },
+ "title": "TSVB visualization",
+ "type": "lens",
+ "visualizationType": "lnsLegacyMetric"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 10,
+ "i": "af0b27cf-3a49-4180-bd15-a399f7b349b3",
+ "w": 12,
+ "x": 0,
+ "y": 25
+ },
+ "panelIndex": "af0b27cf-3a49-4180-bd15-a399f7b349b3",
+ "title": "",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_logs-*/@timestamp": {
+ "allowNoIndex": false,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_logs-*/@timestamp",
+ "name": "logs-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "logs-*"
+ }
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "7b50ca11-6492-47c9-bb57-5d2e88f51719": {
+ "columnOrder": [
+ "46e6f211-0dc7-4f4f-963d-033c09854126"
+ ],
+ "columns": {
+ "46e6f211-0dc7-4f4f-963d-033c09854126": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "event.code: \"4740\""
+ },
+ "isBucketed": false,
+ "label": "Blocked Accounts",
+ "operationType": "unique_count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "user.name"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "tsvb_ad_hoc_logs-*/@timestamp",
+ "name": "indexpattern-datasource-layer-7b50ca11-6492-47c9-bb57-5d2e88f51719",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "accessor": "46e6f211-0dc7-4f4f-963d-033c09854126",
+ "layerId": "7b50ca11-6492-47c9-bb57-5d2e88f51719",
+ "layerType": "data"
+ }
+ },
+ "title": "TSVB visualization",
+ "type": "lens",
+ "visualizationType": "lnsLegacyMetric"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 10,
+ "i": "d69a5e0c-274d-4515-8f31-737b9ecbddba",
+ "w": 12,
+ "x": 12,
+ "y": 25
+ },
+ "panelIndex": "d69a5e0c-274d-4515-8f31-737b9ecbddba",
+ "title": "",
+ "type": "lens",
+ "version": "8.7.0"
+ }
+ ],
+ "timeRestore": false,
+ "title": "[System Windows Security] Failed and Blocked Accounts",
+ "version": 1
+ },
+ "coreMigrationVersion": "8.7.1",
+ "created_at": "2023-05-04T21:59:59.346Z",
+ "id": "system-d401ef40-a7d5-11e9-a422-d144027429da",
+ "migrationVersion": {
+ "dashboard": "8.7.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "2:indexpattern-datasource-layer-51928276-cada-4ce4-8054-672e298c095f",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "2:c5560265-9668-4020-acf5-2f125a50e192",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "3:kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "3:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "4:indexpattern-datasource-layer-892d74e5-47d2-4c42-80d9-4bc979530ef2",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "4:14b89fc0-8a6c-47a7-b5e3-516699233c61",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "5:kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "5:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "6:indexpattern-datasource-layer-0ca1181c-9c17-4b68-9da9-e90032ba66a0",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "6:4a5e2651-5d45-4b6b-a761-c8cb22fb8a70",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "6:662ad73f-d904-4d2c-86b0-d677879a602c",
+ "type": "index-pattern"
+ },
+ {
+ "id": "system-757510b0-a87f-11e9-a422-d144027429da",
+ "name": "8:panel_8",
+ "type": "search"
+ },
+ {
+ "id": "logs-*",
+ "name": "11:indexpattern-datasource-layer-b205119a-3d44-424a-b471-3adc7b233437",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "11:d0cc9cbc-3f24-4f1d-a33f-d6161d3e1323",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "11:d16c0ea3-8535-405e-a080-314609ff2eb9",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "13f5fdc0-b503-4e37-a39e-a2365be6356d:indexpattern-datasource-layer-2f8af088-1452-476f-9b74-7854a8e9d8a3",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "13f5fdc0-b503-4e37-a39e-a2365be6356d:d192bb2b-0add-406e-8fa5-d749aa93cd68",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "13f5fdc0-b503-4e37-a39e-a2365be6356d:9ba1595f-e9a3-4987-9eb0-21d2714752ef",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "dashboard"
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/kibana/search/system-06b6b060-7a80-11ea-bc9a-0baf2ca323a3.json b/test/packages/parallel/system/kibana/search/system-06b6b060-7a80-11ea-bc9a-0baf2ca323a3.json
new file mode 100644
index 000000000..82486ae0c
--- /dev/null
+++ b/test/packages/parallel/system/kibana/search/system-06b6b060-7a80-11ea-bc9a-0baf2ca323a3.json
@@ -0,0 +1,101 @@
+{
+ "attributes": {
+ "columns": [
+ "user.name",
+ "user.domain",
+ "winlog.logon.id",
+ "event.action",
+ "winlog.logon.type",
+ "winlog.event_data.SubjectUserName"
+ ],
+ "description": "",
+ "hits": 0,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4625"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4625"
+ }
+ }
+ },
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
+ "key": "winlog.provider_name",
+ "negate": false,
+ "params": {
