From 121782734cf5467d8d315f161cffc465044461e5 Mon Sep 17 00:00:00 2001 From: Lee Hinman <57081003+leehinman@users.noreply.github.com> Date: Tue, 5 May 2020 09:33:07 -0500 Subject: [PATCH 1/2] [Filebeat] Improve ECS categorization field mappings in osquery module (#17881) * Improve ECS categorization field mappings in osquery module - event.action - event.kind - event.type - file.accessed - file.created - file.directory - file.gid - file.inode - file.mode - file.mtime - file.name - file.path - file.size - file.type - file.uid - host.hostname - host.id - process.name - related.user - rule.name - url.full - user.name Closes #16176 * Fix misspelling of username & set ECS version (cherry picked from commit 282b084149cba777e93aea9d455094f6a1f1c06e) --- CHANGELOG.next.asciidoc | 1 + .../module/osquery/result/config/result.yml | 5 + .../osquery/result/ingest/pipeline.json | 158 ++++ .../test/osquery.rootkit.log-expected.json | 384 +++++++++ .../osqueryd.results.darwin.log-expected.json | 758 +++++++++++++++++- .../osqueryd.results.sample.log-expected.json | 734 +++++++++++++++++ .../result/test/test.log-expected.json | 8 + 7 files changed, 2046 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 4bf08898fc8d..e3662e521f10 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -364,6 +364,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Improve ECS categorization field mappings for zeek module. {issue}16029[16029] {pull}17738[17738] - Improve ECS categorization field mappings for netflow module. {issue}16135[16135] {pull}18108[18108] - Improve ECS categorization field mappings in system module. {issue}16031[16031] {pull}18065[18065] +- Improve ECS categorization field mappings in osquery module. {issue}16176[16176] {pull}17881[17881] *Heartbeat* 
diff --git a/filebeat/module/osquery/result/config/result.yml b/filebeat/module/osquery/result/config/result.yml
index 28a93562b905..f35881687e8e 100644
--- a/filebeat/module/osquery/result/config/result.yml
+++ b/filebeat/module/osquery/result/config/result.yml
@@ -6,3 +6,8 @@ paths:
 exclude_files: [".gz$"]
 json.overwrite_keys: true
 json.add_error_key: true
+processors:
+ - add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
diff --git a/filebeat/module/osquery/result/ingest/pipeline.json b/filebeat/module/osquery/result/ingest/pipeline.json
index 1c03e6eb1903..905cba699153 100644
--- a/filebeat/module/osquery/result/ingest/pipeline.json
+++ b/filebeat/module/osquery/result/ingest/pipeline.json
@@ -42,6 +42,164 @@ "target_field": "osquery.result.calendar_time", "ignore_missing": true } + }, + { + "set": { + "field": "event.kind", + "value": "event" + } + }, + { + "set": { + "field": "event.type", + "value": "info" + } + }, + { + "set": { + "field": "event.action", + "value": "{{osquery.result.action}}", + "if": "ctx?.osquery?.result?.action != null" + } + }, + { + "date": { + "field": "osquery.result.columns.atime", + "target_field": "file.accessed", + "formats": ["UNIX"], + "ignore_failure": true, + "if": "ctx?.osquery?.result?.columns?.atime != null" + } + }, + { + "date": { + "field": "osquery.result.columns.ctime", + "target_field": "file.created", + "formats": ["UNIX"], + "ignore_failure": true, + "if": "ctx?.osquery?.result?.columns?.ctime != null" + } + }, + { + "date": { + "field": "osquery.result.columns.mtime", + "target_field": "file.mtime", + "formats": ["UNIX"], + "ignore_failure": true, + "if": "ctx?.osquery?.result?.columns?.mtime != null" + } + }, + { + "set": { + "field": "file.directory", + "value": "{{osquery.result.columns.directory}}", + "if": "ctx?.osquery?.result?.columns?.directory != null" + } + }, + { + "set": { + "field": "file.name", + "value": "{{osquery.result.columns.filename}}", + "if": "ctx?.osquery?.result?.columns?.filename != null" + } + }, + { + "set": { + "field": "file.gid", + "value": "{{osquery.result.columns.gid}}", + "if": "ctx?.osquery?.result?.columns?.gid != null" + } + }, + { + "set": { + "field": "file.inode", + "value": "{{osquery.result.columns.inode}}", + "if": "ctx?.osquery?.result?.columns?.inode != null" + } + }, + { + "set": { + "field": "file.mode", + "value": "{{osquery.result.columns.mode}}", + "if": "ctx?.osquery?.result?.columns?.mode != null" + } + }, + { + "set": { + "field": "file.path", + "value": "{{osquery.result.columns.path}}", + "if": "ctx?.osquery?.result?.columns?.path != null" + } + }, + { + "set": { + "field": "file.size", + "value": "{{osquery.result.columns.size}}", + "if": 
"ctx?.osquery?.result?.columns?.size != null" + } + }, + { + "set": { + "field": "file.type", + "value": "{{osquery.result.columns.type}}", + "if": "ctx?.osquery?.result?.columns?.type != null" + } + }, + { + "set": { + "field": "file.uid", + "value": "{{osquery.result.columns.uid}}", + "if": "ctx?.osquery?.result?.columns?.uid != null" + } + }, + { + "set": { + "field": "user.name", + "value": "{{osquery.result.decorations.username}}", + "if": "ctx?.osquery?.result?.decorations?.username != null" + } + }, + { + "append": { + "field": "related.user", + "value": "{{user.name}}", + "if": "ctx?.user?.name != null" + } + }, + { + "set": { + "field": "host.hostname", + "value": "{{osquery.result.host_identifier}}", + "if": "ctx?.osquery?.result?.host_identifier != null" + } + }, + { + "set": { + "field": "host.id", + "value": "{{osquery.result.decorations.host_uuid}}", + "if": "ctx?.osquery?.result?.decorations?.host_uuid != null" + } + }, + { + "set": { + "field": "process.name", + "value": "{{osquery.result.columns.process}}", + "if": "ctx?.osquery?.result?.columns?.process != null" + } + }, + { + "set": { + "field": "url.full", + "value": "{{osquery.result.columns.source_url}}", + "if": "ctx?.osquery?.result?.columns?.source_url != null && ctx.osquery.result.columns.source_url != 'null'" + } + }, + { + "set": { + "field": "rule.name", + "value": "{{osquery.result.name}}", + "if": "ctx?.osquery?.result?.name != null" + } } ], "on_failure" : [{ diff --git a/filebeat/module/osquery/result/test/osquery.rootkit.log-expected.json b/filebeat/module/osquery/result/test/osquery.rootkit.log-expected.json index 3833a9c040ea..5e03b82457b1 100644 --- a/filebeat/module/osquery/result/test/osquery.rootkit.log-expected.json +++ b/filebeat/module/osquery/result/test/osquery.rootkit.log-expected.json 
@@ -1,9 +1,14 @@ [ { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 0, "osquery.result.action": "added", @@ -24,13 +29,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 490, "osquery.result.action": "added", @@ -51,13 +62,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 981, "osquery.result.action": "added", 
@@ -78,13 +95,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 1469, "osquery.result.action": "added", @@ -105,13 +128,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 1961, "osquery.result.action": "added", @@ -132,13 +161,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 2456, "osquery.result.action": "added", 
@@ -159,13 +194,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 2941, "osquery.result.action": "added", @@ -186,13 +227,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 3430, "osquery.result.action": "added", @@ -213,13 +260,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 3917, "osquery.result.action": "added", 
@@ -240,13 +293,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 4411, "osquery.result.action": "added", @@ -267,13 +326,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 4901, "osquery.result.action": "added", @@ -294,13 +359,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 5393, "osquery.result.action": "added", 
@@ -321,13 +392,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 5881, "osquery.result.action": "added", @@ -348,13 +425,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 6375, "osquery.result.action": "added", @@ -375,13 +458,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 6865, "osquery.result.action": "added", 
@@ -402,13 +491,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 7353, "osquery.result.action": "added", @@ -429,13 +524,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 7841, "osquery.result.action": "added", @@ -456,13 +557,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 8334, "osquery.result.action": "added", 
@@ -483,13 +590,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 8826, "osquery.result.action": "added", @@ -510,13 +623,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 9319, "osquery.result.action": "added", @@ -537,13 +656,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 9805, "osquery.result.action": "added", 
@@ -564,13 +689,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 10292, "osquery.result.action": "added", @@ -591,13 +722,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 10780, "osquery.result.action": "added", @@ -618,13 +755,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 11269, "osquery.result.action": "added", 
@@ -645,13 +788,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 11762, "osquery.result.action": "added", @@ -672,13 +821,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 12249, "osquery.result.action": "added", @@ -699,13 +854,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 12743, "osquery.result.action": "added", 
@@ -726,13 +887,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 13227, "osquery.result.action": "added", @@ -753,13 +920,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 13717, "osquery.result.action": "added", @@ -780,13 +953,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 14207, "osquery.result.action": "added", 
@@ -807,13 +986,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 14695, "osquery.result.action": "added", @@ -834,13 +1019,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 15181, "osquery.result.action": "added", @@ -861,13 +1052,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 15675, "osquery.result.action": "added", 
@@ -888,13 +1085,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 16168, "osquery.result.action": "added", @@ -915,13 +1118,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 16656, "osquery.result.action": "added", @@ -942,13 +1151,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 17143, "osquery.result.action": "added", 
@@ -969,13 +1184,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 17625, "osquery.result.action": "added", @@ -996,13 +1217,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 18119, "osquery.result.action": "added", @@ -1023,13 +1250,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 18601, "osquery.result.action": "added", 
@@ -1050,13 +1283,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 19096, "osquery.result.action": "added", @@ -1077,13 +1316,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 19591, "osquery.result.action": "added", @@ -1104,13 +1349,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 20074, "osquery.result.action": "added", 
@@ -1131,13 +1382,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 20565, "osquery.result.action": "added", @@ -1158,13 +1415,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 21050, "osquery.result.action": "added", @@ -1185,13 +1448,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 21555, "osquery.result.action": "added", 
@@ -1212,13 +1481,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 22045, "osquery.result.action": "added", @@ -1239,13 +1514,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 22540, "osquery.result.action": "added", @@ -1266,13 +1547,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 23030, "osquery.result.action": "added", 
@@ -1293,13 +1580,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 23522, "osquery.result.action": "added", @@ -1320,13 +1613,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 24015, "osquery.result.action": "added", @@ -1347,13 +1646,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 24505, "osquery.result.action": "added", 
@@ -1374,13 +1679,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 24991, "osquery.result.action": "added", @@ -1401,13 +1712,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 25483, "osquery.result.action": "added", @@ -1428,13 +1745,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 25970, "osquery.result.action": "added", 
@@ -1455,13 +1778,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 26459, "osquery.result.action": "added", @@ -1482,13 +1811,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 26951, "osquery.result.action": "added", @@ -1509,13 +1844,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 27441, "osquery.result.action": "added", 
@@ -1536,13 +1877,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 27932, "osquery.result.action": "added", @@ -1563,13 +1910,31 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T17:06:29.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.accessed": "2018-01-08T17:06:06.000Z", + "file.created": "2018-01-08T17:06:01.000Z", + "file.directory": "/tmp/.font-unix", + "file.gid": "0", + "file.inode": "256622", + "file.mode": "0644", + "file.mtime": "2018-01-08T17:06:01.000Z", + "file.name": ".cinik", + "file.path": "/tmp/.font-unix/.cinik", + "file.size": "0", + "file.type": "regular", + "file.uid": "0", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 28420, "osquery.result.action": "added", 
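Review bot: `file.type` carries osquery's raw `type` column (`"regular"` in the last hunk here and again in the next hunk), which is not an ECS `file.type` value — ECS 1.5 defines that field as `file`, `dir` or `symlink`, so the value should be normalized (`regular` → `file`, `directory` → `dir`) before it is set. The same field is filled with add-on kinds (`webextension`, `extension`, `theme`) in the darwin hunks further down, which are not file types at all and would be better left under the `osquery.result.*` namespace. `file.size` is also emitted as the string `"0"` although the ECS field is a `long`; the ingest pipeline that produces these values is outside this chunk, and a `convert` processor there is presumably the place to fix both.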
@@ -1598,13 +1963,31 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_ossec-rootkit_slapper_installed", "osquery.result.unix_time": "1515431189", + "rule.name": "pack_ossec-rootkit_slapper_installed", "service.type": "osquery" }, { "@timestamp": "2018-01-08T17:19:48.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.accessed": "2018-01-08T17:19:03.000Z", + "file.created": "2018-01-08T17:19:03.000Z", + "file.directory": "/usr/bin", + "file.gid": "0", + "file.inode": "1919", + "file.mode": "0644", + "file.mtime": "2018-01-08T17:19:03.000Z", + "file.name": "adore", + "file.path": "/usr/bin/adore", + "file.size": "0", + "file.type": "regular", + "file.uid": "0", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 29019, "osquery.result.action": "added", @@ -1633,6 +2016,7 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_ossec-rootkit_adore_worm", "osquery.result.unix_time": "1515431988", + "rule.name": "pack_ossec-rootkit_adore_worm", "service.type": "osquery" } ] \ No newline at end of file diff --git a/filebeat/module/osquery/result/test/osqueryd.results.darwin.log-expected.json b/filebeat/module/osquery/result/test/osqueryd.results.darwin.log-expected.json index 040e01e6406b..7b7a06ee8462 100644 --- a/filebeat/module/osquery/result/test/osqueryd.results.darwin.log-expected.json +++ b/filebeat/module/osquery/result/test/osqueryd.results.darwin.log-expected.json 
@@ -1,9 +1,14 @@ [ { "@timestamp": "2017-12-28T14:39:50.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 0, "osquery.result.action": "added", @@ -16,13 +21,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_alf_explicit_auths", "osquery.result.unix_time": "1514471990", + "process.name": "org.python.python.app", + "rule.name": "pack_it-compliance_alf_explicit_auths", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:50.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 333, "osquery.result.action": "added", @@ -35,13 +47,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_alf_explicit_auths", "osquery.result.unix_time": "1514471990", + "process.name": "com.apple.ruby", + "rule.name": "pack_it-compliance_alf_explicit_auths", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:50.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 659, "osquery.result.action": "added", 
@@ -54,13 +73,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_alf_explicit_auths", "osquery.result.unix_time": "1514471990", + "process.name": "com.apple.a2p", + "rule.name": "pack_it-compliance_alf_explicit_auths", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:50.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 984, "osquery.result.action": "added", @@ -73,13 +99,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_alf_explicit_auths", "osquery.result.unix_time": "1514471990", + "process.name": "com.apple.javajdk16.cmd", + "rule.name": "pack_it-compliance_alf_explicit_auths", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:50.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 1319, "osquery.result.action": "added", 
@@ -92,13 +125,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_alf_explicit_auths", "osquery.result.unix_time": "1514471990", + "process.name": "com.apple.php", + "rule.name": "pack_it-compliance_alf_explicit_auths", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:50.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 1644, "osquery.result.action": "added", @@ -111,13 +151,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_alf_explicit_auths", "osquery.result.unix_time": "1514471990", + "process.name": "com.apple.nc", + "rule.name": "pack_it-compliance_alf_explicit_auths", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:50.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 1968, "osquery.result.action": "added", 
@@ -130,13 +177,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_alf_explicit_auths", "osquery.result.unix_time": "1514471990", + "process.name": "com.apple.ksh", + "rule.name": "pack_it-compliance_alf_explicit_auths", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:50.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 2293, "osquery.result.action": "added", @@ -151,13 +205,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_alf_services", "osquery.result.unix_time": "1514471990", + "process.name": "httpd", + "rule.name": "pack_it-compliance_alf_services", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:50.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 2649, "osquery.result.action": "added", 
@@ -172,13 +233,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_alf_services", "osquery.result.unix_time": "1514471990", + "process.name": "cupsd", + "rule.name": "pack_it-compliance_alf_services", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:50.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 3000, "osquery.result.action": "added", @@ -193,13 +261,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_alf_services", "osquery.result.unix_time": "1514471990", + "process.name": "AEServer", + "rule.name": "pack_it-compliance_alf_services", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:50.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 3358, "osquery.result.action": "added", 
@@ -214,13 +289,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_alf_services", "osquery.result.unix_time": "1514471990", + "process.name": "ftpd", + "rule.name": "pack_it-compliance_alf_services", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:50.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 3703, "osquery.result.action": "added", @@ -235,13 +317,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_alf_services", "osquery.result.unix_time": "1514471990", + "process.name": "AppleFileServer", + "rule.name": "pack_it-compliance_alf_services", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:50.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 4070, "osquery.result.action": "added", 
@@ -256,13 +345,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_alf_services", "osquery.result.unix_time": "1514471990", + "process.name": "sshd-keygen-wrapper", + "rule.name": "pack_it-compliance_alf_services", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:50.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 4438, "osquery.result.action": "added", @@ -277,13 +373,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_alf_services", "osquery.result.unix_time": "1514471990", + "process.name": "smbd", + "rule.name": "pack_it-compliance_alf_services", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:50.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 4786, "osquery.result.action": "added", 
@@ -298,13 +401,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_alf_services", "osquery.result.unix_time": "1514471990", + "process.name": "AppleVNCServer", + "rule.name": "pack_it-compliance_alf_services", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:50.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 5151, "osquery.result.action": "added", @@ -319,13 +429,25 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_alf_services", "osquery.result.unix_time": "1514471990", + "process.name": "ODSAgent", + "rule.name": "pack_it-compliance_alf_services", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.directory": "/Users/tsg", + "file.gid": "20", + "file.path": "", + "file.type": "webextension", + "file.uid": "501", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 5498, "osquery.result.action": "added", 
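Review bot: `file.path` is set to the empty string `""` in the last hunk here and in every firefox_addons event in the following hunks, so the mapping copies the osquery `path` column even when it is empty; an empty keyword value is still indexed and will satisfy `exists` queries and dashboards keyed on `file.path` without carrying any information. The processor that sets it should be guarded with an `if` condition that only fires when the source column is non-empty (the pipeline itself is outside this chunk). In the same events `file.directory` is `/Users/tsg` while `file.path` is empty, which is inconsistent on its face and suggests the addons table's `path` column is not the right source for this field.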
@@ -359,13 +481,25 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", - "service.type": "osquery" + "rule.name": "pack_it-compliance_firefox_addons", + "service.type": "osquery", + "url.full": "https://addons.cdn.mozilla.net/user-media/addons/8542/lastpass_password_manager-4.2.3.20-an+fx.xpi?filehash=sha256%3Acb837b4d738d51fac1d4361b7ac50cac1fc2828c2848057f10f88220aff77380" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.directory": "/Users/tsg", + "file.gid": "20", + "file.path": "", + "file.type": "extension", + "file.uid": "501", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 6464, "osquery.result.action": "added", @@ -399,13 +533,24 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_firefox_addons", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.directory": "/Users/tsg", + "file.gid": "20", + "file.path": "", + "file.type": "extension", + "file.uid": "501", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 7269, "osquery.result.action": "added", 
@@ -439,13 +584,24 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_firefox_addons", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.directory": "/Users/tsg", + "file.gid": "20", + "file.path": "", + "file.type": "extension", + "file.uid": "501", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 8065, "osquery.result.action": "added", @@ -479,13 +635,24 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_firefox_addons", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.directory": "/Users/tsg", + "file.gid": "20", + "file.path": "", + "file.type": "extension", + "file.uid": "501", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 8855, "osquery.result.action": "added", 
@@ -519,13 +686,24 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_firefox_addons", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.directory": "/Users/tsg", + "file.gid": "20", + "file.path": "", + "file.type": "extension", + "file.uid": "501", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 9609, "osquery.result.action": "added", @@ -559,13 +737,24 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_firefox_addons", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.directory": "/Users/tsg", + "file.gid": "20", + "file.path": "", + "file.type": "extension", + "file.uid": "501", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 10354, "osquery.result.action": "added", 
@@ -599,13 +788,24 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_firefox_addons", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.directory": "/Users/tsg", + "file.gid": "20", + "file.path": "", + "file.type": "extension", + "file.uid": "501", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 11165, "osquery.result.action": "added", @@ -639,13 +839,24 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_firefox_addons", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.directory": "/Users/tsg", + "file.gid": "20", + "file.path": "", + "file.type": "extension", + "file.uid": "501", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 11940, "osquery.result.action": "added", 
@@ -679,13 +890,24 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_firefox_addons", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.directory": "/Users/tsg", + "file.gid": "20", + "file.path": "", + "file.type": "extension", + "file.uid": "501", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 12829, "osquery.result.action": "added", @@ -719,13 +941,24 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_firefox_addons", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.directory": "/Users/tsg", + "file.gid": "20", + "file.path": "", + "file.type": "extension", + "file.uid": "501", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 13596, "osquery.result.action": "added", 
@@ -759,13 +992,24 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_firefox_addons", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.directory": "/Users/tsg", + "file.gid": "20", + "file.path": "", + "file.type": "theme", + "file.uid": "501", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 14348, "osquery.result.action": "added", @@ -799,13 +1043,24 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_firefox_addons", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.directory": "/Users/tsg", + "file.gid": "20", + "file.path": "", + "file.type": "extension", + "file.uid": "501", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 15100, "osquery.result.action": "added", 
@@ -839,13 +1094,21 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", - "service.type": "osquery" + "rule.name": "pack_it-compliance_firefox_addons", + "service.type": "osquery", + "url.full": "file:///var/folders/rl/ps6sz7995lq3kqz5v9bmwjlh0000gn/T/tmpaddon" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/ansible/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 16011, "osquery.result.action": "added", @@ -860,13 +1123,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/asio/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 16389, "osquery.result.action": "added", 
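Review bot: `host.hostname` is set to `192-168-0-4.rdsnet.ro`, the same value as `osquery.result.host_identifier`, and osquery's host identifier is configurable (hostname, uuid, ephemeral, instance or a specified string), so copying it unconditionally into host.hostname is only correct for fleets running in hostname mode and will otherwise put a UUID or random token into a field other modules fill with real hostnames, breaking host correlation. Consider documenting that assumption in the module, or only setting `host.hostname` when the identifier does not look like a UUID and leaving the raw value in the module field. The source of the `host.id` value in these events is not visible here, so it may already cover the uuid case.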
@@ -881,13 +1151,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/augeas/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 16760, "osquery.result.action": "added", @@ -902,13 +1179,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/awscli/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 17132, "osquery.result.action": "added", 
@@ -923,13 +1207,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/boost/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 17507, "osquery.result.action": "added", @@ -944,13 +1235,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/elasticsearch/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 17878, "osquery.result.action": "added", 
@@ -965,13 +1263,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/filebeat/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 18264, "osquery.result.action": "added", @@ -986,13 +1291,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/fontconfig/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 18640, "osquery.result.action": "added", 
@@ -1007,13 +1319,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/freetype/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 19021, "osquery.result.action": "added", @@ -1028,13 +1347,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/gd/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 19397, "osquery.result.action": "added", 
@@ -1049,13 +1375,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/gdbm/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 19761, "osquery.result.action": "added", @@ -1070,13 +1403,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/gettext/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 20128, "osquery.result.action": "added", 
@@ -1091,13 +1431,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/gflags/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 20505, "osquery.result.action": "added", @@ -1112,13 +1459,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/git-crypt/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 20877, "osquery.result.action": "added", 
@@ -1133,13 +1487,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/glog/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 21255, "osquery.result.action": "added", @@ -1154,13 +1515,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/go/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 21625, "osquery.result.action": "added", 
@@ -1175,13 +1543,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/go@1.8/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 21989, "osquery.result.action": "added", @@ -1196,13 +1571,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/gradle/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 22361, "osquery.result.action": "added", 
@@ -1217,13 +1599,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/graphviz/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 22731, "osquery.result.action": "added", @@ -1238,13 +1627,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/heartbeat/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 23108, "osquery.result.action": "added", 
@@ -1259,13 +1655,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/heartbeat/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 23486, "osquery.result.action": "added", @@ -1280,13 +1683,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/icu4c/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 23864, "osquery.result.action": "added", 
@@ -1301,13 +1711,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/jemalloc/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 24235, "osquery.result.action": "added", @@ -1322,13 +1739,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/jpeg/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 24611, "osquery.result.action": "added", 
@@ -1343,13 +1767,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/jq/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 24976, "osquery.result.action": "added", @@ -1364,13 +1795,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/libarchive/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 25340, "osquery.result.action": "added", 
@@ -1385,13 +1823,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/libevent/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 25720, "osquery.result.action": "added", @@ -1406,13 +1851,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/libmagic/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 26096, "osquery.result.action": "added", 
@@ -1427,13 +1879,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/libpng/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 26471, "osquery.result.action": "added", @@ -1448,13 +1907,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/librdkafka/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 26844, "osquery.result.action": "added", 
@@ -1469,13 +1935,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/libtermkey/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 27225, "osquery.result.action": "added", @@ -1490,13 +1963,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/libtiff/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 27604, "osquery.result.action": "added", 
@@ -1511,13 +1991,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/libtool/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 27980, "osquery.result.action": "added", @@ -1532,13 +2019,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/libuv/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 28356, "osquery.result.action": "added", 
@@ -1553,13 +2047,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/libvterm/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 28727, "osquery.result.action": "added", @@ -1574,13 +2075,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/libyaml/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 29101, "osquery.result.action": "added", 
@@ -1595,13 +2103,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/lldpd/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 29475, "osquery.result.action": "added", @@ -1616,13 +2131,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/lz4/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 29845, "osquery.result.action": "added", 
@@ -1637,13 +2159,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/lzlib/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 30211, "osquery.result.action": "added", @@ -1658,13 +2187,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/metricbeat/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 30579, "osquery.result.action": "added", 
@@ -1679,13 +2215,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/msgpack/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 30959, "osquery.result.action": "added", @@ -1700,13 +2243,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/neovim/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 31333, "osquery.result.action": "added", 
@@ -1721,13 +2271,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/nginx/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 31707, "osquery.result.action": "added", @@ -1742,13 +2299,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/node/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 32078, "osquery.result.action": "added", 
@@ -1763,13 +2327,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/nvm/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 32446, "osquery.result.action": "added", @@ -1784,13 +2355,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/oniguruma/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 32813, "osquery.result.action": "added", 
@@ -1805,13 +2383,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/openssl/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 33191, "osquery.result.action": "added", @@ -1826,13 +2411,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/openssl/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 33566, "osquery.result.action": "added", 
@@ -1847,13 +2439,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/openssl@1.1/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 33941, "osquery.result.action": "added", @@ -1868,13 +2467,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/osquery/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 34324, "osquery.result.action": "added", 
@@ -1889,13 +2495,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/pcre/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 34699, "osquery.result.action": "added", @@ -1910,13 +2523,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/perl/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 35066, "osquery.result.action": "added", 
@@ -1931,13 +2551,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/python/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 35435, "osquery.result.action": "added", @@ -1952,13 +2579,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/rapidjson/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 35810, "osquery.result.action": "added", 
@@ -1973,13 +2607,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/readline/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 36188, "osquery.result.action": "added", @@ -1994,13 +2635,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/redis/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 36566, "osquery.result.action": "added", 
@@ -2015,13 +2663,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/rocksdb/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 36936, "osquery.result.action": "added", @@ -2036,13 +2691,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/ruby/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 37310, "osquery.result.action": "added", 
@@ -2057,13 +2719,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/sleuthkit/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 37680, "osquery.result.action": "added", @@ -2078,13 +2747,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/snappy/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 38058, "osquery.result.action": "added", 
@@ -2099,13 +2775,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/sqlite/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 38430, "osquery.result.action": "added", @@ -2120,13 +2803,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/telnet/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 38803, "osquery.result.action": "added", 
@@ -2141,13 +2831,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/the_silver_searcher/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 39177, "osquery.result.action": "added", @@ -2162,13 +2859,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/tree/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 39575, "osquery.result.action": "added", 
@@ -2183,13 +2887,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/unibilium/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 39943, "osquery.result.action": "added", @@ -2204,13 +2915,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/vim/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 40321, "osquery.result.action": "added", 
@@ -2225,13 +2943,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/webp/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 40690, "osquery.result.action": "added", @@ -2246,13 +2971,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/xz/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 41060, "osquery.result.action": "added", 
@@ -2267,13 +2999,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/yara/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 41424, "osquery.result.action": "added", @@ -2288,13 +3027,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/zsh/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 41792, "osquery.result.action": "added", 
@@ -2309,13 +3055,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/zstd/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 42158, "osquery.result.action": "added", @@ -2330,6 +3083,7 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" } ] \ No newline at end of file diff --git a/filebeat/module/osquery/result/test/osqueryd.results.sample.log-expected.json b/filebeat/module/osquery/result/test/osqueryd.results.sample.log-expected.json index ae42a05155c2..5e98a6bc7c0a 100644 --- a/filebeat/module/osquery/result/test/osqueryd.results.sample.log-expected.json +++ b/filebeat/module/osquery/result/test/osqueryd.results.sample.log-expected.json @@ -1,9 +1,14 @@ [ { "@timestamp": "2017-12-07T12:21:20.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 0, "osquery.result.action": "added", 
@@ -21,13 +26,20 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "system_info", "osquery.result.unix_time": "1512649280", + "rule.name": "system_info", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:15.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.size": "73728", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 443, "osquery.result.action": "added", @@ -44,13 +56,20 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "rule.name": "pack_it-compliance_kernel_modules", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:15.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.size": "20480", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 822, "osquery.result.action": "added", @@ -67,13 +86,20 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "rule.name": "pack_it-compliance_kernel_modules", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:15.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.size": "974848", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 1203, "osquery.result.action": "added", 
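Review bot: `file.size` is emitted as the string `"73728"` (and `"20480"`, `"974848"` in the following events) in the new `pack_it-compliance_kernel_modules` expected output, while ECS defines `file.size` as a `long`; the pipeline appears to copy the osquery column value verbatim without a type conversion, the way `osquery.result.unix_time` is also left as a string. Relying on index-time coercion of numeric strings only works while the index template maps the field with `coerce` enabled, and any consumer reading the raw document (or a `keyword`-mapped fallback index) loses range queries and aggregations on the field. I would add a `convert` processor in `pipeline.json` — `{"convert": {"field": "file.size", "type": "long", "ignore_missing": true, "ignore_failure": true}}` — so the fixture becomes `"file.size": 73728`; the pipeline that produces these values is outside this hunk.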
@@ -90,13 +116,20 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "rule.name": "pack_it-compliance_kernel_modules", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:15.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.size": "49152", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 1583, "osquery.result.action": "added", @@ -113,13 +146,20 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "rule.name": "pack_it-compliance_kernel_modules", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:15.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.size": "40960", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 1965, "osquery.result.action": "added", @@ -136,13 +176,20 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "rule.name": "pack_it-compliance_kernel_modules", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:15.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.size": "20480", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 2346, "osquery.result.action": "added", 
@@ -159,13 +206,20 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "rule.name": "pack_it-compliance_kernel_modules", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:15.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.size": "16384", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 2727, "osquery.result.action": "added", @@ -182,13 +236,20 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "rule.name": "pack_it-compliance_kernel_modules", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:15.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.size": "16384", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 3113, "osquery.result.action": "added", @@ -205,13 +266,20 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "rule.name": "pack_it-compliance_kernel_modules", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:15.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.size": "286720", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 3498, "osquery.result.action": "added", 
@@ -228,13 +296,20 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "rule.name": "pack_it-compliance_kernel_modules", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:15.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.size": "32768", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 3889, "osquery.result.action": "added", @@ -251,13 +326,20 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "rule.name": "pack_it-compliance_kernel_modules", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:15.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.size": "40960", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 4275, "osquery.result.action": "added", @@ -274,13 +356,20 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "rule.name": "pack_it-compliance_kernel_modules", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:15.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.size": "49152", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 4656, "osquery.result.action": "added", 
@@ -297,13 +386,20 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "rule.name": "pack_it-compliance_kernel_modules", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:15.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.size": "49152", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 5054, "osquery.result.action": "added", @@ -320,13 +416,20 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "rule.name": "pack_it-compliance_kernel_modules", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:15.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.size": "49152", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 5437, "osquery.result.action": "added", @@ -343,13 +446,20 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "rule.name": "pack_it-compliance_kernel_modules", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:15.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.size": "45056", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 5826, "osquery.result.action": "added", 
@@ -366,13 +476,20 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "rule.name": "pack_it-compliance_kernel_modules", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:15.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.size": "45056", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 6213, "osquery.result.action": "added", @@ -389,13 +506,20 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "rule.name": "pack_it-compliance_kernel_modules", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:15.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.size": "36864", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 6600, "osquery.result.action": "added", @@ -412,13 +536,20 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "rule.name": "pack_it-compliance_kernel_modules", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:15.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.size": "49152", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 6993, "osquery.result.action": "added", 
@@ -435,13 +566,20 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "rule.name": "pack_it-compliance_kernel_modules", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:15.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.size": "106496", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 7385, "osquery.result.action": "added", @@ -458,13 +596,20 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "rule.name": "pack_it-compliance_kernel_modules", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:15.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.size": "16384", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 7808, "osquery.result.action": "added", @@ -481,13 +626,20 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "rule.name": "pack_it-compliance_kernel_modules", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:15.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.size": "20480", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 8205, "osquery.result.action": "added", 
@@ -504,13 +656,20 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "rule.name": "pack_it-compliance_kernel_modules",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.size": "24576",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 8590,
 "osquery.result.action": "added",
@@ -527,13 +686,20 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "rule.name": "pack_it-compliance_kernel_modules",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.size": "53248",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 8986,
 "osquery.result.action": "added",
@@ -550,13 +716,20 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "rule.name": "pack_it-compliance_kernel_modules",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.size": "98304",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 9399,
 "osquery.result.action": "added",
@@ -573,13 +746,20 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "rule.name": "pack_it-compliance_kernel_modules",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.size": "40960",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 9820,
 "osquery.result.action": "added",
@@ -596,13 +776,20 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "rule.name": "pack_it-compliance_kernel_modules",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.size": "991232",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 10203,
 "osquery.result.action": "added",
@@ -619,13 +806,20 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "rule.name": "pack_it-compliance_kernel_modules",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.size": "49152",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 10585,
 "osquery.result.action": "added",
@@ -642,13 +836,20 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "rule.name": "pack_it-compliance_kernel_modules",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.size": "110592",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 10967,
 "osquery.result.action": "added",
@@ -665,13 +866,20 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "rule.name": "pack_it-compliance_kernel_modules",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.size": "20480",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 11351,
 "osquery.result.action": "added",
@@ -688,13 +896,20 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "rule.name": "pack_it-compliance_kernel_modules",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.size": "16384",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 11750,
 "osquery.result.action": "added",
@@ -711,13 +926,20 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "rule.name": "pack_it-compliance_kernel_modules",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.size": "16384",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 12162,
 "osquery.result.action": "added",
@@ -734,13 +956,20 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "rule.name": "pack_it-compliance_kernel_modules",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.size": "16384",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 12570,
 "osquery.result.action": "added",
@@ -757,13 +986,20 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "rule.name": "pack_it-compliance_kernel_modules",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.size": "16384",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 12988,
 "osquery.result.action": "added",
@@ -780,13 +1016,20 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "rule.name": "pack_it-compliance_kernel_modules",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.size": "24576",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 13428,
 "osquery.result.action": "added",
@@ -803,13 +1046,20 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "rule.name": "pack_it-compliance_kernel_modules",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.size": "102400",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 13821,
 "osquery.result.action": "added",
@@ -826,13 +1076,20 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "rule.name": "pack_it-compliance_kernel_modules",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.size": "16384",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 14245,
 "osquery.result.action": "added",
@@ -849,13 +1106,20 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "rule.name": "pack_it-compliance_kernel_modules",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.size": "36864",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 14640,
 "osquery.result.action": "added",
@@ -872,13 +1136,20 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "rule.name": "pack_it-compliance_kernel_modules",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.size": "20480",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 15021,
 "osquery.result.action": "added",
@@ -895,13 +1166,20 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "rule.name": "pack_it-compliance_kernel_modules",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.size": "16384",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 15402,
 "osquery.result.action": "added",
@@ -918,13 +1196,20 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "rule.name": "pack_it-compliance_kernel_modules",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.size": "16384",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 15787,
 "osquery.result.action": "added",
@@ -941,13 +1226,20 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "rule.name": "pack_it-compliance_kernel_modules",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.size": "16384",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 16169,
 "osquery.result.action": "added",
@@ -964,13 +1256,20 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "rule.name": "pack_it-compliance_kernel_modules",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.size": "16384",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 16561,
 "osquery.result.action": "added",
@@ -987,13 +1286,20 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "rule.name": "pack_it-compliance_kernel_modules",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.size": "16384",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 16949,
 "osquery.result.action": "added",
@@ -1010,13 +1316,20 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "rule.name": "pack_it-compliance_kernel_modules",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.size": "167936",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 17344,
 "osquery.result.action": "added",
@@ -1033,13 +1346,20 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "rule.name": "pack_it-compliance_kernel_modules",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.size": "20480",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 17732,
 "osquery.result.action": "added",
@@ -1056,13 +1376,20 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "rule.name": "pack_it-compliance_kernel_modules",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.size": "16384",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 18128,
 "osquery.result.action": "added",
@@ -1079,13 +1406,20 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "rule.name": "pack_it-compliance_kernel_modules",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.size": "16384",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 18517,
 "osquery.result.action": "added",
@@ -1102,13 +1436,20 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "rule.name": "pack_it-compliance_kernel_modules",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.size": "16384",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 18903,
 "osquery.result.action": "added",
@@ -1125,13 +1466,20 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "rule.name": "pack_it-compliance_kernel_modules",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.size": "16384",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 19300,
 "osquery.result.action": "added",
@@ -1148,13 +1496,20 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "rule.name": "pack_it-compliance_kernel_modules",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.size": "24576",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 19697,
 "osquery.result.action": "added",
@@ -1171,13 +1526,20 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "rule.name": "pack_it-compliance_kernel_modules",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.size": "32768",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 20079,
 "osquery.result.action": "added",
@@ -1194,13 +1556,20 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "rule.name": "pack_it-compliance_kernel_modules",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.size": "40960",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 20478,
 "osquery.result.action": "added",
@@ -1217,13 +1586,20 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "rule.name": "pack_it-compliance_kernel_modules",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.size": "20480",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 20867,
 "osquery.result.action": "added",
@@ -1240,13 +1616,20 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "rule.name": "pack_it-compliance_kernel_modules",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.size": "131072",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 21291,
 "osquery.result.action": "added",
@@ -1263,13 +1646,20 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "rule.name": "pack_it-compliance_kernel_modules",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.size": "102400",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 21675,
 "osquery.result.action": "added",
@@ -1286,13 +1676,20 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "rule.name": "pack_it-compliance_kernel_modules",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.size": "135168",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 22073,
 "osquery.result.action": "added",
@@ -1309,13 +1706,21 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "rule.name": "pack_it-compliance_kernel_modules",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:18.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.type": "",
+ "file.uid": "",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 22455,
 "osquery.result.action": "added",
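Review bot: The hunk at +1706 sets `"file.type": ""` and `"file.uid": ""` from osquery columns that are evidently empty in the source record, and the same pair of empty values repeats in every disk_encryption and osquery_info hunk on the following lines through +2300. Copying an empty string into an ECS field populates `file.*` with a value that carries no information, and for `file.uid` an empty owner will still match exact-term searches and show up in aggregations as a distinct bucket. The copy in the ingest pipeline should be guarded so the target is only set when the column is present and non-empty (null or `""` skipped), after which these expected records would simply omit both lines. The pipeline.json that performs the copy is outside this hunk.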
@@ -1333,13 +1738,21 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_disk_encryption",
 "osquery.result.unix_time": "1512669438",
+ "rule.name": "pack_it-compliance_disk_encryption",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:18.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.type": "",
+ "file.uid": "",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 22826,
 "osquery.result.action": "added",
@@ -1357,13 +1770,21 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_disk_encryption",
 "osquery.result.unix_time": "1512669438",
+ "rule.name": "pack_it-compliance_disk_encryption",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:18.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.type": "",
+ "file.uid": "",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 23234,
 "osquery.result.action": "added",
@@ -1381,13 +1802,21 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_disk_encryption",
 "osquery.result.unix_time": "1512669438",
+ "rule.name": "pack_it-compliance_disk_encryption",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:18.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.type": "",
+ "file.uid": "",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 23627,
 "osquery.result.action": "added",
@@ -1405,13 +1834,21 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_disk_encryption",
 "osquery.result.unix_time": "1512669438",
+ "rule.name": "pack_it-compliance_disk_encryption",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:18.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.type": "",
+ "file.uid": "",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 24000,
 "osquery.result.action": "added",
@@ -1429,13 +1866,21 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_disk_encryption",
 "osquery.result.unix_time": "1512669438",
+ "rule.name": "pack_it-compliance_disk_encryption",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:18.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.type": "",
+ "file.uid": "",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 24373,
 "osquery.result.action": "added",
@@ -1453,13 +1898,21 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_disk_encryption",
 "osquery.result.unix_time": "1512669438",
+ "rule.name": "pack_it-compliance_disk_encryption",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:18.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.type": "",
+ "file.uid": "",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 24746,
 "osquery.result.action": "added",
@@ -1477,13 +1930,21 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_disk_encryption",
 "osquery.result.unix_time": "1512669438",
+ "rule.name": "pack_it-compliance_disk_encryption",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:18.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.type": "",
+ "file.uid": "",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 25119,
 "osquery.result.action": "added",
@@ -1501,13 +1962,21 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_disk_encryption",
 "osquery.result.unix_time": "1512669438",
+ "rule.name": "pack_it-compliance_disk_encryption",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:18.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.type": "",
+ "file.uid": "",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 25492,
 "osquery.result.action": "added",
@@ -1525,13 +1994,21 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_disk_encryption",
 "osquery.result.unix_time": "1512669438",
+ "rule.name": "pack_it-compliance_disk_encryption",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:18.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.type": "",
+ "file.uid": "",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 25865,
 "osquery.result.action": "added",
@@ -1549,13 +2026,21 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_disk_encryption",
 "osquery.result.unix_time": "1512669438",
+ "rule.name": "pack_it-compliance_disk_encryption",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:18.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.type": "",
+ "file.uid": "",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 26238,
 "osquery.result.action": "added",
@@ -1573,13 +2058,19 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_disk_encryption",
 "osquery.result.unix_time": "1512669438",
+ "rule.name": "pack_it-compliance_disk_encryption",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:18.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 26611,
 "osquery.result.action": "added",
@@ -1600,13 +2091,19 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_os_version",
 "osquery.result.unix_time": "1512669438",
+ "rule.name": "pack_it-compliance_os_version",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:18.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 27065,
 "osquery.result.action": "added",
@@ -1643,13 +2140,21 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_osquery_info",
 "osquery.result.unix_time": "1512669438",
+ "rule.name": "pack_it-compliance_osquery_info",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:19.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.type": "",
+ "file.uid": "",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 27975,
 "osquery.result.action": "added",
@@ -1667,13 +2172,21 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_disk_encryption",
 "osquery.result.unix_time": "1512669439",
+ "rule.name": "pack_it-compliance_disk_encryption",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:19.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.type": "",
+ "file.uid": "",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 28346,
 "osquery.result.action": "added",
@@ -1691,13 +2204,21 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669439", + "rule.name": "pack_it-compliance_disk_encryption", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:19.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.type": "", + "file.uid": "", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 28754, "osquery.result.action": "added", @@ -1715,13 +2236,21 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669439", + "rule.name": "pack_it-compliance_disk_encryption", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:19.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.type": "", + "file.uid": "", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 29147, "osquery.result.action": "added", 
@@ -1739,13 +2268,21 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669439", + "rule.name": "pack_it-compliance_disk_encryption", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:19.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.type": "", + "file.uid": "", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 29520, "osquery.result.action": "added", @@ -1763,13 +2300,21 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669439", + "rule.name": "pack_it-compliance_disk_encryption", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:19.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.type": "", + "file.uid": "", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 29893, "osquery.result.action": "added", 
@@ -1787,13 +2332,21 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669439", + "rule.name": "pack_it-compliance_disk_encryption", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:19.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.type": "", + "file.uid": "", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 30266, "osquery.result.action": "added", @@ -1811,13 +2364,21 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669439", + "rule.name": "pack_it-compliance_disk_encryption", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:19.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.type": "", + "file.uid": "", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 30639, "osquery.result.action": "added", 
@@ -1835,13 +2396,21 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669439", + "rule.name": "pack_it-compliance_disk_encryption", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:19.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.type": "", + "file.uid": "", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 31012, "osquery.result.action": "added", @@ -1859,13 +2428,21 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669439", + "rule.name": "pack_it-compliance_disk_encryption", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:19.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.type": "", + "file.uid": "", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 31385, "osquery.result.action": "added", 
@@ -1883,13 +2460,21 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669439", + "rule.name": "pack_it-compliance_disk_encryption", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:19.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.type": "", + "file.uid": "", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 31758, "osquery.result.action": "added", @@ -1907,13 +2492,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669439", + "rule.name": "pack_it-compliance_disk_encryption", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:19.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 32131, "osquery.result.action": "added", @@ -1934,13 +2525,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_os_version", "osquery.result.unix_time": "1512669439", + "rule.name": "pack_it-compliance_os_version", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:19.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 32585, "osquery.result.action": "added", 
@@ -1977,13 +2574,21 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_osquery_info", "osquery.result.unix_time": "1512669439", + "rule.name": "pack_it-compliance_osquery_info", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:21.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/sys", + "file.type": "sysfs", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 33499, "osquery.result.action": "added", @@ -2006,13 +2611,21 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "rule.name": "pack_it-compliance_mounts", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:21.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/proc", + "file.type": "proc", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 33999, "osquery.result.action": "added", 
@@ -2035,13 +2648,21 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "rule.name": "pack_it-compliance_mounts", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:21.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/dev", + "file.type": "devtmpfs", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 34499, "osquery.result.action": "added", @@ -2064,13 +2685,21 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "rule.name": "pack_it-compliance_mounts", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:21.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/dev/pts", + "file.type": "devpts", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 35051, "osquery.result.action": "added", @@ -2093,13 +2722,21 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "rule.name": "pack_it-compliance_mounts", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:21.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/run", + "file.type": "tmpfs", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 35581, "osquery.result.action": "added", 
@@ -2122,13 +2759,21 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "rule.name": "pack_it-compliance_mounts", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:21.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/", + "file.type": "ext4", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 36119, "osquery.result.action": "added", @@ -2151,13 +2796,21 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "rule.name": "pack_it-compliance_mounts", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:21.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/sys/kernel/security", + "file.type": "securityfs", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 36650, "osquery.result.action": "added", 
@@ -2180,13 +2833,21 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "rule.name": "pack_it-compliance_mounts", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:21.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/dev/shm", + "file.type": "tmpfs", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 37183, "osquery.result.action": "added", @@ -2209,13 +2870,21 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "rule.name": "pack_it-compliance_mounts", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:21.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/run/lock", + "file.type": "tmpfs", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 37697, "osquery.result.action": "added", 
@@ -2238,13 +2907,21 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "rule.name": "pack_it-compliance_mounts", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:21.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/sys/fs/cgroup", + "file.type": "tmpfs", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 38233, "osquery.result.action": "added", @@ -2267,13 +2944,21 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "rule.name": "pack_it-compliance_mounts", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:21.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/sys/fs/cgroup/systemd", + "file.type": "cgroup", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 38770, "osquery.result.action": "added", 
@@ -2296,13 +2981,21 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "rule.name": "pack_it-compliance_mounts", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:21.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/sys/fs/pstore", + "file.type": "pstore", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 39365, "osquery.result.action": "added", @@ -2325,13 +3018,21 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "rule.name": "pack_it-compliance_mounts", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:21.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/sys/fs/cgroup/cpu,cpuacct", + "file.type": "cgroup", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 39880, "osquery.result.action": "added", 
@@ -2354,13 +3055,21 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "rule.name": "pack_it-compliance_mounts", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:21.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/sys/fs/cgroup/perf_event", + "file.type": "cgroup", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 40420, "osquery.result.action": "added", @@ -2383,13 +3092,21 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "rule.name": "pack_it-compliance_mounts", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:21.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/sys/fs/cgroup/pids", + "file.type": "cgroup", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 40958, "osquery.result.action": "added", 
@@ -2412,13 +3129,21 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "rule.name": "pack_it-compliance_mounts", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:21.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/sys/fs/cgroup/cpuset", + "file.type": "cgroup", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 41484, "osquery.result.action": "added", @@ -2441,13 +3166,21 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "rule.name": "pack_it-compliance_mounts", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:21.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/sys/fs/cgroup/blkio", + "file.type": "cgroup", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 42014, "osquery.result.action": "added", @@ -2470,6 +3203,7 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "rule.name": "pack_it-compliance_mounts", "service.type": "osquery" } ] \ No newline at end of file diff --git a/filebeat/module/osquery/result/test/test.log-expected.json b/filebeat/module/osquery/result/test/test.log-expected.json index f529f0d18ce9..1051a6d64a8b 100644 --- a/filebeat/module/osquery/result/test/test.log-expected.json +++ b/filebeat/module/osquery/result/test/test.log-expected.json 
@@ -1,9 +1,16 @@ [ { "@timestamp": "2017-12-28T14:40:08.000Z", + "event.action": "removed", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/private/var/vm", + "file.type": "apfs", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 0, "osquery.result.action": "removed", @@ -26,6 +33,7 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1514472008", + "rule.name": "pack_it-compliance_mounts", "service.type": "osquery" } ] \ No newline at end of file From ace775acc5e49d1e1cf4f92bc97f7c74b215eb6d Mon Sep 17 00:00:00 2001 From: "Lee E. Hinman" Date: Tue, 5 May 2020 13:32:02 -0500 Subject: [PATCH 2/2] Update golden files --- .../test/osquery.rootkit.log-expected.json | 360 +++++++++-- .../osqueryd.results.darwin.log-expected.json | 600 +++++++++++++++--- .../osqueryd.results.sample.log-expected.json | 600 +++++++++++++++--- .../result/test/test.log-expected.json | 6 +- 4 files changed, 1305 insertions(+), 261 deletions(-) diff --git a/filebeat/module/osquery/result/test/osquery.rootkit.log-expected.json b/filebeat/module/osquery/result/test/osquery.rootkit.log-expected.json index 5e03b82457b1..bedd286615d9 100644 --- a/filebeat/module/osquery/result/test/osquery.rootkit.log-expected.json +++ b/filebeat/module/osquery/result/test/osquery.rootkit.log-expected.json @@ -29,8 +29,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_osquery-monitoring_schedule", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2018-01-08T14:51:55.000Z", 
@@ -62,8 +66,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_osquery-monitoring_schedule", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2018-01-08T14:51:55.000Z", @@ -95,8 +103,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_osquery-monitoring_schedule", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2018-01-08T14:51:55.000Z", @@ -128,8 +140,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_osquery-monitoring_schedule", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2018-01-08T14:51:55.000Z", @@ -161,8 +177,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_osquery-monitoring_schedule", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2018-01-08T14:51:55.000Z", @@ -194,8 +214,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_osquery-monitoring_schedule", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2018-01-08T14:51:55.000Z", 
@@ -227,8 +251,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_osquery-monitoring_schedule", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2018-01-08T14:51:55.000Z", @@ -260,8 +288,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_osquery-monitoring_schedule", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2018-01-08T14:51:55.000Z", @@ -293,8 +325,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_osquery-monitoring_schedule", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2018-01-08T14:51:55.000Z", @@ -326,8 +362,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_osquery-monitoring_schedule", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2018-01-08T14:51:55.000Z", @@ -359,8 +399,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_osquery-monitoring_schedule", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2018-01-08T14:51:55.000Z", 
@@ -392,8 +436,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_osquery-monitoring_schedule", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2018-01-08T14:51:55.000Z", @@ -425,8 +473,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_osquery-monitoring_schedule", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2018-01-08T14:51:55.000Z", @@ -458,8 +510,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_osquery-monitoring_schedule", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2018-01-08T14:51:55.000Z", @@ -491,8 +547,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_osquery-monitoring_schedule", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2018-01-08T14:51:55.000Z", @@ -524,8 +584,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_osquery-monitoring_schedule", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2018-01-08T14:51:55.000Z", 
@@ -557,8 +621,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_osquery-monitoring_schedule", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2018-01-08T14:51:55.000Z", @@ -590,8 +658,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_osquery-monitoring_schedule", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2018-01-08T14:51:55.000Z", @@ -623,8 +695,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_osquery-monitoring_schedule", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2018-01-08T14:51:55.000Z", @@ -656,8 +732,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_osquery-monitoring_schedule", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2018-01-08T14:51:55.000Z", @@ -689,8 +769,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_osquery-monitoring_schedule", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2018-01-08T14:51:55.000Z", 
@@ -722,8 +806,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_osquery-monitoring_schedule", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2018-01-08T14:51:55.000Z", @@ -755,8 +843,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_osquery-monitoring_schedule", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2018-01-08T14:51:55.000Z", @@ -788,8 +880,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_osquery-monitoring_schedule", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2018-01-08T14:51:55.000Z", @@ -821,8 +917,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_osquery-monitoring_schedule", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2018-01-08T14:51:55.000Z", @@ -854,8 +954,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_osquery-monitoring_schedule", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2018-01-08T14:51:55.000Z", 
@@ -887,8 +991,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_osquery-monitoring_schedule", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2018-01-08T14:51:55.000Z", @@ -920,8 +1028,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_osquery-monitoring_schedule", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2018-01-08T14:51:55.000Z", @@ -953,8 +1065,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_osquery-monitoring_schedule", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2018-01-08T14:51:55.000Z", @@ -986,8 +1102,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_osquery-monitoring_schedule", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2018-01-08T14:51:55.000Z", @@ -1019,8 +1139,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_osquery-monitoring_schedule", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2018-01-08T14:51:55.000Z", 
@@ -1052,8 +1176,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_osquery-monitoring_schedule", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2018-01-08T14:51:55.000Z", @@ -1085,8 +1213,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_osquery-monitoring_schedule", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2018-01-08T14:51:55.000Z", @@ -1118,8 +1250,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_osquery-monitoring_schedule", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2018-01-08T14:51:55.000Z", @@ -1151,8 +1287,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_osquery-monitoring_schedule", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2018-01-08T14:51:55.000Z", @@ -1184,8 +1324,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_osquery-monitoring_schedule", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2018-01-08T14:51:55.000Z", 
@@ -1217,8 +1361,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_osquery-monitoring_schedule", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2018-01-08T14:51:55.000Z", @@ -1250,8 +1398,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_osquery-monitoring_schedule", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2018-01-08T14:51:55.000Z", @@ -1283,8 +1435,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_osquery-monitoring_schedule", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2018-01-08T14:51:55.000Z", @@ -1316,8 +1472,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_osquery-monitoring_schedule", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2018-01-08T14:51:55.000Z", @@ -1349,8 +1509,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_osquery-monitoring_schedule", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2018-01-08T14:51:55.000Z", 
@@ -1382,8 +1546,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_osquery-monitoring_schedule", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2018-01-08T14:51:55.000Z", @@ -1415,8 +1583,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_osquery-monitoring_schedule", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2018-01-08T14:51:55.000Z", @@ -1448,8 +1620,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_osquery-monitoring_schedule", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2018-01-08T14:51:55.000Z", @@ -1481,8 +1657,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_osquery-monitoring_schedule", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2018-01-08T14:51:55.000Z", @@ -1514,8 +1694,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_osquery-monitoring_schedule", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2018-01-08T14:51:55.000Z", 
@@ -1547,8 +1731,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_osquery-monitoring_schedule", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2018-01-08T14:51:55.000Z", @@ -1580,8 +1768,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_osquery-monitoring_schedule", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2018-01-08T14:51:55.000Z", @@ -1613,8 +1805,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_osquery-monitoring_schedule", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2018-01-08T14:51:55.000Z", @@ -1646,8 +1842,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_osquery-monitoring_schedule", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2018-01-08T14:51:55.000Z", @@ -1679,8 +1879,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_osquery-monitoring_schedule", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2018-01-08T14:51:55.000Z", 
@@ -1712,8 +1916,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_osquery-monitoring_schedule", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2018-01-08T14:51:55.000Z", @@ -1745,8 +1953,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_osquery-monitoring_schedule", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2018-01-08T14:51:55.000Z", @@ -1778,8 +1990,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_osquery-monitoring_schedule", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2018-01-08T14:51:55.000Z", @@ -1811,8 +2027,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_osquery-monitoring_schedule", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2018-01-08T14:51:55.000Z", @@ -1844,8 +2064,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_osquery-monitoring_schedule", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2018-01-08T14:51:55.000Z", 
@@ -1877,8 +2101,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_osquery-monitoring_schedule", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2018-01-08T14:51:55.000Z", @@ -1910,8 +2138,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_osquery-monitoring_schedule", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2018-01-08T17:06:29.000Z", @@ -1963,8 +2195,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_ossec-rootkit_slapper_installed", "osquery.result.unix_time": "1515431189", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_ossec-rootkit_slapper_installed", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2018-01-08T17:19:48.000Z", @@ -2016,7 +2252,11 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_ossec-rootkit_adore_worm", "osquery.result.unix_time": "1515431988", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_ossec-rootkit_adore_worm", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" } ] \ No newline at end of file diff --git a/filebeat/module/osquery/result/test/osqueryd.results.darwin.log-expected.json b/filebeat/module/osquery/result/test/osqueryd.results.darwin.log-expected.json index 7b7a06ee8462..9a892288d5ff 100644 --- a/filebeat/module/osquery/result/test/osqueryd.results.darwin.log-expected.json +++ b/filebeat/module/osquery/result/test/osqueryd.results.darwin.log-expected.json 
@@ -22,8 +22,12 @@ "osquery.result.name": "pack_it-compliance_alf_explicit_auths", "osquery.result.unix_time": "1514471990", "process.name": "org.python.python.app", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_alf_explicit_auths", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:50.000Z", @@ -48,8 +52,12 @@ "osquery.result.name": "pack_it-compliance_alf_explicit_auths", "osquery.result.unix_time": "1514471990", "process.name": "com.apple.ruby", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_alf_explicit_auths", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:50.000Z", @@ -74,8 +82,12 @@ "osquery.result.name": "pack_it-compliance_alf_explicit_auths", "osquery.result.unix_time": "1514471990", "process.name": "com.apple.a2p", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_alf_explicit_auths", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:50.000Z", @@ -100,8 +112,12 @@ "osquery.result.name": "pack_it-compliance_alf_explicit_auths", "osquery.result.unix_time": "1514471990", "process.name": "com.apple.javajdk16.cmd", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_alf_explicit_auths", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:50.000Z", @@ -126,8 +142,12 @@ "osquery.result.name": "pack_it-compliance_alf_explicit_auths", "osquery.result.unix_time": "1514471990", "process.name": "com.apple.php", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_alf_explicit_auths", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:50.000Z", 
@@ -152,8 +172,12 @@ "osquery.result.name": "pack_it-compliance_alf_explicit_auths", "osquery.result.unix_time": "1514471990", "process.name": "com.apple.nc", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_alf_explicit_auths", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:50.000Z", @@ -178,8 +202,12 @@ "osquery.result.name": "pack_it-compliance_alf_explicit_auths", "osquery.result.unix_time": "1514471990", "process.name": "com.apple.ksh", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_alf_explicit_auths", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:50.000Z", @@ -206,8 +234,12 @@ "osquery.result.name": "pack_it-compliance_alf_services", "osquery.result.unix_time": "1514471990", "process.name": "httpd", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_alf_services", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:50.000Z", @@ -234,8 +266,12 @@ "osquery.result.name": "pack_it-compliance_alf_services", "osquery.result.unix_time": "1514471990", "process.name": "cupsd", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_alf_services", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:50.000Z", @@ -262,8 +298,12 @@ "osquery.result.name": "pack_it-compliance_alf_services", "osquery.result.unix_time": "1514471990", "process.name": "AEServer", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_alf_services", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:50.000Z", 
@@ -290,8 +330,12 @@ "osquery.result.name": "pack_it-compliance_alf_services", "osquery.result.unix_time": "1514471990", "process.name": "ftpd", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_alf_services", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:50.000Z", @@ -318,8 +362,12 @@ "osquery.result.name": "pack_it-compliance_alf_services", "osquery.result.unix_time": "1514471990", "process.name": "AppleFileServer", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_alf_services", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:50.000Z", @@ -346,8 +394,12 @@ "osquery.result.name": "pack_it-compliance_alf_services", "osquery.result.unix_time": "1514471990", "process.name": "sshd-keygen-wrapper", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_alf_services", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:50.000Z", @@ -374,8 +426,12 @@ "osquery.result.name": "pack_it-compliance_alf_services", "osquery.result.unix_time": "1514471990", "process.name": "smbd", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_alf_services", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:50.000Z", @@ -402,8 +458,12 @@ "osquery.result.name": "pack_it-compliance_alf_services", "osquery.result.unix_time": "1514471990", "process.name": "AppleVNCServer", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_alf_services", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:50.000Z", 
@@ -430,8 +490,12 @@ "osquery.result.name": "pack_it-compliance_alf_services", "osquery.result.unix_time": "1514471990", "process.name": "ODSAgent", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_alf_services", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -481,9 +545,13 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_firefox_addons", "service.type": "osquery", - "url.full": "https://addons.cdn.mozilla.net/user-media/addons/8542/lastpass_password_manager-4.2.3.20-an+fx.xpi?filehash=sha256%3Acb837b4d738d51fac1d4361b7ac50cac1fc2828c2848057f10f88220aff77380" + "url.full": "https://addons.cdn.mozilla.net/user-media/addons/8542/lastpass_password_manager-4.2.3.20-an+fx.xpi?filehash=sha256%3Acb837b4d738d51fac1d4361b7ac50cac1fc2828c2848057f10f88220aff77380", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -533,8 +601,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_firefox_addons", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -584,8 +656,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_firefox_addons", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", 
@@ -635,8 +711,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_firefox_addons", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -686,8 +766,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_firefox_addons", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -737,8 +821,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_firefox_addons", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -788,8 +876,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_firefox_addons", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -839,8 +931,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_firefox_addons", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", 
@@ -890,8 +986,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_firefox_addons", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -941,8 +1041,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_firefox_addons", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -992,8 +1096,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_firefox_addons", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -1043,8 +1151,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_firefox_addons", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", 
@@ -1094,9 +1206,13 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_firefox_addons", "service.type": "osquery", - "url.full": "file:///var/folders/rl/ps6sz7995lq3kqz5v9bmwjlh0000gn/T/tmpaddon" + "url.full": "file:///var/folders/rl/ps6sz7995lq3kqz5v9bmwjlh0000gn/T/tmpaddon", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -1123,8 +1239,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -1151,8 +1271,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -1179,8 +1303,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", 
@@ -1207,8 +1335,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -1235,8 +1367,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -1263,8 +1399,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -1291,8 +1431,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -1319,8 +1463,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", 
@@ -1347,8 +1495,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -1375,8 +1527,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -1403,8 +1559,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -1431,8 +1591,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -1459,8 +1623,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", 
@@ -1487,8 +1655,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -1515,8 +1687,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -1543,8 +1719,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -1571,8 +1751,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -1599,8 +1783,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", 
@@ -1627,8 +1815,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -1655,8 +1847,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -1683,8 +1879,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -1711,8 +1911,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -1739,8 +1943,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", 
@@ -1767,8 +1975,12 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_homebrew_packages",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
@@ -1795,8 +2007,12 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_homebrew_packages",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
@@ -1823,8 +2039,12 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_homebrew_packages",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
@@ -1851,8 +2071,12 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_homebrew_packages",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
@@ -1879,8 +2103,12 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_homebrew_packages",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
@@ -1907,8 +2135,12 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_homebrew_packages",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
@@ -1935,8 +2167,12 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_homebrew_packages",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
@@ -1963,8 +2199,12 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_homebrew_packages",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
@@ -1991,8 +2231,12 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_homebrew_packages",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
@@ -2019,8 +2263,12 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_homebrew_packages",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
@@ -2047,8 +2295,12 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_homebrew_packages",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
@@ -2075,8 +2327,12 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_homebrew_packages",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
@@ -2103,8 +2359,12 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_homebrew_packages",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
@@ -2131,8 +2391,12 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_homebrew_packages",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
@@ -2159,8 +2423,12 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_homebrew_packages",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
@@ -2187,8 +2455,12 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_homebrew_packages",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
@@ -2215,8 +2487,12 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_homebrew_packages",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
@@ -2243,8 +2519,12 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_homebrew_packages",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
@@ -2271,8 +2551,12 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_homebrew_packages",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
@@ -2299,8 +2583,12 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_homebrew_packages",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
@@ -2327,8 +2615,12 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_homebrew_packages",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
@@ -2355,8 +2647,12 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_homebrew_packages",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
@@ -2383,8 +2679,12 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_homebrew_packages",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
@@ -2411,8 +2711,12 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_homebrew_packages",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
@@ -2439,8 +2743,12 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_homebrew_packages",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
@@ -2467,8 +2775,12 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_homebrew_packages",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
@@ -2495,8 +2807,12 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_homebrew_packages",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
@@ -2523,8 +2839,12 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_homebrew_packages",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
@@ -2551,8 +2871,12 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_homebrew_packages",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
@@ -2579,8 +2903,12 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_homebrew_packages",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
@@ -2607,8 +2935,12 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_homebrew_packages",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
@@ -2635,8 +2967,12 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_homebrew_packages",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
@@ -2663,8 +2999,12 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_homebrew_packages",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
@@ -2691,8 +3031,12 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_homebrew_packages",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
@@ -2719,8 +3063,12 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_homebrew_packages",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
@@ -2747,8 +3095,12 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_homebrew_packages",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
@@ -2775,8 +3127,12 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_homebrew_packages",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
@@ -2803,8 +3159,12 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_homebrew_packages",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
@@ -2831,8 +3191,12 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_homebrew_packages",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
@@ -2859,8 +3223,12 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_homebrew_packages",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
@@ -2887,8 +3255,12 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_homebrew_packages",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
@@ -2915,8 +3287,12 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_homebrew_packages",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
@@ -2943,8 +3319,12 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_homebrew_packages",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
@@ -2971,8 +3351,12 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_homebrew_packages",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
@@ -2999,8 +3383,12 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_homebrew_packages",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
@@ -3027,8 +3415,12 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_homebrew_packages",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
@@ -3055,8 +3447,12 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_homebrew_packages",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
@@ -3083,7 +3479,11 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_homebrew_packages",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 }
 ]
\ No newline at end of file
diff --git a/filebeat/module/osquery/result/test/osqueryd.results.sample.log-expected.json b/filebeat/module/osquery/result/test/osqueryd.results.sample.log-expected.json
index 5e98a6bc7c0a..30f8ae2259bf 100644
--- a/filebeat/module/osquery/result/test/osqueryd.results.sample.log-expected.json
+++ b/filebeat/module/osquery/result/test/osqueryd.results.sample.log-expected.json
@@ -26,8 +30,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "system_info",
 "osquery.result.unix_time": "1512649280",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "system_info",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -56,8 +60,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -86,8 +94,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -116,8 +128,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -146,8 +162,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -176,8 +196,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -206,8 +230,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -236,8 +264,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -266,8 +298,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -296,8 +332,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -326,8 +366,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -356,8 +400,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -386,8 +434,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -416,8 +468,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -446,8 +502,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -476,8 +536,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -506,8 +570,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -536,8 +604,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -566,8 +638,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -596,8 +672,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -626,8 +706,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -656,8 +740,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -686,8 +774,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -716,8 +808,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -746,8 +842,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -776,8 +876,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -806,8 +910,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -836,8 +944,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -866,8 +978,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -896,8 +1012,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -926,8 +1046,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -956,8 +1080,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -986,8 +1114,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -1016,8 +1148,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -1046,8 +1182,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -1076,8 +1216,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -1106,8 +1250,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -1136,8 +1284,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -1166,8 +1318,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -1196,8 +1352,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -1226,8 +1386,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -1256,8 +1420,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -1286,8 +1454,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -1316,8 +1488,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -1346,8 +1522,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -1376,8 +1556,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -1406,8 +1590,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -1436,8 +1624,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -1466,8 +1658,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -1496,8 +1692,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -1526,8 +1726,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -1556,8 +1760,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -1586,8 +1794,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -1616,8 +1828,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -1646,8 +1862,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -1676,8 +1896,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -1706,8 +1930,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:18.000Z",
@@ -1738,8 +1966,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_disk_encryption",
 "osquery.result.unix_time": "1512669438",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_disk_encryption",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:18.000Z",
@@ -1770,8 +2002,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_disk_encryption",
 "osquery.result.unix_time": "1512669438",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_disk_encryption",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:18.000Z",
@@ -1802,8 +2038,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_disk_encryption",
 "osquery.result.unix_time": "1512669438",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_disk_encryption",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:18.000Z",
@@ -1834,8 +2074,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_disk_encryption",
 "osquery.result.unix_time": "1512669438",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_disk_encryption",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:18.000Z",
@@ -1866,8 +2110,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_disk_encryption",
 "osquery.result.unix_time": "1512669438",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_disk_encryption",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:18.000Z",
@@ -1898,8 +2146,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_disk_encryption",
 "osquery.result.unix_time": "1512669438",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_disk_encryption",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:18.000Z",
@@ -1930,8 +2182,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_disk_encryption",
 "osquery.result.unix_time": "1512669438",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_disk_encryption",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:18.000Z",
@@ -1962,8 +2218,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_disk_encryption",
 "osquery.result.unix_time": "1512669438",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_disk_encryption",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:18.000Z",
@@ -1994,8 +2254,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_disk_encryption",
 "osquery.result.unix_time": "1512669438",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_disk_encryption",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:18.000Z",
@@ -2026,8 +2290,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_disk_encryption",
 "osquery.result.unix_time": "1512669438",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_disk_encryption",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:18.000Z",
@@ -2058,8 +2326,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_disk_encryption",
 "osquery.result.unix_time": "1512669438",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_disk_encryption",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:18.000Z",
@@ -2091,8 +2363,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_os_version",
 "osquery.result.unix_time": "1512669438",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_os_version",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:18.000Z",
@@ -2140,8 +2416,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_osquery_info",
 "osquery.result.unix_time": "1512669438",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_osquery_info",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:19.000Z",
@@ -2172,8 +2452,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_disk_encryption",
 "osquery.result.unix_time": "1512669439",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_disk_encryption",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:19.000Z",
@@ -2204,8 +2488,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_disk_encryption",
 "osquery.result.unix_time": "1512669439",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_disk_encryption",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:19.000Z",
@@ -2236,8 +2524,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_disk_encryption",
 "osquery.result.unix_time": "1512669439",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_disk_encryption",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:19.000Z",
@@ -2268,8 +2560,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_disk_encryption",
 "osquery.result.unix_time": "1512669439",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_disk_encryption",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:19.000Z",
@@ -2300,8 +2596,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_disk_encryption",
 "osquery.result.unix_time": "1512669439",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_disk_encryption",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:19.000Z",
@@ -2332,8 +2632,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_disk_encryption",
 "osquery.result.unix_time": "1512669439",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_disk_encryption",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:19.000Z",
@@ -2364,8 +2668,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_disk_encryption",
 "osquery.result.unix_time": "1512669439",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_disk_encryption",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:19.000Z",
@@ -2396,8 +2704,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_disk_encryption",
 "osquery.result.unix_time": "1512669439",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_disk_encryption",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:19.000Z",
@@ -2428,8 +2740,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_disk_encryption",
 "osquery.result.unix_time": "1512669439",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_disk_encryption",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:19.000Z",
@@ -2460,8 +2776,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_disk_encryption",
 "osquery.result.unix_time": "1512669439",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_disk_encryption",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:19.000Z",
@@ -2492,8 +2812,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_disk_encryption",
 "osquery.result.unix_time": "1512669439",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_disk_encryption",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:19.000Z",
@@ -2525,8 +2849,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_os_version",
 "osquery.result.unix_time": "1512669439",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_os_version",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:19.000Z",
@@ -2574,8 +2902,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_osquery_info",
 "osquery.result.unix_time": "1512669439",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_osquery_info",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:21.000Z",
@@ -2611,8 +2943,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_mounts",
 "osquery.result.unix_time": "1512669441",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_mounts",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:21.000Z",
@@ -2648,8 +2984,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_mounts",
 "osquery.result.unix_time": "1512669441",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_mounts",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:21.000Z",
@@ -2685,8 +3025,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_mounts",
 "osquery.result.unix_time": "1512669441",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_mounts",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:21.000Z",
@@ -2722,8 +3066,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_mounts",
 "osquery.result.unix_time": "1512669441",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_mounts",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:21.000Z",
@@ -2759,8 +3107,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_mounts",
 "osquery.result.unix_time": "1512669441",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_mounts",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:21.000Z",
@@ -2796,8 +3148,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_mounts",
 "osquery.result.unix_time": "1512669441",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_mounts",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:21.000Z",
@@ -2833,8 +3189,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_mounts",
 "osquery.result.unix_time": "1512669441",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_mounts",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:21.000Z",
@@ -2870,8 +3230,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_mounts",
 "osquery.result.unix_time": "1512669441",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_mounts",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:21.000Z",
@@ -2907,8 +3271,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_mounts",
 "osquery.result.unix_time": "1512669441",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_mounts",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:21.000Z",
@@ -2944,8 +3312,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_mounts",
 "osquery.result.unix_time": "1512669441",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_mounts",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:21.000Z",
@@ -2981,8 +3353,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_mounts",
 "osquery.result.unix_time": "1512669441",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_mounts",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:21.000Z",
@@ -3018,8 +3394,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_mounts",
 "osquery.result.unix_time": "1512669441",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_mounts",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:21.000Z",
@@ -3055,8 +3435,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_mounts",
 "osquery.result.unix_time": "1512669441",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_mounts",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:21.000Z",
@@ -3092,8 +3476,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_mounts",
 "osquery.result.unix_time": "1512669441",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_mounts",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:21.000Z",
@@ -3129,8 +3517,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_mounts",
 "osquery.result.unix_time": "1512669441",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_mounts",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:21.000Z",
@@ -3166,8 +3558,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_mounts",
 "osquery.result.unix_time": "1512669441",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_mounts",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:21.000Z",
@@ -3203,7 +3599,11 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_mounts",
 "osquery.result.unix_time": "1512669441",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_mounts",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 }
 ]
\ No newline at end of file
diff --git a/filebeat/module/osquery/result/test/test.log-expected.json b/filebeat/module/osquery/result/test/test.log-expected.json
index 1051a6d64a8b..37a56ff8f13b 100644
--- a/filebeat/module/osquery/result/test/test.log-expected.json
+++ b/filebeat/module/osquery/result/test/test.log-expected.json
@@ -33,7 +33,11 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_mounts",
 "osquery.result.unix_time": "1514472008",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_mounts",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 }
 ]
\ No newline at end of file