+ "query": "Microsoft-Windows-Security-Auditing"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "winlog.provider_name": "Microsoft-Windows-Security-Auditing"
+ }
+ }
+ }
+ ],
+ "highlightAll": true,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security"
+ },
+ "version": true
+ }
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "title": "User Logouts [Windows System Security]",
+ "version": 1
+ },
+ "coreMigrationVersion": "8.7.1",
+ "created_at": "2023-05-04T21:59:59.346Z",
+ "id": "system-06b6b060-7a80-11ea-bc9a-0baf2ca323a3",
+ "migrationVersion": {
+ "search": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "search"
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/kibana/search/system-324686c0-fefb-11e9-8405-516218e3d268.json b/test/packages/parallel/system/kibana/search/system-324686c0-fefb-11e9-8405-516218e3d268.json
new file mode 100644
index 000000000..2927c111b
--- /dev/null
+++ b/test/packages/parallel/system/kibana/search/system-324686c0-fefb-11e9-8405-516218e3d268.json
@@ -0,0 +1,144 @@
+{
+ "attributes": {
+ "columns": [
+ "event.action",
+ "winlog.event_data.TargetUserName",
+ "user.domain",
+ "user.name",
+ "winlog.event_data.SubjectDomainName",
+ "winlog.logon.id",
+ "related.user"
+ ],
+ "description": "",
+ "hits": 0,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "event.code",
+ "negate": false,
+ "params": [
+ "4720",
+ "4722",
+ "4723",
+ "4724",
+ "4725",
+ "4726",
+ "4738",
+ "4740",
+ "4767",
+ "4781",
+ "4798"
+ ],
+ "type": "phrases",
+ "value": "4720, 4722, 4723, 4724, 4725, 4726, 4738, 4740, 4767, 4781, 4798"
+ },
+ "query": {
+ "bool": {
+ "minimum_should_match": 1,
+ "should": [
+ {
+ "match_phrase": {
+ "event.code": "4720"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4722"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4723"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4724"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4725"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4726"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4738"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4740"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4767"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4781"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4798"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "highlightAll": true,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security"
+ },
+ "version": true
+ }
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "title": "User management Details - Search [Windows System Security]",
+ "version": 1
+ },
+ "coreMigrationVersion": "8.7.1",
+ "created_at": "2023-05-04T21:59:59.346Z",
+ "id": "system-324686c0-fefb-11e9-8405-516218e3d268",
+ "migrationVersion": {
+ "search": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "search"
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/kibana/search/system-62439dc0-f9c9-11e6-a747-6121780e0414.json b/test/packages/parallel/system/kibana/search/system-62439dc0-f9c9-11e6-a747-6121780e0414.json
new file mode 100644
index 000000000..97614d9a9
--- /dev/null
+++ b/test/packages/parallel/system/kibana/search/system-62439dc0-f9c9-11e6-a747-6121780e0414.json
@@ -0,0 +1,51 @@
+{
+ "attributes": {
+ "columns": [
+ "system.auth.ssh.event",
+ "system.auth.ssh.method",
+ "user.name",
+ "source.ip",
+ "source.geo.country_iso_code"
+ ],
+ "description": "",
+ "hits": 0,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [],
+ "highlightAll": true,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": "data_stream.dataset:system.auth AND system.auth.ssh.event:*"
+ }
+ }
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "title": "SSH login attempts [Logs System]",
+ "version": 1
+ },
+ "coreMigrationVersion": "8.6.1",
+ "created_at": "2023-03-23T04:03:56.987Z",
+ "id": "system-62439dc0-f9c9-11e6-a747-6121780e0414",
+ "migrationVersion": {
+ "search": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "system-fleet-pkg-system-default",
+ "name": "tag-ref-fleet-pkg-system-default",
+ "type": "tag"
+ }
+ ],
+ "type": "search"
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/kibana/search/system-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3.json b/test/packages/parallel/system/kibana/search/system-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3.json
new file mode 100644
index 000000000..a4db9fdd6
--- /dev/null
+++ b/test/packages/parallel/system/kibana/search/system-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3.json
@@ -0,0 +1,88 @@
+{
+ "attributes": {
+ "columns": [
+ "user.name",
+ "source.domain",
+ "source.ip",
+ "winlog.logon.id",
+ "event.action"
+ ],
+ "description": "",
+ "hits": 0,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "event.code",
+ "negate": false,
+ "params": [
+ "4778",
+ "4779"
+ ],
+ "type": "phrases",
+ "value": "4778, 4779"
+ },
+ "query": {
+ "bool": {
+ "minimum_should_match": 1,
+ "should": [
+ {
+ "match_phrase": {
+ "event.code": "4778"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4779"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "highlightAll": true,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security"
+ },
+ "version": true
+ }
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "title": "Remote Interactive Connections and Disconnections [Windows System Security]",
+ "version": 1
+ },
+ "coreMigrationVersion": "8.7.1",
+ "created_at": "2023-05-04T21:59:59.346Z",
+ "id": "system-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3",
+ "migrationVersion": {
+ "search": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "search"
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/kibana/search/system-757510b0-a87f-11e9-a422-d144027429da.json b/test/packages/parallel/system/kibana/search/system-757510b0-a87f-11e9-a422-d144027429da.json
new file mode 100644
index 000000000..e1efc40d0
--- /dev/null
+++ b/test/packages/parallel/system/kibana/search/system-757510b0-a87f-11e9-a422-d144027429da.json
@@ -0,0 +1,116 @@
+{
+ "attributes": {
+ "columns": [
+ "event.action",
+ "user.name",
+ "related.user",
+ "user.domain",
+ "source.domain",
+ "source.ip",
+ "winlog.event_data.SubjectUserName"
+ ],
+ "description": "",
+ "hits": 0,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "event.code",
+ "negate": false,
+ "params": [
+ "4625",
+ "4740"
+ ],
+ "type": "phrases",
+ "value": "4625, 4740"
+ },
+ "query": {
+ "bool": {
+ "minimum_should_match": 1,
+ "should": [
+ {
+ "match_phrase": {
+ "event.code": "4625"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4740"
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
+ "key": "winlog.provider_name",
+ "negate": false,
+ "params": {
+ "query": "Microsoft-Windows-Security-Auditing"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "winlog.provider_name": "Microsoft-Windows-Security-Auditing"
+ }
+ }
+ }
+ ],
+ "highlightAll": true,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security"
+ },
+ "version": true
+ }
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "title": "3. Login Failed Details",
+ "version": 1
+ },
+ "coreMigrationVersion": "8.7.1",
+ "created_at": "2023-05-04T21:59:59.346Z",
+ "id": "system-757510b0-a87f-11e9-a422-d144027429da",
+ "migrationVersion": {
+ "search": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "search"
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/kibana/search/system-7e178c80-fee1-11e9-8405-516218e3d268.json b/test/packages/parallel/system/kibana/search/system-7e178c80-fee1-11e9-8405-516218e3d268.json
new file mode 100644
index 000000000..728ec1dc1
--- /dev/null
+++ b/test/packages/parallel/system/kibana/search/system-7e178c80-fee1-11e9-8405-516218e3d268.json
@@ -0,0 +1,82 @@
+{
+ "attributes": {
+ "columns": [
+ "user.name",
+ "source.domain",
+ "source.ip",
+ "winlog.logon.id",
+ "winlog.logon.type"
+ ],
+ "description": "",
+ "hits": 0,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "event.code",
+ "negate": false,
+ "params": [
+ "4624"
+ ],
+ "type": "phrases",
+ "value": "4624"
+ },
+ "query": {
+ "bool": {
+ "minimum_should_match": 1,
+ "should": [
+ {
+ "match_phrase": {
+ "event.code": "4624"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "highlightAll": true,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security"
+ },
+ "version": true
+ }
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "title": "Logon Details [Windows System Security]",
+ "version": 1
+ },
+ "coreMigrationVersion": "8.7.1",
+ "created_at": "2023-05-04T21:59:59.346Z",
+ "id": "system-7e178c80-fee1-11e9-8405-516218e3d268",
+ "migrationVersion": {
+ "search": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "search"
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/kibana/search/system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab.json b/test/packages/parallel/system/kibana/search/system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab.json
new file mode 100644
index 000000000..1f4d2568e
--- /dev/null
+++ b/test/packages/parallel/system/kibana/search/system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab.json
@@ -0,0 +1,51 @@
+{
+ "attributes": {
+ "columns": [
+ "user.name",
+ "user.id",
+ "group.id",
+ "system.auth.useradd.home",
+ "system.auth.useradd.shell"
+ ],
+ "description": "",
+ "hits": 0,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [],
+ "highlightAll": true,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": "system.auth.useradd:*"
+ }
+ }
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "title": "useradd logs [Logs System]",
+ "version": 1
+ },
+ "coreMigrationVersion": "8.6.1",
+ "created_at": "2023-03-23T04:03:56.987Z",
+ "id": "system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab",
+ "migrationVersion": {
+ "search": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "system-fleet-pkg-system-default",
+ "name": "tag-ref-fleet-pkg-system-default",
+ "type": "tag"
+ }
+ ],
+ "type": "search"
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/kibana/search/system-9066d5b0-fef2-11e9-8405-516218e3d268.json b/test/packages/parallel/system/kibana/search/system-9066d5b0-fef2-11e9-8405-516218e3d268.json
new file mode 100644
index 000000000..85ebf3746
--- /dev/null
+++ b/test/packages/parallel/system/kibana/search/system-9066d5b0-fef2-11e9-8405-516218e3d268.json
@@ -0,0 +1,263 @@
+{
+ "attributes": {
+ "columns": [
+ "event.action",
+ "group.name",
+ "group.domain",
+ "user.name",
+ "user.domain",
+ "host.name"
+ ],
+ "description": "",
+ "hits": 0,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "event.code",
+ "negate": false,
+ "params": [
+ "4731",
+ "4732",
+ "4733",
+ "4734",
+ "4735",
+ "4737",
+ "4764",
+ "4727",
+ "4728",
+ "4729",
+ "4730",
+ "4754",
+ "4755",
+ "4756",
+ "4757",
+ "4758",
+ "4799",
+ "4749",
+ "4750",
+ "4751",
+ "4752",
+ "4753",
+ "4759",
+ "4760",
+ "4761",
+ "4762",
+ "4763",
+ "4744",
+ "4745",
+ "4746",
+ "4748"
+ ],
+ "type": "phrases",
+ "value": "4731, 4732, 4733, 4734, 4735, 4737, 4764, 4727, 4728, 4729, 4730, 4754, 4755, 4756, 4757, 4758, 4799, 4749, 4750, 4751, 4752, 4753, 4759, 4760, 4761, 4762, 4763, 4744, 4745, 4746, 4748"
+ },
+ "query": {
+ "bool": {
+ "minimum_should_match": 1,
+ "should": [
+ {
+ "match_phrase": {
+ "event.code": "4731"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4732"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4733"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4734"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4735"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4737"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4764"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4727"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4728"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4729"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4730"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4754"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4755"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4756"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4757"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4758"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4799"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4749"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4750"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4751"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4752"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4753"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4759"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4760"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4761"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4762"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4763"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4744"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4745"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4746"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4748"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "highlightAll": true,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security"
+ },
+ "version": true
+ }
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "title": "Group Management Details - Search View [Windows System Security]",
+ "version": 1
+ },
+ "coreMigrationVersion": "8.7.1",
+ "created_at": "2023-05-04T21:59:59.346Z",
+ "id": "system-9066d5b0-fef2-11e9-8405-516218e3d268",
+ "migrationVersion": {
+ "search": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "search"
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/kibana/search/system-Syslog-system-logs.json b/test/packages/parallel/system/kibana/search/system-Syslog-system-logs.json
new file mode 100644
index 000000000..5619eb7db
--- /dev/null
+++ b/test/packages/parallel/system/kibana/search/system-Syslog-system-logs.json
@@ -0,0 +1,62 @@
+{
+ "attributes": {
+ "columns": [
+ "host.hostname",
+ "process.name",
+ "message"
+ ],
+ "description": "",
+ "hits": 0,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [],
+ "highlight": {
+ "fields": {
+ "*": {}
+ },
+ "fragment_size": 2147483647,
+ "post_tags": [
+ "@/kibana-highlighted-field@"
+ ],
+ "pre_tags": [
+ "@kibana-highlighted-field@"
+ ],
+ "require_field_match": false
+ },
+ "highlightAll": true,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": "data_stream.dataset:system.syslog"
+ }
+ }
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "title": "Syslog logs [Logs System]",
+ "version": 1
+ },
+ "coreMigrationVersion": "8.6.1",
+ "created_at": "2023-03-23T04:03:56.987Z",
+ "id": "system-Syslog-system-logs",
+ "migrationVersion": {
+ "search": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "system-fleet-pkg-system-default",
+ "name": "tag-ref-fleet-pkg-system-default",
+ "type": "tag"
+ }
+ ],
+ "type": "search"
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/kibana/search/system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a.json b/test/packages/parallel/system/kibana/search/system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a.json
new file mode 100644
index 000000000..f8e0c8787
--- /dev/null
+++ b/test/packages/parallel/system/kibana/search/system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a.json
@@ -0,0 +1,50 @@
+{
+ "attributes": {
+ "columns": [
+ "user.name",
+ "system.auth.sudo.user",
+ "system.auth.sudo.pwd",
+ "system.auth.sudo.command"
+ ],
+ "description": "",
+ "hits": 0,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [],
+ "highlightAll": true,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": "system.auth.sudo:*"
+ }
+ }
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "title": "Sudo commands [Logs System]",
+ "version": 1
+ },
+ "coreMigrationVersion": "8.6.1",
+ "created_at": "2023-03-23T04:03:56.987Z",
+ "id": "system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a",
+ "migrationVersion": {
+ "search": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "system-fleet-pkg-system-default",
+ "name": "tag-ref-fleet-pkg-system-default",
+ "type": "tag"
+ }
+ ],
+ "type": "search"
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/kibana/search/system-ce71c9a0-a25e-11e9-a422-d144027429da.json b/test/packages/parallel/system/kibana/search/system-ce71c9a0-a25e-11e9-a422-d144027429da.json
new file mode 100644
index 000000000..cee2784d8
--- /dev/null
+++ b/test/packages/parallel/system/kibana/search/system-ce71c9a0-a25e-11e9-a422-d144027429da.json
@@ -0,0 +1,77 @@
+{
+ "attributes": {
+ "columns": [
+ "user.name",
+ "winlog.logon.type",
+ "source.domain",
+ "source.ip",
+ "winlog.logon.id"
+ ],
+ "description": "",
+ "hits": 0,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4624"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match": {
+ "event.code": {
+ "query": "4624",
+ "type": "phrase"
+ }
+ }
+ }
+ }
+ ],
+ "highlightAll": true,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security"
+ },
+ "version": true
+ }
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "title": "User Logons [Windows System Security]",
+ "version": 1
+ },
+ "coreMigrationVersion": "8.7.1",
+ "created_at": "2023-05-04T21:59:59.346Z",
+ "id": "system-ce71c9a0-a25e-11e9-a422-d144027429da",
+ "migrationVersion": {
+ "search": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "search"
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/kibana/search/system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38.json b/test/packages/parallel/system/kibana/search/system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38.json
new file mode 100644
index 000000000..410853e5d
--- /dev/null
+++ b/test/packages/parallel/system/kibana/search/system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38.json
@@ -0,0 +1,48 @@
+{
+ "attributes": {
+ "columns": [
+ "group.name",
+ "group.id"
+ ],
+ "description": "",
+ "hits": 0,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [],
+ "highlightAll": true,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": "system.auth.groupadd:*"
+ }
+ }
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "title": "groupadd logs [Logs System]",
+ "version": 1
+ },
+ "coreMigrationVersion": "8.6.1",
+ "created_at": "2023-03-23T04:03:56.987Z",
+ "id": "system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38",
+ "migrationVersion": {
+ "search": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "system-fleet-pkg-system-default",
+ "name": "tag-ref-fleet-pkg-system-default",
+ "type": "tag"
+ }
+ ],
+ "type": "search"
+}
\ No newline at end of file
diff --git a/test/packages/parallel/system/manifest.yml b/test/packages/parallel/system/manifest.yml
new file mode 100644
index 000000000..5525fdd27
--- /dev/null
+++ b/test/packages/parallel/system/manifest.yml
@@ -0,0 +1,124 @@
+format_version: 1.0.0
+name: system
+title: System
+version: 1.33.0
+license: basic
+description: Collect system logs and metrics from your servers with Elastic Agent (TSDB Beta).
+type: integration
+categories:
+ - os_system
+release: ga
+conditions:
+ kibana.version: '^8.8.0'
+screenshots:
+ - src: /img/kibana-system.png
+ title: kibana system
+ size: 1220x852
+ type: image/png
+ - src: /img/metricbeat_system_dashboard.png
+ title: metricbeat system dashboard
+ size: 2097x1933
+ type: image/png
+icons:
+ - src: /img/system.svg
+ title: system
+ size: 1000x1000
+ type: image/svg+xml
+policy_templates:
+ - name: system
+ title: System logs and metrics
+ description: Collect logs and metrics from System instances
+ inputs:
+ - type: logfile
+ title: Collect logs from System instances
+ description: Collecting System auth and syslog logs
+ - type: winlog
+ title: 'Collect events from the Windows event log'
+ description: 'Collecting events from Windows event log'
+ - type: system/metrics
+ title: Collect metrics from System instances
+ description: Collecting System core, CPU, diskio, entropy, filesystem, fsstat, load, memory, network, Network Summary, process, Process Summary, raid, service, socket, Socket Summary, uptime and users metrics
+ vars:
+ - name: system.hostfs
+ type: text
+ title: Proc Filesystem Directory
+ multi: false
+ required: false
+ show_user: true
+ description: The proc filesystem base directory.
+ - type: httpjson
+ title: Collect logs from third-party REST API (experimental)
+ description: Collect logs from third-party REST API (experimental)
+ vars:
+ - name: url
+ type: text
+ title: URL of Splunk Enterprise Server
+ description: i.e. scheme://host:port, path is automatic
+ show_user: true
+ required: true
+ default: https://server.example.com:8089
+ - name: enable_request_tracer
+ type: bool
+ title: Enable request tracing
+ multi: false
+ required: false
+ show_user: false
+ description: The request tracer logs requests and responses to the agent's local file-system for debugging configurations. The logs are part of agent's diagnostics dump under `logs/httpjson/http-request-trace-.ndjson`. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_tracer_filename) for details.
+ - name: username
+ type: text
+ title: Splunk REST API Username
+ show_user: true
+ required: false
+ - name: password
+ type: password
+ title: Splunk REST API Password
+ show_user: true
+ required: false
+ - name: token
+ type: password
+ title: Splunk Authorization Token
+ description: |
+ Bearer Token or Session Key, e.g. "Bearer eyJFd3e46..."
+ or "Splunk 192fd3e...". Cannot be used with username
+ and password.
+ show_user: true
+ required: false
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: ssl
+ type: yaml
+ title: SSL Configuration
+ description: i.e. certificate_authorities, supported_protocols, verification_mode etc.
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ #certificate_authorities:
+ # - |
+ # -----BEGIN CERTIFICATE-----
+ # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
+ # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
+ # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
+ # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
+ # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
+ # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
+ # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
+ # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
+ # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
+ # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
+ # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
+ # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
+ # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
+ # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
+ # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
+ # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
+ # sxSmbIUfc2SGJGCJD4I=
+ # -----END CERTIFICATE-----
+owner:
+ github: elastic/obs-infraobs-integrations
diff --git a/test/packages/parallel/system/script.py b/test/packages/parallel/system/script.py
new file mode 100644
index 000000000..178eb89fc
--- /dev/null
+++ b/test/packages/parallel/system/script.py
@@ -0,0 +1,50 @@
+import argparse
+
+
+if __name__ == "__main__":
+ parser = argparse.ArgumentParser()
+ parser.add_argument("--list", required=True)
+ parser.add_argument("--reference", required=False)
+ parser.add_argument("--dashboard", required=False)
+ parser.add_argument("--all_dashboards", action="store_true", required=False)
+
+ args = parser.parse_args()
+
+ lines = []
+ with open(args.list, "r") as f:
+ lines = f.readlines()
+ dashboards_references = {}
+ references_dashboards = {}
+
+ for line in lines:
+ fields = line.split(":")
+ dashboard = fields[0]
+
+ references = [r.strip() for r in fields[1].split(",")]
+
+ dashboards_references[dashboard] = references
+
+ for r in references:
+ if r in references_dashboards:
+ references_dashboards[r].append(dashboard)
+ else:
+ references_dashboards[r] = [dashboard]
+
+ if args.reference:
+ print(references_dashboards[args.reference])
+
+ if args.dashboard:
+ print(dashboards_references[args.dashboard])
+ for ref in dashboards_references[args.dashboard]:
+ number = len(references_dashboards[ref])
+ print(f" - {ref}: {number}")
+
+ print("")
+
+ if args.all_dashboards:
+ for dashboard in dashboards_references:
+ print(f"Dashboard {dashboard}:")
+ for ref in dashboards_references[dashboard]:
+ number = len(references_dashboards[ref])
+ print(f" - {ref}: {number}")
+ print("")