diff --git a/packages/xm_cyber/_dev/build/docs/README.md b/packages/xm_cyber/_dev/build/docs/README.md index 01592294471..1f94135d63d 100644 --- a/packages/xm_cyber/_dev/build/docs/README.md +++ b/packages/xm_cyber/_dev/build/docs/README.md @@ -8,7 +8,7 @@ This integration collects data from the XM Cyber REST API using scheduled pollin ### Compatibility -The XM Cyber integration is compatible with the API version **1.0.0**. +The XM Cyber integration is compatible with the API version **v2**. ### How it works 
@@ -26,12 +26,14 @@ The XM Cyber integration collects the following types of data: |---|---|---| | `audit_trail` | Audit Records | `/api/audit-trail/auditRecords` | | `vulnerability` | CVE records from XM Cyber's Vulnerability Risk Management (VRM) feed, including CVSS v2/v3/v4 scores, EPSS metrics, CISA KEV / in-the-wild exploitation flags, and per-CVE counts of devices, products, and critical assets at risk | `/api/v2/vrm/public/vulnerabilities` | +| `entity_inventory` | Inventory of entities (devices, identities, and cloud resources) tracked by XM Cyber, enriched with OS, network, agent, and cloud-account metadata. | `/api/entityInventory/entities` | ### Supported use cases - **Audit and compliance monitoring**: Track administrative and user activity within your XM Cyber tenant — including console logins, sensor scan results, and configuration changes — and correlate it with the rest of your security telemetry to support compliance reviews and incident investigations. - **Risk-based vulnerability prioritization**: Rank CVEs by CVSS impact, EPSS exploit probability, and CISA KEV / in-the-wild exploitation flags to focus remediation effort where it actually reduces business risk. - **Attack-path-aware exposure analysis**: Correlate detected CVEs with XM Cyber's attack-technique simulations to identify which vulnerabilities act as choke points or stepping stones to crown-jewel assets. +- **Asset and exposure visibility**: Maintain a unified inventory of the devices, identities, and cloud resources XM Cyber discovers across hybrid environments — with OS, network, agent, and cloud-account context — to support asset management, attack-surface monitoring, and prioritization of critical assets. ## What do I need to use this integration? 
@@ -128,6 +130,18 @@ For help with Elastic ingest tools, check [Common problems](https://www.elastic. {{event "vulnerability"}} +### Entity Inventory + +#### Entity Inventory fields + +{{fields "entity_inventory"}} + +### Example event + +#### Entity Inventory + +{{event "entity_inventory"}} + ### Inputs used {{ inputDocs }} @@ -142,7 +156,8 @@ These XM Cyber REST API endpoints are used by this integration: | `/api/refresh-token` | POST | all | Refresh an expired access token | | `/api/audit-trail/auditRecords` | GET | `audit_trail` | Audit Records | | `/api/v2/vrm/public/vulnerabilities` | GET | `vulnerabilities` | Paginated exposure rows (attack techniques / CVE context) | +| `/api/entityInventory/entities` | GET | `entity_inventory` | List entities (devices, identities, cloud resources) tracked by XM Cyber | ### ILM Policy -To facilitate vulnerability data stream-backed indices `.ds-logs-xm_cyber.vulnerability-*` is allowed to contain duplicates from each polling interval. ILM policies `logs-xm_cyber.vulnerability-default_policy` is added to these source indices, so it doesn't lead to unbounded growth. This means that in these source indices data will be deleted after `30 days` from ingested date. \ No newline at end of file +To facilitate vulnerability data stream-backed indices `.ds-logs-xm_cyber.vulnerability-*` is allowed to contain duplicates from each polling interval. ILM policies `logs-xm_cyber.vulnerability-default_policy` is added to these source indices, so it doesn't lead to unbounded growth. This means that in these source indices data will be deleted after `30 days` from ingested date. diff --git a/packages/xm_cyber/_dev/deploy/docker/files/config.yml b/packages/xm_cyber/_dev/deploy/docker/files/config.yml index 445eb9620c5..6f5ce1dcc31 100644 --- a/packages/xm_cyber/_dev/deploy/docker/files/config.yml +++ b/packages/xm_cyber/_dev/deploy/docker/files/config.yml 
@@ -142,7 +142,6 @@ rules: "metadata": {} } `}} - - path: /api/v2/vrm/public/vulnerabilities methods: ['GET'] query_params: 
@@ -226,3 +225,219 @@ rules: } } `}} + # Page 2 — fetched via nextLink cursor=page2 + - path: /api/entityInventory/entities + methods: ['GET'] + query_params: + cursor: 'page2' + request_headers: + Authorization: "Bearer mock-access-token-abc123" + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + "data": [ + { + "id": "awsSsmParameter-arn:aws:ssm:us-east-2:702947630755:parameter/EC2Rescue/Passwords/i-0d056ac1b7c822c92", + "accountId": "702947630755", + "arn": "arn:aws:ssm:us-east-2:702947630755:parameter/EC2Rescue/Passwords/i-0d056ac1b7c822c92", + "customProperties": { + "domainWorkgroup": { + "type": "domain", + "data": "AWS/702947630755" + }, + "ouComputer": "AWS/702947630755/us-east-2/SSM/ParameterMetadata", + "ouUser": "AWS/702947630755/SSM/ParameterMetadata", + "subnetInfo": "AWS_702947630755_us-east-2" + }, + "disabled": false, + "displayName": "/EC2Rescue/Passwords/i-0d056ac1b7c822c92", + "entityType": "AwsSsmParameterEntity", + "name": "/EC2Rescue/Passwords/i-0d056ac1b7c822c92", + "notIncludedInAttacks": false, + "region": "us-east-2", + "ruleDisplayName": "702947630755 / /EC2Rescue/Passwords/i-0d056ac1b7c822c92", + "ssmParameterDataType": "text", + "ssmParameterDescription": "New local Administrator password for instance i-0d056ac1b7c822c92", + "ssmParameterKeyId": "alias/aws/ssm", + "ssmParameterLastModifiedDate": "2021-07-28T08:11:54.200Z", + "ssmParameterLastModifiedUser": "arn:aws:sts::702947630755:assumed-role/AmazonSSMRoleForInstancesQuickSetup/i-0d056ac1b7c822c92", + "ssmParameterName": "/EC2Rescue/Passwords/i-0d056ac1b7c822c92", + "ssmParameterTier": "Standard", + "ssmParameterType": "SecureString", + "ssmParameterVersion": 1, + "status": "active", + "type": "awsSsmParameter", + "typeDisplayName": "AWS SSM Parameter", + "useType": "Storage", + "xmProviderAccount": "xm-test3", + "xmUpdateTime": "2026-05-05T21:05:15.079Z", + "accountName": "xm-test3", + "organizationId": 
"o-wvjziar78j", + "category": "Cloud", + "entityDetails": { + "name": "/EC2Rescue/Passwords/i-0d056ac1b7c822c92", + "id": "awsSsmParameter-arn:aws:ssm:us-east-2:702947630755:parameter/EC2Rescue/Passwords/i-0d056ac1b7c822c92", + "isAsset": null, + "subType": "awsSsmParameter", + "subTypeDisplayName": "AWS SSM Parameter" + } + } + ], + "paging": { + "page": 1, + "pageSize": 2, + "total": 3, + "totalPages": 2, + "nextLink": null + }, + "metadata": {} + } + `}} + # Page 1 — initial full fetch (cursor absent so it does not match Page 2 requests) + - path: /api/entityInventory/entities + methods: ['GET'] + query_params: + pageSize: '2' + cursor: null + request_headers: + Authorization: "Bearer mock-access-token-abc123" + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + "data": [ + { + "id": "awsSsmParameter-arn:aws:ssm:us-east-1:702947630755:parameter/CodeBuild/accessKeys", + "accountId": "702947630755", + "arn": "arn:aws:ssm:us-east-1:702947630755:parameter/CodeBuild/accessKeys", + "customProperties": { + "domainWorkgroup": { + "type": "domain", + "data": "AWS/702947630755" + }, + "ouComputer": "AWS/702947630755/us-east-1/SSM/ParameterMetadata", + "ouUser": "AWS/702947630755/SSM/ParameterMetadata", + "subnetInfo": "AWS_702947630755_us-east-1" + }, + "disabled": false, + "displayName": "/CodeBuild/accessKeys", + "entityType": "AwsSsmParameterEntity", + "name": "/CodeBuild/accessKeys", + "notIncludedInAttacks": false, + "region": "us-east-1", + "ruleDisplayName": "702947630755 / /CodeBuild/accessKeys", + "ssmParameterDataType": "text", + "ssmParameterKeyId": "alias/aws/ssm", + "ssmParameterLastModifiedDate": "2020-07-19T09:53:58.629Z", + "ssmParameterLastModifiedUser": "arn:aws:sts::702947630755:assumed-role/AWSReservedSSO_AdministratorAccess_4b70f7a69b186776/zur@xmcyber.com", + "ssmParameterName": "/CodeBuild/accessKeys", + "ssmParameterTier": "Standard", + "ssmParameterType": "SecureString", + 
"ssmParameterVersion": 1, + "status": "active", + "type": "awsSsmParameter", + "typeDisplayName": "AWS SSM Parameter", + "useType": "Storage", + "xmProviderAccount": "xm-test3", + "xmUpdateTime": "2026-05-05T21:05:15.079Z", + "accountName": "xm-test3", + "organizationId": "o-wvjziar78j", + "category": "Cloud", + "entityDetails": { + "name": "/CodeBuild/accessKeys", + "id": "awsSsmParameter-arn:aws:ssm:us-east-1:702947630755:parameter/CodeBuild/accessKeys", + "isAsset": null, + "subType": "awsSsmParameter", + "subTypeDisplayName": "AWS SSM Parameter" + } + }, + { + "id": "awsSecret-/CrowdStrike/CSPM/SensorManagement/FalconAPICredentials", + "useType": "Storage", + "entityType": "AwsSecretEntity", + "accountId": "908522078858", + "accountName": "aws-908522078858", + "organizationId": "o-wvjziar78j", + "arn": "arn:aws:secretsmanager:us-east-1:908522078858:secret:/CrowdStrike/CSPM/SensorManagement/FalconAPICredentials-4BkOB0", + "xmUpdateTime": "2026-05-05T21:05:15.079Z", + "customProperties": { + "domainWorkgroup": { + "type": "domain", + "data": "AWS/908522078858" + }, + "ouComputer": "AWS/908522078858/us-east-1/SecretsManager/SecretListEntry", + "ouUser": "AWS/908522078858/SecretsManager/SecretListEntry", + "subnetInfo": "AWS_908522078858_us-east-1" + }, + "region": "us-east-1", + "awsTags": [ + { + "Key": "aws:cloudformation:stack-id", + "Value": "arn:aws:cloudformation:us-east-1:908522078858:stack/StackSet-crowdstrike-SensorManagement-9fb10f6b-9dc3-4c3c-a078-dcec6bde4487/3493fc10-2bf9-11f0-a92a-0affd5d0d7df" + }, + { + "Key": "aws:cloudformation:stack-name", + "Value": "StackSet-crowdstrike-SensorManagement-9fb10f6b-9dc3-4c3c-a078-dcec6bde4487" + }, + { + "Key": "aws:cloudformation:logical-id", + "Value": "CrowdStrikeSensorManagementFalconCredentialsSecret" + } + ], + "ruleDisplayName": "908522078858 / /CrowdStrike/CSPM/SensorManagement/FalconAPICredentials", + "secretDescription": "Falcon API credentials used by the 1-Click sensor management orchestrator.", + 
"status": "active", + "type": "awsSecret", + "displayName": "/CrowdStrike/CSPM/SensorManagement/FalconAPICredentials", + "name": "/CrowdStrike/CSPM/SensorManagement/FalconAPICredentials", + "disabled": false, + "notIncludedInAttacks": false, + "typeDisplayName": "AWS Secret", + "labels": [ + { + "id": "aws:cloudformation:stack-id: arn:aws:cloudformation:us-east-1:908522078858:stack/StackSet-crowdstrike-SensorManagement-9fb10f6b-9dc3-4c3c-a078-dcec6bde4487/3493fc10-2bf9-11f0-a92a-0affd5d0d7df", + "type": "cloud" + }, + { + "id": "aws:cloudformation:stack-name: StackSet-crowdstrike-SensorManagement-9fb10f6b-9dc3-4c3c-a078-dcec6bde4487", + "type": "cloud" + }, + { + "id": "aws:cloudformation:logical-id: CrowdStrikeSensorManagementFalconCredentialsSecret", + "type": "cloud" + } + ], + "tagsStr": [ + "aws:cloudformation:stack-id: arn:aws:cloudformation:us-east-1:908522078858:stack/StackSet-crowdstrike-SensorManagement-9fb10f6b-9dc3-4c3c-a078-dcec6bde4487/3493fc10-2bf9-11f0-a92a-0affd5d0d7df", + "aws:cloudformation:stack-name: StackSet-crowdstrike-SensorManagement-9fb10f6b-9dc3-4c3c-a078-dcec6bde4487", + "aws:cloudformation:logical-id: CrowdStrikeSensorManagementFalconCredentialsSecret" + ], + "category": "Cloud", + "entityDetails": { + "name": "/CrowdStrike/CSPM/SensorManagement/FalconAPICredentials", + "id": "awsSecret-/CrowdStrike/CSPM/SensorManagement/FalconAPICredentials", + "isAsset": null, + "subType": "awsSecret", + "subTypeDisplayName": "AWS Secret" + } + } + ], + "paging": { + "page": 0, + "pageSize": 2, + "total": 3, + "totalPages": 2, + "nextLink": "/api/entityInventory/entities?cursor=page2" + }, + "metadata": {} + } + `}} diff --git a/packages/xm_cyber/changelog.yml b/packages/xm_cyber/changelog.yml index 4cd49ba6e74..0e070ead5cf 100644 --- a/packages/xm_cyber/changelog.yml +++ b/packages/xm_cyber/changelog.yml 
@@ -1,6 +1,9 @@ # newer versions go on top - version: 0.1.0 changes: + - description: Add support for entity inventory data stream. + type: enhancement + link: https://github.com/elastic/integrations/pull/19550 - description: Add support for audit trail data stream. type: enhancement link: https://github.com/elastic/integrations/pull/18823 diff --git a/packages/xm_cyber/data_stream/entity_inventory/_dev/test/pipeline/test-common-config.yml b/packages/xm_cyber/data_stream/entity_inventory/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 00000000000..4da22641654 --- /dev/null +++ b/packages/xm_cyber/data_stream/entity_inventory/_dev/test/pipeline/test-common-config.yml @@ -0,0 +1,3 @@ +fields: + tags: + - preserve_original_event diff --git a/packages/xm_cyber/data_stream/entity_inventory/_dev/test/pipeline/test-entity-inventory.log b/packages/xm_cyber/data_stream/entity_inventory/_dev/test/pipeline/test-entity-inventory.log new file mode 100644 index 00000000000..dd85238d500 --- /dev/null +++ b/packages/xm_cyber/data_stream/entity_inventory/_dev/test/pipeline/test-entity-inventory.log 
@@ -0,0 +1,3 @@ +{"id":"11405078888731052442","accessKeyCreationDate":"Unknown","podIP":"","ec2PublicIpAddress":"","agentVersion":{"major":1,"minor":55,"patch":2},"agentVersionStr":"1.55.2","arch":"Amd64","cmId":"0000","connectionCounter":160,"customProperties":{"snifferStatus":"Active","snifferStatusChangeable":true,"domainWorkgroup":{"type":"workgroup","data":"workgroup"},"ouComputer":"workgroup","subnetInfo":"172.0.0.0/24","macAddresses":["00:50:56:3D:0A:93"],"ouUser":"workgroup","labels":[{"label":"spooler"},{"label":"device_without_edr"}],"snifferStatusConfiguration":"ForcedEnabled","custom_labels":[{"label":"testLabel"},{"label":"sn : azure Identity : sn"},{"label":"Azure Identity"},{"label":"2test_vmazure virtual machine_azure_test"},{"label":"1azureCRazure Container registry_test"}],"hardwareInfo":{"totalRamMb":"2047","cpuProcessorType":"Intel(R) Xeon(R) Gold 5318Y CPU @ 2.10GHz","cpuCoreCount":1,"cpuCount":1,"cpuManufacturer":"GenuineIntel","cpuSpeedMhz":2095,"systemManufacturer":"VMware, Inc.","systemModel":"VMware Virtual Platform"}},"customerId":"fda93183-19f4-447d-bd49-83633329ee37","disabled":false,"disabledChangedAt":"2025-12-01T05:31:01.103Z","disabledReason":"revivedByCmNodeMgr","firstSeen":"2024-08-07T12:18:26.093Z","hasUpdateAvailable":false, 
"installationId":"00000000-0000-0000-0000-000000000001","ipv4":[{"data":[192,168,1,203],"type":"Buffer"}],"ipv4Num":[2885681155],"ipv4Str":["192.0.2.0"],"ipv6":[{"data":[253,170,63,62,245,208,0,1,168,44,1,25,76,65,80,190],"type":"Buffer"}],"ipv6Str":["fe80::1c2c:5b3a:97df:13f1"],"lastConnectionTime":"2026-05-03T08:40:06.399Z","lastDisconnectionReason":"Keepalive","lastRebootTime":"2025-05-15T09:33:32.000Z","lastStatusChange":"2026-05-03T08:40:06.399Z","latestPossibleAgentVersion":{"major":1,"minor":55,"patch":2},"latestPossibleAgentVersionStr":"1.55.2","name":"172-0-0-3","nameUppercase":"172-0-0-3","notIncludedInAttacks":false,"os":{"version":{"build":0,"major":10,"minor":0,"patch":18363},"servicePack":{"build":0,"major":0,"minor":0,"patch":0},"distributionName":"","distributionVersion":"","name":"Windows 10 ver 1909"},"osType":"Windows","productType":"Workstation","remoteAddress":"203.0.113.50","securityFlags":["hasSession","hasCachedCredentials"],"status":"active","timeToReviveAt":"2026-05-08T00:00:00Z","type":"agent","typeDisplayName":"Device","hasMatchingSID":false,"lastUpdatedAt":"2026-05-03T09:06:44.280Z","securityFlagsForDisplay":[{"key":"examplekey"}],"southOwner":"south-owner-1","domainName":"workgroup","labels":[{"id":"testLabel","type":"custom"},{"id":"sn : azure Identity : sn","type":"custom"},{"id":"Azure Identity","type":"custom"},{"id":"2test_vmazure virtual machine_azure_test","type":"custom"},{"id":"1azureCRazure Container registry_test","type":"custom"},{"id":"!@$TEST:2))","type":"custom"},{"id":"sn : Access Token : sn","type":"custom"},{"id":"Email Service","type":"custom"},{"id":"shirel-device","type":"custom"},{"id":"felix test","type":"custom"}],"machineId":"ca722442-9a91-849d-0fdd-438e7a0701f1","agentType":"Service","category":"enterprise","xmLabels":[{"id":"Spooler server"},{"id":"Public IP"},{"id":"Device without EDR"}],"importedLabels":["SN Name : 172-0-0-3","SN Created : 2026-04-14 
05:15:00"],"entityDetails":{"name":"172-0-0-3","id":"11405078888731052442","isAsset":true,"subType":"windows","subTypeDisplayName":"Device"},"accountId":"123456789012","arn":"arn:aws:ssm:us-east-2:123456789012:parameter/EC2Rescue/Passwords/i-0d056ac1b7c822c92","displayName":"/EC2Rescue/Passwords/i-0d056ac1b7c822c92","entityType":"agent","region":"us-east-2","ruleDisplayName":"123456789012 / /EC2Rescue/Passwords/i-0d056ac1b7c822c92","ssmParameterDataType":"text","ssmParameterDescription":"New local Administrator password for instance i-0d056ac1b7c822c92","ssmParameterKeyId":"alias/aws/ssm","ssmParameterLastModifiedDate":"2021-07-28T08:11:54.200Z","ssmParameterLastModifiedUser":"arn:aws:sts::123456789012:assumed-role/AmazonSSMRoleForInstancesQuickSetup/i-0d056ac1b7c822c92","ssmParameterName":"/EC2Rescue/Passwords/i-0d056ac1b7c822c92","ssmParameterTier":"Standard","ssmParameterType":"SecureString","ssmParameterVersion":1,"useType":"Storage","xmProviderAccount":"xm-test3","xmUpdateTime":"2026-05-05T21:05:15.079Z","accountName":"xm-test3","organizationId":"o-wvjziar78j","awsTags":[{"Key":"aws:cloudformation:stack-id","Value":"arn:aws:cloudformation:us-east-1:123456789012:stack/StackSet-example-SensorManagement-00000000-0000-0000-0000-000000000001/00000000-0000-0000-0000-000000000002"},{"Key":"aws:cloudformation:stack-name","Value":"StackSet-example-SensorManagement-00000000-0000-0000-0000-000000000001"},{"Key":"aws:cloudformation:logical-id","Value":"ExampleSensorManagementCredentialsSecret"}],"secretKmsKeyId":"alias/tenant-secret-kms-local","secretDescription":"Example API credentials used by the 1-Click sensor management orchestrator.","tagsStr":["aws:cloudformation:stack-id: arn:aws:cloudformation:us-east-1:123456789012:stack/StackSet-example-SensorManagement-00000000-0000-0000-0000-000000000001/00000000-0000-0000-0000-000000000002","aws:cloudformation:stack-name: StackSet-example-SensorManagement-00000000-0000-0000-0000-000000000001","aws:cloudformation:logical-id: 
ExampleSensorManagementCredentialsSecret"],"kmsKeyAliases":["alias/aws/secretsmanager","alias/example"],"kmsKeyCreationDate":"2024-12-05T15:14:24.368Z","kmsKeyDescription":"","kmsKeyManager":"CUSTOMER","kmsKeyOrigin":"AWS_KMS","kmsKeyState":"Enabled","kmsKeyUsage":"ENCRYPT_DECRYPT"} +{"id":"22516189999842163553","entityType":"AWSUser","type":"user","name":"jane.doe@example.com","category":"cloud","customerId":"fda93183-19f4-447d-bd49-83633329ee37","accessKeyCreationDate":"2024-12-05T15:14:24.368Z","createdDate":"Unknown","lastActivityDate":"2026-04-15T11:22:33.000Z","firstSeen":"Unknown","lastUpdatedAt":"Unknown","xmUpdateTime":"2026-05-20T10:00:00.000Z","passwordHash":"hash_redacted","userAccessKeysCount":2,"isMFAEnabled":true,"ipv4":["10.10.0.1","10.10.0.2"],"ipv4Num":[168427521,168427522],"ipv4Str":["10.10.0.1","10.10.0.2"],"ipv6":["2001:db8::1","2001:db8::2"],"ipv6Str":["2001:db8::1","2001:db8::2"],"cloudProvider":"AWS","accountId":"123456789012","arn":"arn:aws:iam::123456789012:user/jane.doe","region":"us-east-1","entityDetails":{"name":"jane.doe@example.com","id":"22516189999842163553","isAsset":true,"subType":"awsUser","subTypeDisplayName":"AWS User"}} 
+{"id":"33627290000953274664","entityType":"agent","type":"agent","name":"dev-host-01","nameUppercase":"DEV-HOST-01","category":"enterprise","customerId":"fda93183-19f4-447d-bd49-83633329ee37","firstSeen":"Unknown","lastConnectionTime":"Unknown","lastRebootTime":"Unknown","lastStatusChange":"Unknown","lastUpdatedAt":"Unknown","disabledChangedAt":"Unknown","timeToReviveAt":"Unknown","xmUpdateTime":"Unknown","kmsKeyCreationDate":"Unknown","ssmParameterLastModifiedDate":"Unknown","createdDate":"Unknown","lastActivityDate":"Unknown","ebsVolumeCreateTime":"Unknown","creationTimestamp":"Unknown","accessKeyCreationDate":"Unknown","lastRunningTime":"Unknown","ecrRepositoryCreationDate":"Unknown","dynamoDbTableCreationDateTime":"Unknown","elasticacheCacheClusterCreateTime":"Unknown","sqsQueueLastModifiedDate":"Unknown","createTime":"Unknown","created":"Unknown","lastModified":"Unknown","expireAt":"Unknown","whenCreated":"Unknown","xmMongoUpdateTime":"Unknown","redshiftClusterCreateTime":"Unknown","ipv4":["10.20.0.1",{"data":[10,20,0,2],"type":"Buffer"}],"ipv4Num":[169082881,169082882],"ipv4Str":["10.20.0.1","10.20.0.2"],"ipv6":["2001:db8::a",{"data":[32,1,13,184,0,0,0,0,0,0,0,0,0,0,0,11],"type":"Buffer"}],"ipv6Str":["2001:db8::a","2001:db8::b"],"agentVersion":{"major":1,"minor":50,"patch":0},"agentVersionStr":"1.50.0","machineId":"abcdef12-3456-7890-abcd-ef1234567890","hasMatchingSID":false,"notIncludedInAttacks":false,"osType":"Linux","entityDetails":{"name":"dev-host-01","id":"33627290000953274664","isAsset":true,"subType":"linux","subTypeDisplayName":"Device"}} diff --git a/packages/xm_cyber/data_stream/entity_inventory/_dev/test/pipeline/test-entity-inventory.log-expected.json b/packages/xm_cyber/data_stream/entity_inventory/_dev/test/pipeline/test-entity-inventory.log-expected.json new file mode 100644 index 00000000000..500d00c6e2f --- /dev/null +++ b/packages/xm_cyber/data_stream/entity_inventory/_dev/test/pipeline/test-entity-inventory.log-expected.json 
@@ -0,0 +1,542 @@ +{ + "expected": [ + { + "@timestamp": "2026-05-05T21:05:15.079Z", + "cloud": { + "region": "us-east-2" + }, + "ecs": { + "version": "9.3.0" + }, + "event": { + "id": "11405078888731052442", + "kind": "asset", + "original": "{\"id\":\"11405078888731052442\",\"accessKeyCreationDate\":\"Unknown\",\"podIP\":\"\",\"ec2PublicIpAddress\":\"\",\"agentVersion\":{\"major\":1,\"minor\":55,\"patch\":2},\"agentVersionStr\":\"1.55.2\",\"arch\":\"Amd64\",\"cmId\":\"0000\",\"connectionCounter\":160,\"customProperties\":{\"snifferStatus\":\"Active\",\"snifferStatusChangeable\":true,\"domainWorkgroup\":{\"type\":\"workgroup\",\"data\":\"workgroup\"},\"ouComputer\":\"workgroup\",\"subnetInfo\":\"172.0.0.0/24\",\"macAddresses\":[\"00:50:56:3D:0A:93\"],\"ouUser\":\"workgroup\",\"labels\":[{\"label\":\"spooler\"},{\"label\":\"device_without_edr\"}],\"snifferStatusConfiguration\":\"ForcedEnabled\",\"custom_labels\":[{\"label\":\"testLabel\"},{\"label\":\"sn : azure Identity : sn\"},{\"label\":\"Azure Identity\"},{\"label\":\"2test_vmazure virtual machine_azure_test\"},{\"label\":\"1azureCRazure Container registry_test\"}],\"hardwareInfo\":{\"totalRamMb\":\"2047\",\"cpuProcessorType\":\"Intel(R) Xeon(R) Gold 5318Y CPU @ 2.10GHz\",\"cpuCoreCount\":1,\"cpuCount\":1,\"cpuManufacturer\":\"GenuineIntel\",\"cpuSpeedMhz\":2095,\"systemManufacturer\":\"VMware, Inc.\",\"systemModel\":\"VMware Virtual Platform\"}},\"customerId\":\"fda93183-19f4-447d-bd49-83633329ee37\",\"disabled\":false,\"disabledChangedAt\":\"2025-12-01T05:31:01.103Z\",\"disabledReason\":\"revivedByCmNodeMgr\",\"firstSeen\":\"2024-08-07T12:18:26.093Z\",\"hasUpdateAvailable\":false, 
\"installationId\":\"00000000-0000-0000-0000-000000000001\",\"ipv4\":[{\"data\":[192,168,1,203],\"type\":\"Buffer\"}],\"ipv4Num\":[2885681155],\"ipv4Str\":[\"192.0.2.0\"],\"ipv6\":[{\"data\":[253,170,63,62,245,208,0,1,168,44,1,25,76,65,80,190],\"type\":\"Buffer\"}],\"ipv6Str\":[\"fe80::1c2c:5b3a:97df:13f1\"],\"lastConnectionTime\":\"2026-05-03T08:40:06.399Z\",\"lastDisconnectionReason\":\"Keepalive\",\"lastRebootTime\":\"2025-05-15T09:33:32.000Z\",\"lastStatusChange\":\"2026-05-03T08:40:06.399Z\",\"latestPossibleAgentVersion\":{\"major\":1,\"minor\":55,\"patch\":2},\"latestPossibleAgentVersionStr\":\"1.55.2\",\"name\":\"172-0-0-3\",\"nameUppercase\":\"172-0-0-3\",\"notIncludedInAttacks\":false,\"os\":{\"version\":{\"build\":0,\"major\":10,\"minor\":0,\"patch\":18363},\"servicePack\":{\"build\":0,\"major\":0,\"minor\":0,\"patch\":0},\"distributionName\":\"\",\"distributionVersion\":\"\",\"name\":\"Windows 10 ver 1909\"},\"osType\":\"Windows\",\"productType\":\"Workstation\",\"remoteAddress\":\"203.0.113.50\",\"securityFlags\":[\"hasSession\",\"hasCachedCredentials\"],\"status\":\"active\",\"timeToReviveAt\":\"2026-05-08T00:00:00Z\",\"type\":\"agent\",\"typeDisplayName\":\"Device\",\"hasMatchingSID\":false,\"lastUpdatedAt\":\"2026-05-03T09:06:44.280Z\",\"securityFlagsForDisplay\":[{\"key\":\"examplekey\"}],\"southOwner\":\"south-owner-1\",\"domainName\":\"workgroup\",\"labels\":[{\"id\":\"testLabel\",\"type\":\"custom\"},{\"id\":\"sn : azure Identity : sn\",\"type\":\"custom\"},{\"id\":\"Azure Identity\",\"type\":\"custom\"},{\"id\":\"2test_vmazure virtual machine_azure_test\",\"type\":\"custom\"},{\"id\":\"1azureCRazure Container registry_test\",\"type\":\"custom\"},{\"id\":\"!@$TEST:2))\",\"type\":\"custom\"},{\"id\":\"sn : Access Token : sn\",\"type\":\"custom\"},{\"id\":\"Email Service\",\"type\":\"custom\"},{\"id\":\"shirel-device\",\"type\":\"custom\"},{\"id\":\"felix 
test\",\"type\":\"custom\"}],\"machineId\":\"ca722442-9a91-849d-0fdd-438e7a0701f1\",\"agentType\":\"Service\",\"category\":\"enterprise\",\"xmLabels\":[{\"id\":\"Spooler server\"},{\"id\":\"Public IP\"},{\"id\":\"Device without EDR\"}],\"importedLabels\":[\"SN Name : 172-0-0-3\",\"SN Created : 2026-04-14 05:15:00\"],\"entityDetails\":{\"name\":\"172-0-0-3\",\"id\":\"11405078888731052442\",\"isAsset\":true,\"subType\":\"windows\",\"subTypeDisplayName\":\"Device\"},\"accountId\":\"123456789012\",\"arn\":\"arn:aws:ssm:us-east-2:123456789012:parameter/EC2Rescue/Passwords/i-0d056ac1b7c822c92\",\"displayName\":\"/EC2Rescue/Passwords/i-0d056ac1b7c822c92\",\"entityType\":\"agent\",\"region\":\"us-east-2\",\"ruleDisplayName\":\"123456789012 / /EC2Rescue/Passwords/i-0d056ac1b7c822c92\",\"ssmParameterDataType\":\"text\",\"ssmParameterDescription\":\"New local Administrator password for instance i-0d056ac1b7c822c92\",\"ssmParameterKeyId\":\"alias/aws/ssm\",\"ssmParameterLastModifiedDate\":\"2021-07-28T08:11:54.200Z\",\"ssmParameterLastModifiedUser\":\"arn:aws:sts::123456789012:assumed-role/AmazonSSMRoleForInstancesQuickSetup/i-0d056ac1b7c822c92\",\"ssmParameterName\":\"/EC2Rescue/Passwords/i-0d056ac1b7c822c92\",\"ssmParameterTier\":\"Standard\",\"ssmParameterType\":\"SecureString\",\"ssmParameterVersion\":1,\"useType\":\"Storage\",\"xmProviderAccount\":\"xm-test3\",\"xmUpdateTime\":\"2026-05-05T21:05:15.079Z\",\"accountName\":\"xm-test3\",\"organizationId\":\"o-wvjziar78j\",\"awsTags\":[{\"Key\":\"aws:cloudformation:stack-id\",\"Value\":\"arn:aws:cloudformation:us-east-1:123456789012:stack/StackSet-example-SensorManagement-00000000-0000-0000-0000-000000000001/00000000-0000-0000-0000-000000000002\"},{\"Key\":\"aws:cloudformation:stack-name\",\"Value\":\"StackSet-example-SensorManagement-00000000-0000-0000-0000-000000000001\"},{\"Key\":\"aws:cloudformation:logical-id\",\"Value\":\"ExampleSensorManagementCredentialsSecret\"}],\"secretKmsKeyId\":\"alias/tenant-secret-kms-local\",\"
secretDescription\":\"Example API credentials used by the 1-Click sensor management orchestrator.\",\"tagsStr\":[\"aws:cloudformation:stack-id: arn:aws:cloudformation:us-east-1:123456789012:stack/StackSet-example-SensorManagement-00000000-0000-0000-0000-000000000001/00000000-0000-0000-0000-000000000002\",\"aws:cloudformation:stack-name: StackSet-example-SensorManagement-00000000-0000-0000-0000-000000000001\",\"aws:cloudformation:logical-id: ExampleSensorManagementCredentialsSecret\"],\"kmsKeyAliases\":[\"alias/aws/secretsmanager\",\"alias/example\"],\"kmsKeyCreationDate\":\"2024-12-05T15:14:24.368Z\",\"kmsKeyDescription\":\"\",\"kmsKeyManager\":\"CUSTOMER\",\"kmsKeyOrigin\":\"AWS_KMS\",\"kmsKeyState\":\"Enabled\",\"kmsKeyUsage\":\"ENCRYPT_DECRYPT\"}" + }, + "host": { + "architecture": "Amd64", + "domain": "workgroup", + "entity": { + "lifecycle": { + "last_activity": "2026-05-03T08:40:06.399Z" + } + }, + "id": "ca722442-9a91-849d-0fdd-438e7a0701f1", + "ip": [ + "192.0.2.0" + ], + "os": { + "family": "Windows", + "full": "Windows 10 ver 1909" + } + }, + "orchestrator": { + "type": "kubernetes" + }, + "organization": { + "id": "o-wvjziar78j" + }, + "related": { + "hosts": [ + "arn:aws:ssm:us-east-2:123456789012:parameter/EC2Rescue/Passwords/i-0d056ac1b7c822c92", + "172-0-0-3" + ], + "ip": [ + "192.0.2.0" + ] + }, + "tags": [ + "preserve_original_event", + "aws:cloudformation:stack-id: arn:aws:cloudformation:us-east-1:123456789012:stack/StackSet-example-SensorManagement-00000000-0000-0000-0000-000000000001/00000000-0000-0000-0000-000000000002", + "aws:cloudformation:stack-name: StackSet-example-SensorManagement-00000000-0000-0000-0000-000000000001", + "aws:cloudformation:logical-id: ExampleSensorManagementCredentialsSecret" + ], + "xm_cyber": { + "entity_inventory": { + "access_key_creation_date": "Unknown", + "agent_type": "Service", + "agent_version": { + "major": 1, + "minor": 55, + "patch": 2 + }, + "agent_version_str": "1.55.2", + "arn": 
"arn:aws:ssm:us-east-2:123456789012:parameter/EC2Rescue/Passwords/i-0d056ac1b7c822c92", + "aws_tags": [ + { + "key": "aws:cloudformation:stack-id", + "value": "arn:aws:cloudformation:us-east-1:123456789012:stack/StackSet-example-SensorManagement-00000000-0000-0000-0000-000000000001/00000000-0000-0000-0000-000000000002" + }, + { + "key": "aws:cloudformation:stack-name", + "value": "StackSet-example-SensorManagement-00000000-0000-0000-0000-000000000001" + }, + { + "key": "aws:cloudformation:logical-id", + "value": "ExampleSensorManagementCredentialsSecret" + } + ], + "category": "enterprise", + "cm_id": "0000", + "connection_counter": 160, + "custom_properties": { + "custom_labels": [ + { + "label": "testLabel" + }, + { + "label": "sn : azure Identity : sn" + }, + { + "label": "Azure Identity" + }, + { + "label": "2test_vmazure virtual machine_azure_test" + }, + { + "label": "1azureCRazure Container registry_test" + } + ], + "domain_workgroup": { + "data": "workgroup", + "type": "workgroup" + }, + "hardware_info": { + "cpu_core_count": 1, + "cpu_count": 1, + "cpu_manufacturer": "GenuineIntel", + "cpu_processor_type": "Intel(R) Xeon(R) Gold 5318Y CPU @ 2.10GHz", + "cpu_speed_mhz": 2095, + "system_manufacturer": "VMware, Inc.", + "system_model": "VMware Virtual Platform", + "total_ram_mb": "2047" + }, + "labels": [ + { + "label": "spooler" + }, + { + "label": "device_without_edr" + } + ], + "mac_addresses": [ + "00:50:56:3D:0A:93" + ], + "ou_computer": "workgroup", + "ou_user": "workgroup", + "sniffer_status": "Active", + "sniffer_status_changeable": true, + "sniffer_status_configuration": "ForcedEnabled", + "subnet_info": "172.0.0.0/24" + }, + "customer_id": "fda93183-19f4-447d-bd49-83633329ee37", + "disabled": false, + "disabled_changed_at": "2025-12-01T05:31:01.103Z", + "disabled_reason": "revivedByCmNodeMgr", + "display_name": "/EC2Rescue/Passwords/i-0d056ac1b7c822c92", + "entity_details": { + "id": "11405078888731052442", + "is_asset": true, + "name": "172-0-0-3", 
+ "sub_type": "windows", + "sub_type_display_name": "Device" + }, + "entity_type": "agent", + "first_seen": "2024-08-07T12:18:26.093Z", + "has_matching_sid": false, + "has_update_available": false, + "imported_labels": [ + "SN Name : 172-0-0-3", + "SN Created : 2026-04-14 05:15:00" + ], + "installation_id": "00000000-0000-0000-0000-000000000001", + "ipv4_buffer": [ + { + "data": [ + 192, + 168, + 1, + 203 + ], + "type": "Buffer" + } + ], + "ipv4num": [ + 2885681155 + ], + "ipv6_buffer": [ + { + "data": [ + 253, + 170, + 63, + 62, + 245, + 208, + 0, + 1, + 168, + 44, + 1, + 25, + 76, + 65, + 80, + 190 + ], + "type": "Buffer" + } + ], + "ipv6str": [ + "fe80::1c2c:5b3a:97df:13f1" + ], + "kms_key_aliases": [ + "alias/aws/secretsmanager", + "alias/example" + ], + "kms_key_creation_date": "2024-12-05T15:14:24.368Z", + "kms_key_manager": "CUSTOMER", + "kms_key_origin": "AWS_KMS", + "kms_key_state": "Enabled", + "kms_key_usage": "ENCRYPT_DECRYPT", + "labels": [ + { + "id": "testLabel", + "type": "custom" + }, + { + "id": "sn : azure Identity : sn", + "type": "custom" + }, + { + "id": "Azure Identity", + "type": "custom" + }, + { + "id": "2test_vmazure virtual machine_azure_test", + "type": "custom" + }, + { + "id": "1azureCRazure Container registry_test", + "type": "custom" + }, + { + "id": "!@$TEST:2))", + "type": "custom" + }, + { + "id": "sn : Access Token : sn", + "type": "custom" + }, + { + "id": "Email Service", + "type": "custom" + }, + { + "id": "shirel-device", + "type": "custom" + }, + { + "id": "felix test", + "type": "custom" + } + ], + "last_connection_time": "2026-05-03T08:40:06.399Z", + "last_disconnection_reason": "Keepalive", + "last_reboot_time": "2025-05-15T09:33:32.000Z", + "last_status_change": "2026-05-03T08:40:06.399Z", + "last_updated_at": "2026-05-03T09:06:44.280Z", + "latest_possible_agent_version": { + "major": 1, + "minor": 55, + "patch": 2 + }, + "latest_possible_agent_version_str": "1.55.2", + "name": "172-0-0-3", + "name_uppercase": 
"172-0-0-3", + "not_included_in_attacks": false, + "os": { + "service_pack": { + "build": 0, + "major": 0, + "minor": 0, + "patch": 0 + }, + "version": { + "build": 0, + "major": 10, + "minor": 0, + "patch": 18363 + } + }, + "product_type": "Workstation", + "remote_address": "203.0.113.50", + "rule_display_name": "123456789012 / /EC2Rescue/Passwords/i-0d056ac1b7c822c92", + "secret_description": "Example API credentials used by the 1-Click sensor management orchestrator.", + "secret_kms_key_id": "alias/tenant-secret-kms-local", + "security_flags": [ + "hasSession", + "hasCachedCredentials" + ], + "security_flags_for_display": [ + { + "key": "examplekey" + } + ], + "south_owner": "south-owner-1", + "ssm_parameter_data_type": "text", + "ssm_parameter_description": "New local Administrator password for instance i-0d056ac1b7c822c92", + "ssm_parameter_key_id": "alias/aws/ssm", + "ssm_parameter_last_modified_date": "2021-07-28T08:11:54.200Z", + "ssm_parameter_last_modified_user": "arn:aws:sts::123456789012:assumed-role/AmazonSSMRoleForInstancesQuickSetup/i-0d056ac1b7c822c92", + "ssm_parameter_name": "/EC2Rescue/Passwords/i-0d056ac1b7c822c92", + "ssm_parameter_tier": "Standard", + "ssm_parameter_type": "SecureString", + "ssm_parameter_version": 1, + "status": "active", + "time_to_revive_at": "2026-05-08T00:00:00.000Z", + "type": "agent", + "type_display_name": "Device", + "use_type": "Storage", + "xm_labels": [ + { + "id": "Spooler server" + }, + { + "id": "Public IP" + }, + { + "id": "Device without EDR" + } + ], + "xm_provider_account": "xm-test3" + } + } + }, + { + "@timestamp": "2026-05-20T10:00:00.000Z", + "cloud": { + "account": { + "id": "123456789012" + }, + "instance": { + "name": "jane.doe@example.com" + }, + "provider": "aws", + "region": "us-east-1" + }, + "ecs": { + "version": "9.3.0" + }, + "event": { + "id": "22516189999842163553", + "kind": "asset", + "original": 
"{\"id\":\"22516189999842163553\",\"entityType\":\"AWSUser\",\"type\":\"user\",\"name\":\"jane.doe@example.com\",\"category\":\"cloud\",\"customerId\":\"fda93183-19f4-447d-bd49-83633329ee37\",\"accessKeyCreationDate\":\"2024-12-05T15:14:24.368Z\",\"createdDate\":\"Unknown\",\"lastActivityDate\":\"2026-04-15T11:22:33.000Z\",\"firstSeen\":\"Unknown\",\"lastUpdatedAt\":\"Unknown\",\"xmUpdateTime\":\"2026-05-20T10:00:00.000Z\",\"passwordHash\":\"hash_redacted\",\"userAccessKeysCount\":2,\"isMFAEnabled\":true,\"ipv4\":[\"10.10.0.1\",\"10.10.0.2\"],\"ipv4Num\":[168427521,168427522],\"ipv4Str\":[\"10.10.0.1\",\"10.10.0.2\"],\"ipv6\":[\"2001:db8::1\",\"2001:db8::2\"],\"ipv6Str\":[\"2001:db8::1\",\"2001:db8::2\"],\"cloudProvider\":\"AWS\",\"accountId\":\"123456789012\",\"arn\":\"arn:aws:iam::123456789012:user/jane.doe\",\"region\":\"us-east-1\",\"entityDetails\":{\"name\":\"jane.doe@example.com\",\"id\":\"22516189999842163553\",\"isAsset\":true,\"subType\":\"awsUser\",\"subTypeDisplayName\":\"AWS User\"}}" + }, + "host": { + "ip": [ + "10.10.0.1", + "10.10.0.2" + ] + }, + "related": { + "hash": [ + "hash_redacted" + ], + "hosts": [ + "arn:aws:iam::123456789012:user/jane.doe", + "jane.doe@example.com" + ], + "ip": [ + "10.10.0.1", + "10.10.0.2" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "entity": { + "attributes": { + "mfa_enabled": true + }, + "lifecycle": { + "last_activity": "2026-04-15T11:22:33.000Z" + } + } + }, + "xm_cyber": { + "entity_inventory": { + "access_key_creation_date": "2024-12-05T15:14:24.368Z", + "arn": "arn:aws:iam::123456789012:user/jane.doe", + "category": "cloud", + "created_date": "Unknown", + "customer_id": "fda93183-19f4-447d-bd49-83633329ee37", + "entity_details": { + "id": "22516189999842163553", + "is_asset": true, + "name": "jane.doe@example.com", + "sub_type": "awsUser", + "sub_type_display_name": "AWS User" + }, + "entity_type": "AWSUser", + "first_seen": "Unknown", + "ipv4": [ + "10.10.0.1", + "10.10.0.2" + ], + 
"ipv4num": [ + 168427521, + 168427522 + ], + "ipv6": [ + "2001:db8::1", + "2001:db8::2" + ], + "ipv6str": [ + "2001:db8::1", + "2001:db8::2" + ], + "is_mfaenabled": true, + "last_activity_date": "2026-04-15T11:22:33.000Z", + "last_updated_at": "Unknown", + "name": "jane.doe@example.com", + "type": "user", + "user_access_keys_count": 2 + } + } + }, + { + "@timestamp": "Unknown", + "ecs": { + "version": "9.3.0" + }, + "event": { + "id": "33627290000953274664", + "kind": "asset", + "original": "{\"id\":\"33627290000953274664\",\"entityType\":\"agent\",\"type\":\"agent\",\"name\":\"dev-host-01\",\"nameUppercase\":\"DEV-HOST-01\",\"category\":\"enterprise\",\"customerId\":\"fda93183-19f4-447d-bd49-83633329ee37\",\"firstSeen\":\"Unknown\",\"lastConnectionTime\":\"Unknown\",\"lastRebootTime\":\"Unknown\",\"lastStatusChange\":\"Unknown\",\"lastUpdatedAt\":\"Unknown\",\"disabledChangedAt\":\"Unknown\",\"timeToReviveAt\":\"Unknown\",\"xmUpdateTime\":\"Unknown\",\"kmsKeyCreationDate\":\"Unknown\",\"ssmParameterLastModifiedDate\":\"Unknown\",\"createdDate\":\"Unknown\",\"lastActivityDate\":\"Unknown\",\"ebsVolumeCreateTime\":\"Unknown\",\"creationTimestamp\":\"Unknown\",\"accessKeyCreationDate\":\"Unknown\",\"lastRunningTime\":\"Unknown\",\"ecrRepositoryCreationDate\":\"Unknown\",\"dynamoDbTableCreationDateTime\":\"Unknown\",\"elasticacheCacheClusterCreateTime\":\"Unknown\",\"sqsQueueLastModifiedDate\":\"Unknown\",\"createTime\":\"Unknown\",\"created\":\"Unknown\",\"lastModified\":\"Unknown\",\"expireAt\":\"Unknown\",\"whenCreated\":\"Unknown\",\"xmMongoUpdateTime\":\"Unknown\",\"redshiftClusterCreateTime\":\"Unknown\",\"ipv4\":[\"10.20.0.1\",{\"data\":[10,20,0,2],\"type\":\"Buffer\"}],\"ipv4Num\":[169082881,169082882],\"ipv4Str\":[\"10.20.0.1\",\"10.20.0.2\"],\"ipv6\":[\"2001:db8::a\",{\"data\":[32,1,13,184,0,0,0,0,0,0,0,0,0,0,0,11],\"type\":\"Buffer\"}],\"ipv6Str\":[\"2001:db8::a\",\"2001:db8::b\"],\"agentVersion\":{\"major\":1,\"minor\":50,\"patch\":0},\"agentVersionStr\":\"
1.50.0\",\"machineId\":\"abcdef12-3456-7890-abcd-ef1234567890\",\"hasMatchingSID\":false,\"notIncludedInAttacks\":false,\"osType\":\"Linux\",\"entityDetails\":{\"name\":\"dev-host-01\",\"id\":\"33627290000953274664\",\"isAsset\":true,\"subType\":\"linux\",\"subTypeDisplayName\":\"Device\"}}" + }, + "host": { + "id": "abcdef12-3456-7890-abcd-ef1234567890", + "ip": [ + "10.20.0.1", + "10.20.0.2" + ], + "os": { + "family": "Linux" + } + }, + "related": { + "hosts": [ + "dev-host-01" + ], + "ip": [ + "10.20.0.1", + "10.20.0.2" + ] + }, + "tags": [ + "preserve_original_event" + ], + "xm_cyber": { + "entity_inventory": { + "access_key_creation_date": "Unknown", + "agent_version": { + "major": 1, + "minor": 50, + "patch": 0 + }, + "agent_version_str": "1.50.0", + "category": "enterprise", + "create_time": "Unknown", + "created": "Unknown", + "created_date": "Unknown", + "creation_timestamp": "Unknown", + "customer_id": "fda93183-19f4-447d-bd49-83633329ee37", + "disabled_changed_at": "Unknown", + "dynamo_db_table_creation_date_time": "Unknown", + "ebs_volume_create_time": "Unknown", + "ecr_repository_creation_date": "Unknown", + "elasticache_cache_cluster_create_time": "Unknown", + "entity_details": { + "id": "33627290000953274664", + "is_asset": true, + "name": "dev-host-01", + "sub_type": "linux", + "sub_type_display_name": "Device" + }, + "entity_type": "agent", + "expire_at": "Unknown", + "first_seen": "Unknown", + "has_matching_sid": false, + "ipv4": [ + "10.20.0.1" + ], + "ipv4_buffer": [ + { + "data": [ + 10, + 20, + 0, + 2 + ], + "type": "Buffer" + } + ], + "ipv4num": [ + 169082881, + 169082882 + ], + "ipv6": [ + "2001:db8::a" + ], + "ipv6_buffer": [ + { + "data": [ + 32, + 1, + 13, + 184, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 11 + ], + "type": "Buffer" + } + ], + "ipv6str": [ + "2001:db8::a", + "2001:db8::b" + ], + "kms_key_creation_date": "Unknown", + "last_activity_date": "Unknown", + "last_connection_time": "Unknown", + "last_modified": 
"Unknown", + "last_reboot_time": "Unknown", + "last_running_time": "Unknown", + "last_status_change": "Unknown", + "last_updated_at": "Unknown", + "name": "dev-host-01", + "name_uppercase": "DEV-HOST-01", + "not_included_in_attacks": false, + "redshift_cluster_create_time": "Unknown", + "sqs_queue_last_modified_date": "Unknown", + "ssm_parameter_last_modified_date": "Unknown", + "time_to_revive_at": "Unknown", + "type": "agent", + "when_created": "Unknown", + "xm_mongo_update_time": "Unknown" + } + } + } + ] +} diff --git a/packages/xm_cyber/data_stream/entity_inventory/_dev/test/system/test-default-config.yml b/packages/xm_cyber/data_stream/entity_inventory/_dev/test/system/test-default-config.yml new file mode 100644 index 00000000000..511a16aad17 --- /dev/null +++ b/packages/xm_cyber/data_stream/entity_inventory/_dev/test/system/test-default-config.yml @@ -0,0 +1,15 @@ +wait_for_data_timeout: 1m +input: cel +service: xm_cyber +vars: + url: http://{{Hostname}}:{{Port}} + api_key: mock-api-key +data_stream: + vars: + interval: 24h + page_size: 2 + preserve_original_event: true +# Full-fetch every interval: each cycle returns 3 records (2 from page 1 + 1 from +# nextLink page 2). Multiple cycles run within wait_for_data_timeout, so use min_count. +assert: + min_count: 3 diff --git a/packages/xm_cyber/data_stream/entity_inventory/agent/stream/cel.yml.hbs b/packages/xm_cyber/data_stream/entity_inventory/agent/stream/cel.yml.hbs new file mode 100644 index 00000000000..a0ddee26fc1 --- /dev/null +++ b/packages/xm_cyber/data_stream/entity_inventory/agent/stream/cel.yml.hbs 
@@ -0,0 +1,186 @@ +interval: {{interval}} +max_executions: 200 +resource.tracer: + enabled: {{enable_request_tracer}} + filename: "../../logs/cel/http-request-trace-*.ndjson" + maxbackups: 5 +{{#if proxy_url}} +resource.proxy_url: {{proxy_url}} +{{/if}} +{{#if ssl}} +resource.ssl: {{ssl}} +{{/if}} +{{#if http_client_timeout}} +resource.timeout: {{http_client_timeout}} +{{/if}} +resource.url: {{url}} +state: + url: {{url}} + api_key: {{api_key}} + page_size: {{page_size}} +redact: + fields: + - api_key + - access_token + - refresh_token +program: | + state.url.trim_right("/").as(base, + state.with( + ( + ( + !has(state.?cursor.access_token) || !has(state.?cursor.refresh_token) || state.?cursor.need_reauth.orValue(false) + ) ? + post_request(base + "/api/auth", "application/json", "{}").with( + { + "Header": { + "X-Api-Key": [state.api_key], + "Content-Type": ["application/json"], + }, + } + ).do_request().as(authResp, + (authResp.StatusCode == 200) ? + authResp.Body.decode_json().as(ao, + { + "ok": true, + "access": ao.accessToken, + "refresh": ao.refreshToken, + } + ) + : + { + "ok": false, + "err_code": string(authResp.StatusCode), + "err_status": authResp.Status, + "err_body": (size(authResp.Body) != 0) ? string(authResp.Body) : authResp.Status, + } + ) + : + { + "ok": true, + ?"access": state.?cursor.access_token, + ?"refresh": state.?cursor.refresh_token, + } + ).as(tok, + tok.ok ? + request( + "GET", + (state.?next_page.?link.orValue("") != "") ? + ( + state.next_page.link.startsWith("http") ? + state.next_page.link + : + base + state.next_page.link + ) + : + base + "/api/entityInventory/entities?" + { + "pageSize": [string(int(state.page_size))], + }.format_query() + ).with( + { + "Header": { + "Authorization": ["Bearer " + tok.access], + "Content-Type": ["application/json"], + }, + } + ).do_request().as(resp, + (resp.StatusCode == 200) ? 
+ resp.Body.decode_json().as(body, + { + "events": body.?data.orValue([]).map(e, {"message": e.encode_json()}), + "cursor": { + "access_token": tok.access, + "refresh_token": tok.refresh, + "need_reauth": false, + }, + "next_page": { + ?"link": body.?paging.?nextLink.orValue(null) != null ? + optional.of(body.paging.nextLink) : optional.none(), + }, + "want_more": body.?paging.?nextLink.orValue(null) != null, + } + ) + : (resp.StatusCode == 401 || resp.StatusCode == 419) ? + post_request( + base + "/api/refresh-token", + "application/json", + {"refreshToken": tok.refresh}.encode_json() + ).with( + { + "Header": {"Content-Type": ["application/json"]}, + } + ).do_request().as(refResp, + refResp.Body.decode_json().as(ro, + { + "events": [{"message": "retry"}], + "cursor": (refResp.StatusCode == 200) ? + { + "access_token": ro.accessToken, + "refresh_token": ro.refreshToken, + "need_reauth": false, + } + : + { + "access_token": "", + "refresh_token": "", + "need_reauth": true, + }, + "want_more": true, + } + ) + ) + : (resp.StatusCode == 429) ? + { + "events": { + "error": { + "code": string(resp.StatusCode), + "id": resp.Status, + "message": "GET " + base + + "/api/entityInventory/entities: rate limited", + }, + }, + "want_more": false, + } + : + { + "events": { + "error": { + "code": string(resp.StatusCode), + "id": resp.Status, + "message": "GET " + base + + "/api/entityInventory/entities: " + ( + (size(resp.Body) != 0) ? string(resp.Body) : (resp.Status) + ), + }, + }, + "want_more": false, + } + ) + : + { + "events": { + "error": { + "code": tok.err_code, + "id": tok.err_status, + "message": "POST " + base + + "/api/auth: " + tok.err_body, + }, + }, + "want_more": false, + } + ) + ) + ) +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} 
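Review bot: The 401/419 branch calls `refResp.Body.decode_json()` before looking at `refResp.StatusCode`, so a non-JSON or empty refresh response (an HTML error page from a proxy, a bare 401) aborts the whole evaluation instead of reaching the `need_reauth: true` fallback; check the status first and decode only on 200, as in the excerpt below. The same branch always returns `want_more: true`, so if `/api/auth` succeeds but the entities GET keeps answering 401 (for example an API key without inventory entitlement) the program cycles auth → GET 401 → refresh until `max_executions: 200` is exhausted, emitting a `retry` marker on every pass that the pipeline then drops; a small counter kept in the cursor (say `reauth_attempts`, reset to 0 on a 200 response) that stops with an error event after two or three rounds would bound that. `redact.fields` lists bare `access_token` and `refresh_token`, but the tokens are stored under `cursor.`; if the input matches dotted paths rather than leaf names, `cursor.access_token` and `cursor.refresh_token` should be listed as well so the request tracer and debug logs never record bearer tokens. Less urgent: an absolute `paging.nextLink` is followed verbatim with the bearer token attached, so a nextLink naming another host would send the token there; comparing its host against `base` before following it (or always using the path form) keeps the token on-origin.
```yaml
          : (resp.StatusCode == 401 || resp.StatusCode == 419) ?
            // … unchanged: post_request(base + "/api/refresh-token", …).with({…}) …
            .do_request().as(refResp,
              (refResp.StatusCode == 200) ?
                refResp.Body.decode_json().as(ro,
                  {
                    "events": [{"message": "retry"}],
                    "cursor": {
                      "access_token": ro.accessToken,
                      "refresh_token": ro.refreshToken,
                      "need_reauth": false,
                    },
                    "want_more": true,
                  }
                )
              :
                {
                  "events": [{"message": "retry"}],
                  "cursor": {
                    "access_token": "",
                    "refresh_token": "",
                    "need_reauth": true,
                  },
                  "want_more": true,
                }
            )
          // … unchanged: 429 and generic error branches …
```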
diff --git a/packages/xm_cyber/data_stream/entity_inventory/elasticsearch/ingest_pipeline/default.yml b/packages/xm_cyber/data_stream/entity_inventory/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..adbfee5f1a5 --- /dev/null +++ b/packages/xm_cyber/data_stream/entity_inventory/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,2162 @@ +--- +description: Pipeline for processing XM Cyber entity inventory events from CEL `message` JSON. +processors: + - set: + tag: set_ecs_version + field: ecs.version + value: 9.3.0 + - terminate: + description: error message set and no data to process. + tag: terminate_data_collection_error + if: ctx.error?.message != null && ctx.message == null && ctx.event?.original == null + + # drop CEL informational refresh-token marker events + - drop: + description: Drops the CEL token-refresh retry marker event so it does not become a phantom pipeline_error document. + tag: drop_cel_refresh_token_retry + if: ctx.message instanceof String && ctx.message == 'retry' + + # remove agentless metadata + - remove: + description: Removes the fields added by Agentless as metadata, as they can collide with ECS fields. + tag: remove_agentless_tags + if: ctx.organization instanceof String && ctx.division instanceof String && ctx.team instanceof String + field: + - organization + - division + - team + ignore_missing: true + + # parse the event JSON + - rename: + description: Renames the original `message` field to `event.original` to store a copy of the original message. The `event.original` field is not touched if the document already has one; it may happen when Logstash sends the document. + tag: rename_message_to_event_original + if: ctx.event?.original == null + field: message + target_field: event.original + ignore_missing: true + - remove: + description: The `message` field is no longer required if the document has an `event.original` field. 
+ tag: remove_message + if: ctx.event?.original != null + field: message + ignore_missing: true + + - json: + tag: json_event_original_into_xm_cyber_entity_inventory + field: event.original + target_field: xm_cyber.entity_inventory + if: ctx.event?.original != null + # Normalise vendor field names to snake_case recursively under xm_cyber.entity_inventory.* + # ----- event.kind / event.category / event.type ----- + - set: + tag: set_event_kind_asset + field: event.kind + value: asset + - fingerprint: + tag: fingerprint_with_id + fields: + - xm_cyber.entity_inventory.id + target_field: _id + ignore_missing: true + + - script: + description: > + Convert field names from camelCase to snake_case recursively. + NOTE: This processor reassigns the normalized output back to + ctx.xm_cyber.entity_inventory. + tag: script_convert_camelcase_to_snake_case + lang: painless + source: |- + // Helper function to convert camelCase to snake_case + String camelToSnake(String str) { + def result = ""; + for (int i = 0; i < str.length(); i++) { + char c = str.charAt(i); + if (Character.isUpperCase(c)) { + if (i > 0 && Character.isLowerCase(str.charAt(i - 1))) { + result += "_"; + } + result += Character.toLowerCase(c); + } else { + result += c; + } + } + return result; + } + // Recursive function to handle nested fields + def convertToSnakeCase(def obj) { + if (obj instanceof Map) { + def newObj = [:]; + for (entry in obj.entrySet()) { + String newKey = camelToSnake(entry.getKey()); + newObj[newKey] = convertToSnakeCase(entry.getValue()); + } + return newObj; + } else if (obj instanceof List) { + def newList = []; + for (item in obj) { + newList.add(convertToSnakeCase(item)); + } + return newList; + } else { + return obj; + } + } + // Apply the conversion + if (ctx.xm_cyber?.entity_inventory != null) { + ctx.xm_cyber.entity_inventory = convertToSnakeCase(ctx.xm_cyber.entity_inventory); + } + + # ----- Date proc for every date field (in-place ISO8601 normalization) ----- + - date: + tag: 
date_first_seen + field: xm_cyber.entity_inventory.first_seen + target_field: xm_cyber.entity_inventory.first_seen + formats: + - ISO8601 + if: ctx.xm_cyber?.entity_inventory?.first_seen != null && ctx.xm_cyber.entity_inventory.first_seen != '' && ctx.xm_cyber.entity_inventory.first_seen != 'Unknown' + on_failure: + - remove: + tag: remove_first_seen_on_failure + field: xm_cyber.entity_inventory.first_seen + ignore_missing: true + - append: + tag: append_error_message_first_seen + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + tag: date_last_connection_time + field: xm_cyber.entity_inventory.last_connection_time + target_field: xm_cyber.entity_inventory.last_connection_time + formats: + - ISO8601 + if: ctx.xm_cyber?.entity_inventory?.last_connection_time != null && ctx.xm_cyber.entity_inventory.last_connection_time != '' && ctx.xm_cyber.entity_inventory.last_connection_time != 'Unknown' + on_failure: + - remove: + tag: remove_last_connection_time_on_failure + field: xm_cyber.entity_inventory.last_connection_time + ignore_missing: true + - append: + tag: append_error_message_last_connection_time + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + tag: date_last_reboot_time + field: xm_cyber.entity_inventory.last_reboot_time + target_field: xm_cyber.entity_inventory.last_reboot_time + formats: + - ISO8601 + if: ctx.xm_cyber?.entity_inventory?.last_reboot_time != null && ctx.xm_cyber.entity_inventory.last_reboot_time != '' && ctx.xm_cyber.entity_inventory.last_reboot_time != 'Unknown' + on_failure: + - remove: + tag: remove_last_reboot_time_on_failure + field: 
xm_cyber.entity_inventory.last_reboot_time + ignore_missing: true + - append: + tag: append_error_message_last_reboot_time + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + tag: date_last_status_change + field: xm_cyber.entity_inventory.last_status_change + target_field: xm_cyber.entity_inventory.last_status_change + formats: + - ISO8601 + if: ctx.xm_cyber?.entity_inventory?.last_status_change != null && ctx.xm_cyber.entity_inventory.last_status_change != '' && ctx.xm_cyber.entity_inventory.last_status_change != 'Unknown' + on_failure: + - remove: + tag: remove_last_status_change_on_failure + field: xm_cyber.entity_inventory.last_status_change + ignore_missing: true + - append: + tag: append_error_message_last_status_change + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + tag: date_last_updated_at + field: xm_cyber.entity_inventory.last_updated_at + target_field: xm_cyber.entity_inventory.last_updated_at + formats: + - ISO8601 + if: ctx.xm_cyber?.entity_inventory?.last_updated_at != null && ctx.xm_cyber.entity_inventory.last_updated_at != '' && ctx.xm_cyber.entity_inventory.last_updated_at != 'Unknown' + on_failure: + - remove: + tag: remove_last_updated_at_on_failure + field: xm_cyber.entity_inventory.last_updated_at + ignore_missing: true + - append: + tag: append_error_message_last_updated_at + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + tag: date_disabled_changed_at + field: 
xm_cyber.entity_inventory.disabled_changed_at + target_field: xm_cyber.entity_inventory.disabled_changed_at + formats: + - ISO8601 + if: ctx.xm_cyber?.entity_inventory?.disabled_changed_at != null && ctx.xm_cyber.entity_inventory.disabled_changed_at != '' && ctx.xm_cyber.entity_inventory.disabled_changed_at != 'Unknown' + on_failure: + - remove: + tag: remove_disabled_changed_at_on_failure + field: xm_cyber.entity_inventory.disabled_changed_at + ignore_missing: true + - append: + tag: append_error_message_disabled_changed_at + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + tag: date_kms_key_creation_date + field: xm_cyber.entity_inventory.kms_key_creation_date + target_field: xm_cyber.entity_inventory.kms_key_creation_date + formats: + - ISO8601 + if: ctx.xm_cyber?.entity_inventory?.kms_key_creation_date != null && ctx.xm_cyber.entity_inventory.kms_key_creation_date != '' && ctx.xm_cyber.entity_inventory.kms_key_creation_date != 'Unknown' + on_failure: + - remove: + tag: remove_kms_key_creation_date_on_failure + field: xm_cyber.entity_inventory.kms_key_creation_date + ignore_missing: true + - append: + tag: append_error_message_kms_key_creation_date + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + tag: date_ssm_parameter_last_modified_date + field: xm_cyber.entity_inventory.ssm_parameter_last_modified_date + target_field: xm_cyber.entity_inventory.ssm_parameter_last_modified_date + formats: + - ISO8601 + if: ctx.xm_cyber?.entity_inventory?.ssm_parameter_last_modified_date != null && ctx.xm_cyber.entity_inventory.ssm_parameter_last_modified_date != '' && 
ctx.xm_cyber.entity_inventory.ssm_parameter_last_modified_date != 'Unknown' + on_failure: + - remove: + tag: remove_ssm_parameter_last_modified_date_on_failure + field: xm_cyber.entity_inventory.ssm_parameter_last_modified_date + ignore_missing: true + - append: + tag: append_error_message_ssm_parameter_last_modified_date + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + tag: date_time_to_revive_at + field: xm_cyber.entity_inventory.time_to_revive_at + target_field: xm_cyber.entity_inventory.time_to_revive_at + formats: + - ISO8601 + if: ctx.xm_cyber?.entity_inventory?.time_to_revive_at != null && ctx.xm_cyber.entity_inventory.time_to_revive_at != '' && ctx.xm_cyber.entity_inventory.time_to_revive_at != 'Unknown' + on_failure: + - remove: + tag: remove_time_to_revive_at_on_failure + field: xm_cyber.entity_inventory.time_to_revive_at + ignore_missing: true + - append: + tag: append_error_message_time_to_revive_at + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + tag: date_xm_update_time + field: xm_cyber.entity_inventory.xm_update_time + target_field: xm_cyber.entity_inventory.xm_update_time + formats: + - ISO8601 + if: ctx.xm_cyber?.entity_inventory?.xm_update_time != null && ctx.xm_cyber.entity_inventory.xm_update_time != '' && ctx.xm_cyber.entity_inventory.xm_update_time != 'Unknown' + on_failure: + - remove: + tag: remove_xm_update_time_on_failure + field: xm_cyber.entity_inventory.xm_update_time + ignore_missing: true + - append: + tag: append_error_message_xm_update_time + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag 
{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + + - date: + tag: date_created_date + field: xm_cyber.entity_inventory.created_date + target_field: xm_cyber.entity_inventory.created_date + formats: + - ISO8601 + if: ctx.xm_cyber?.entity_inventory?.created_date != null && ctx.xm_cyber.entity_inventory.created_date != '' && ctx.xm_cyber.entity_inventory.created_date != 'Unknown' + on_failure: + - remove: + tag: remove_created_date_on_failure + field: xm_cyber.entity_inventory.created_date + ignore_missing: true + - append: + tag: append_error_message_created_date + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + + - date: + tag: date_last_activity_date + field: xm_cyber.entity_inventory.last_activity_date + target_field: xm_cyber.entity_inventory.last_activity_date + formats: + - ISO8601 + if: ctx.xm_cyber?.entity_inventory?.last_activity_date != null && ctx.xm_cyber.entity_inventory.last_activity_date != '' && ctx.xm_cyber.entity_inventory.last_activity_date != 'Unknown' + on_failure: + - remove: + tag: remove_last_activity_date_on_failure + field: xm_cyber.entity_inventory.last_activity_date + ignore_missing: true + - append: + tag: append_error_message_last_activity_date + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + + - date: + tag: date_ebs_volume_create_time + field: xm_cyber.entity_inventory.ebs_volume_create_time + target_field: xm_cyber.entity_inventory.ebs_volume_create_time + formats: + - ISO8601 + if: ctx.xm_cyber?.entity_inventory?.ebs_volume_create_time != null && 
ctx.xm_cyber.entity_inventory.ebs_volume_create_time != '' && ctx.xm_cyber.entity_inventory.ebs_volume_create_time != 'Unknown' + on_failure: + - remove: + tag: remove_ebs_volume_create_time_on_failure + field: xm_cyber.entity_inventory.ebs_volume_create_time + ignore_missing: true + - append: + tag: append_error_message_ebs_volume_create_time + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + + - date: + tag: date_creation_timestamp + field: xm_cyber.entity_inventory.creation_timestamp + target_field: xm_cyber.entity_inventory.creation_timestamp + formats: + - ISO8601 + if: ctx.xm_cyber?.entity_inventory?.creation_timestamp != null && ctx.xm_cyber.entity_inventory.creation_timestamp != '' && ctx.xm_cyber.entity_inventory.creation_timestamp != 'Unknown' + on_failure: + - remove: + tag: remove_creation_timestamp_on_failure + field: xm_cyber.entity_inventory.creation_timestamp + ignore_missing: true + - append: + tag: append_error_message_creation_timestamp + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + + - date: + tag: date_access_key_creation_date + field: xm_cyber.entity_inventory.access_key_creation_date + target_field: xm_cyber.entity_inventory.access_key_creation_date + formats: + - ISO8601 + if: ctx.xm_cyber?.entity_inventory?.access_key_creation_date != null && ctx.xm_cyber.entity_inventory.access_key_creation_date != '' && ctx.xm_cyber.entity_inventory.access_key_creation_date != 'Unknown' + on_failure: + - remove: + tag: remove_access_key_creation_date_on_failure + field: xm_cyber.entity_inventory.access_key_creation_date + ignore_missing: true + - append: + tag: 
append_error_message_access_key_creation_date + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + + - date: + tag: date_last_running_time + field: xm_cyber.entity_inventory.last_running_time + target_field: xm_cyber.entity_inventory.last_running_time + formats: + - ISO8601 + if: ctx.xm_cyber?.entity_inventory?.last_running_time != null && ctx.xm_cyber.entity_inventory.last_running_time != '' && ctx.xm_cyber.entity_inventory.last_running_time != 'Unknown' + on_failure: + - remove: + tag: remove_last_running_time_on_failure + field: xm_cyber.entity_inventory.last_running_time + ignore_missing: true + - append: + tag: append_error_message_last_running_time + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + + - date: + tag: date_ecr_repository_creation_date + field: xm_cyber.entity_inventory.ecr_repository_creation_date + target_field: xm_cyber.entity_inventory.ecr_repository_creation_date + formats: + - ISO8601 + if: ctx.xm_cyber?.entity_inventory?.ecr_repository_creation_date != null && ctx.xm_cyber.entity_inventory.ecr_repository_creation_date != '' && ctx.xm_cyber.entity_inventory.ecr_repository_creation_date != 'Unknown' + on_failure: + - remove: + tag: remove_ecr_repository_creation_date_on_failure + field: xm_cyber.entity_inventory.ecr_repository_creation_date + ignore_missing: true + - append: + tag: append_error_message_ecr_repository_creation_date + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + + - date: + tag: 
date_dynamo_db_table_creation_date_time + field: xm_cyber.entity_inventory.dynamo_db_table_creation_date_time + target_field: xm_cyber.entity_inventory.dynamo_db_table_creation_date_time + formats: + - ISO8601 + if: ctx.xm_cyber?.entity_inventory?.dynamo_db_table_creation_date_time != null && ctx.xm_cyber.entity_inventory.dynamo_db_table_creation_date_time != '' && ctx.xm_cyber.entity_inventory.dynamo_db_table_creation_date_time != 'Unknown' + on_failure: + - remove: + tag: remove_dynamo_db_table_creation_date_time_on_failure + field: xm_cyber.entity_inventory.dynamo_db_table_creation_date_time + ignore_missing: true + - append: + tag: append_error_message_dynamo_db_table_creation_date_time + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + + - date: + tag: date_elasticache_cache_cluster_create_time + field: xm_cyber.entity_inventory.elasticache_cache_cluster_create_time + target_field: xm_cyber.entity_inventory.elasticache_cache_cluster_create_time + formats: + - ISO8601 + if: ctx.xm_cyber?.entity_inventory?.elasticache_cache_cluster_create_time != null && ctx.xm_cyber.entity_inventory.elasticache_cache_cluster_create_time != '' && ctx.xm_cyber.entity_inventory.elasticache_cache_cluster_create_time != 'Unknown' + on_failure: + - remove: + tag: remove_elasticache_cache_cluster_create_time_on_failure + field: xm_cyber.entity_inventory.elasticache_cache_cluster_create_time + ignore_missing: true + - append: + tag: append_error_message_elasticache_cache_cluster_create_time + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + + - date: + tag: date_sqs_queue_last_modified_date + field: 
xm_cyber.entity_inventory.sqs_queue_last_modified_date
+ target_field: xm_cyber.entity_inventory.sqs_queue_last_modified_date
+ formats:
+ - ISO8601
+ if: ctx.xm_cyber?.entity_inventory?.sqs_queue_last_modified_date != null && ctx.xm_cyber.entity_inventory.sqs_queue_last_modified_date != '' && ctx.xm_cyber.entity_inventory.sqs_queue_last_modified_date != 'Unknown'
+ on_failure:
+ - remove:
+ tag: remove_sqs_queue_last_modified_date_on_failure
+ field: xm_cyber.entity_inventory.sqs_queue_last_modified_date
+ ignore_missing: true
+ - append:
+ tag: append_error_message_sqs_queue_last_modified_date
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+
+ - date:
+ tag: date_create_time
+ field: xm_cyber.entity_inventory.create_time
+ target_field: xm_cyber.entity_inventory.create_time
+ formats:
+ - ISO8601
+ if: ctx.xm_cyber?.entity_inventory?.create_time != null && ctx.xm_cyber.entity_inventory.create_time != '' && ctx.xm_cyber.entity_inventory.create_time != 'Unknown'
+ on_failure:
+ - remove:
+ tag: remove_create_time_on_failure
+ field: xm_cyber.entity_inventory.create_time
+ ignore_missing: true
+ - append:
+ tag: append_error_message_create_time
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+
+ - date:
+ tag: date_created
+ field: xm_cyber.entity_inventory.created
+ target_field: xm_cyber.entity_inventory.created
+ formats:
+ - ISO8601
+ if: ctx.xm_cyber?.entity_inventory?.created != null && ctx.xm_cyber.entity_inventory.created != '' && ctx.xm_cyber.entity_inventory.created != 'Unknown'
+ on_failure:
+ - remove:
+ tag: remove_created_on_failure
+ field: xm_cyber.entity_inventory.created
+
ignore_missing: true
+ - append:
+ tag: append_error_message_created
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+
+ - date:
+ tag: date_last_modified
+ field: xm_cyber.entity_inventory.last_modified
+ target_field: xm_cyber.entity_inventory.last_modified
+ formats:
+ - ISO8601
+ if: ctx.xm_cyber?.entity_inventory?.last_modified != null && ctx.xm_cyber.entity_inventory.last_modified != '' && ctx.xm_cyber.entity_inventory.last_modified != 'Unknown'
+ on_failure:
+ - remove:
+ tag: remove_last_modified_on_failure
+ field: xm_cyber.entity_inventory.last_modified
+ ignore_missing: true
+ - append:
+ tag: append_error_message_last_modified
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+
+ - date:
+ tag: date_expire_at
+ field: xm_cyber.entity_inventory.expire_at
+ target_field: xm_cyber.entity_inventory.expire_at
+ formats:
+ - ISO8601
+ if: ctx.xm_cyber?.entity_inventory?.expire_at != null && ctx.xm_cyber.entity_inventory.expire_at != '' && ctx.xm_cyber.entity_inventory.expire_at != 'Unknown'
+ on_failure:
+ - remove:
+ tag: remove_expire_at_on_failure
+ field: xm_cyber.entity_inventory.expire_at
+ ignore_missing: true
+ - append:
+ tag: append_error_message_expire_at
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+
+ - date:
+ tag: date_when_created
+ field: xm_cyber.entity_inventory.when_created
+ target_field: xm_cyber.entity_inventory.when_created
+ formats:
+ - ISO8601
+ if:
ctx.xm_cyber?.entity_inventory?.when_created != null && ctx.xm_cyber.entity_inventory.when_created != '' && ctx.xm_cyber.entity_inventory.when_created != 'Unknown'
+ on_failure:
+ - remove:
+ tag: remove_when_created_on_failure
+ field: xm_cyber.entity_inventory.when_created
+ ignore_missing: true
+ - append:
+ tag: append_error_message_when_created
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+
+ - date:
+ tag: date_xm_mongo_update_time
+ field: xm_cyber.entity_inventory.xm_mongo_update_time
+ target_field: xm_cyber.entity_inventory.xm_mongo_update_time
+ formats:
+ - ISO8601
+ if: ctx.xm_cyber?.entity_inventory?.xm_mongo_update_time != null && ctx.xm_cyber.entity_inventory.xm_mongo_update_time != '' && ctx.xm_cyber.entity_inventory.xm_mongo_update_time != 'Unknown'
+ on_failure:
+ - remove:
+ tag: remove_xm_mongo_update_time_on_failure
+ field: xm_cyber.entity_inventory.xm_mongo_update_time
+ ignore_missing: true
+ - append:
+ tag: append_error_message_xm_mongo_update_time
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+
+ - date:
+ tag: date_redshift_cluster_create_time
+ field: xm_cyber.entity_inventory.redshift_cluster_create_time
+ target_field: xm_cyber.entity_inventory.redshift_cluster_create_time
+ formats:
+ - ISO8601
+ if: ctx.xm_cyber?.entity_inventory?.redshift_cluster_create_time != null && ctx.xm_cyber.entity_inventory.redshift_cluster_create_time != '' && ctx.xm_cyber.entity_inventory.redshift_cluster_create_time != 'Unknown'
+ on_failure:
+ - remove:
+ tag: remove_redshift_cluster_create_time_on_failure
+ field: xm_cyber.entity_inventory.redshift_cluster_create_time
+ ignore_missing:
true
+ - append:
+ tag: append_error_message_redshift_cluster_create_time
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ # ----- Per-element date proc for ebs_volume_attachments[].attach_time -----
+ - foreach:
+ tag: foreach_ebs_volume_attachments_attach_time
+ field: xm_cyber.entity_inventory.ebs_volume_attachments
+ ignore_missing: true
+ if: ctx.xm_cyber?.entity_inventory?.ebs_volume_attachments instanceof List
+ processor:
+ date:
+ tag: date_ebs_volume_attachments_attach_time_element
+ field: _ingest._value.attach_time
+ target_field: _ingest._value.attach_time
+ formats:
+ - ISO8601
+ on_failure:
+ - remove:
+ tag: remove_ebs_volume_attachments_attach_time_element_on_failure
+ field: _ingest._value.attach_time
+ ignore_missing: true
+ # ----- Convert procs for long fields -----
+ - convert:
+ tag: convert_connection_counter_long
+ field: xm_cyber.entity_inventory.connection_counter
+ type: long
+ ignore_missing: true
+ if: ctx.xm_cyber?.entity_inventory?.connection_counter != ''
+ on_failure:
+ - remove:
+ tag: remove_connection_counter_on_failure
+ field: xm_cyber.entity_inventory.connection_counter
+ ignore_missing: true
+ - append:
+ tag: append_error_message_connection_counter
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ tag: convert_agent_version_major_long
+ field: xm_cyber.entity_inventory.agent_version.major
+ type: long
+ ignore_missing: true
+ if: ctx.xm_cyber?.entity_inventory?.agent_version?.major != ''
+ on_failure:
+ - remove:
+ tag: remove_agent_version_major_on_failure
+ field: xm_cyber.entity_inventory.agent_version.major
+ ignore_missing: true
+ - append:
+
tag: append_error_message_agent_version_major
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ tag: convert_agent_version_minor_long
+ field: xm_cyber.entity_inventory.agent_version.minor
+ type: long
+ ignore_missing: true
+ if: ctx.xm_cyber?.entity_inventory?.agent_version?.minor != ''
+ on_failure:
+ - remove:
+ tag: remove_agent_version_minor_on_failure
+ field: xm_cyber.entity_inventory.agent_version.minor
+ ignore_missing: true
+ - append:
+ tag: append_error_message_agent_version_minor
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ tag: convert_agent_version_patch_long
+ field: xm_cyber.entity_inventory.agent_version.patch
+ type: long
+ ignore_missing: true
+ if: ctx.xm_cyber?.entity_inventory?.agent_version?.patch != ''
+ on_failure:
+ - remove:
+ tag: remove_agent_version_patch_on_failure
+ field: xm_cyber.entity_inventory.agent_version.patch
+ ignore_missing: true
+ - append:
+ tag: append_error_message_agent_version_patch
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ tag: convert_latest_possible_agent_version_major_long
+ field: xm_cyber.entity_inventory.latest_possible_agent_version.major
+ type: long
+ ignore_missing: true
+ if: ctx.xm_cyber?.entity_inventory?.latest_possible_agent_version?.major != ''
+ on_failure:
+ - remove:
+ tag: remove_latest_possible_agent_version_major_on_failure
+ field: xm_cyber.entity_inventory.latest_possible_agent_version.major
+
ignore_missing: true
+ - append:
+ tag: append_error_message_latest_possible_agent_version_major
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ tag: convert_latest_possible_agent_version_minor_long
+ field: xm_cyber.entity_inventory.latest_possible_agent_version.minor
+ type: long
+ ignore_missing: true
+ if: ctx.xm_cyber?.entity_inventory?.latest_possible_agent_version?.minor != ''
+ on_failure:
+ - remove:
+ tag: remove_latest_possible_agent_version_minor_on_failure
+ field: xm_cyber.entity_inventory.latest_possible_agent_version.minor
+ ignore_missing: true
+ - append:
+ tag: append_error_message_latest_possible_agent_version_minor
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ tag: convert_latest_possible_agent_version_patch_long
+ field: xm_cyber.entity_inventory.latest_possible_agent_version.patch
+ type: long
+ ignore_missing: true
+ if: ctx.xm_cyber?.entity_inventory?.latest_possible_agent_version?.patch != ''
+ on_failure:
+ - remove:
+ tag: remove_latest_possible_agent_version_patch_on_failure
+ field: xm_cyber.entity_inventory.latest_possible_agent_version.patch
+ ignore_missing: true
+ - append:
+ tag: append_error_message_latest_possible_agent_version_patch
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ tag: convert_os_service_pack_build_long
+ field: xm_cyber.entity_inventory.os.service_pack.build
+ type: long
+ ignore_missing: true
+ if:
ctx.xm_cyber?.entity_inventory?.os?.service_pack?.build != ''
+ on_failure:
+ - remove:
+ tag: remove_os_service_pack_build_on_failure
+ field: xm_cyber.entity_inventory.os.service_pack.build
+ ignore_missing: true
+ - append:
+ tag: append_error_message_os_service_pack_build
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ tag: convert_os_service_pack_major_long
+ field: xm_cyber.entity_inventory.os.service_pack.major
+ type: long
+ ignore_missing: true
+ if: ctx.xm_cyber?.entity_inventory?.os?.service_pack?.major != ''
+ on_failure:
+ - remove:
+ tag: remove_os_service_pack_major_on_failure
+ field: xm_cyber.entity_inventory.os.service_pack.major
+ ignore_missing: true
+ - append:
+ tag: append_error_message_os_service_pack_major
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ tag: convert_os_service_pack_minor_long
+ field: xm_cyber.entity_inventory.os.service_pack.minor
+ type: long
+ ignore_missing: true
+ if: ctx.xm_cyber?.entity_inventory?.os?.service_pack?.minor != ''
+ on_failure:
+ - remove:
+ tag: remove_os_service_pack_minor_on_failure
+ field: xm_cyber.entity_inventory.os.service_pack.minor
+ ignore_missing: true
+ - append:
+ tag: append_error_message_os_service_pack_minor
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ tag: convert_os_service_pack_patch_long
+ field: xm_cyber.entity_inventory.os.service_pack.patch
+ type: long
+ ignore_missing: true
+ if:
ctx.xm_cyber?.entity_inventory?.os?.service_pack?.patch != ''
+ on_failure:
+ - remove:
+ tag: remove_os_service_pack_patch_on_failure
+ field: xm_cyber.entity_inventory.os.service_pack.patch
+ ignore_missing: true
+ - append:
+ tag: append_error_message_os_service_pack_patch
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ tag: convert_os_version_build_long
+ field: xm_cyber.entity_inventory.os.version.build
+ type: long
+ ignore_missing: true
+ if: ctx.xm_cyber?.entity_inventory?.os?.version?.build != ''
+ on_failure:
+ - remove:
+ tag: remove_os_version_build_on_failure
+ field: xm_cyber.entity_inventory.os.version.build
+ ignore_missing: true
+ - append:
+ tag: append_error_message_os_version_build
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ tag: convert_os_version_major_long
+ field: xm_cyber.entity_inventory.os.version.major
+ type: long
+ ignore_missing: true
+ if: ctx.xm_cyber?.entity_inventory?.os?.version?.major != ''
+ on_failure:
+ - remove:
+ tag: remove_os_version_major_on_failure
+ field: xm_cyber.entity_inventory.os.version.major
+ ignore_missing: true
+ - append:
+ tag: append_error_message_os_version_major
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ tag: convert_os_version_minor_long
+ field: xm_cyber.entity_inventory.os.version.minor
+ type: long
+ ignore_missing: true
+ if: ctx.xm_cyber?.entity_inventory?.os?.version?.minor != ''
+ on_failure:
+ -
remove:
+ tag: remove_os_version_minor_on_failure
+ field: xm_cyber.entity_inventory.os.version.minor
+ ignore_missing: true
+ - append:
+ tag: append_error_message_os_version_minor
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ tag: convert_os_version_patch_long
+ field: xm_cyber.entity_inventory.os.version.patch
+ type: long
+ ignore_missing: true
+ if: ctx.xm_cyber?.entity_inventory?.os?.version?.patch != ''
+ on_failure:
+ - remove:
+ tag: remove_os_version_patch_on_failure
+ field: xm_cyber.entity_inventory.os.version.patch
+ ignore_missing: true
+ - append:
+ tag: append_error_message_os_version_patch
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ tag: convert_ssm_parameter_version_long
+ field: xm_cyber.entity_inventory.ssm_parameter_version
+ type: long
+ ignore_missing: true
+ if: ctx.xm_cyber?.entity_inventory?.ssm_parameter_version != ''
+ on_failure:
+ - remove:
+ tag: remove_ssm_parameter_version_on_failure
+ field: xm_cyber.entity_inventory.ssm_parameter_version
+ ignore_missing: true
+ - append:
+ tag: append_error_message_ssm_parameter_version
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - script:
+ tag: script_split_xm_cyber_entity_inventory_ipv4_by_shape
+ description: >
+ Splits xm_cyber.entity_inventory.ipv4 by element shape so that each shape
+ lands at a field path with a compatible mapping. String elements (e.g.
+ "wKgByw==") stay in xm_cyber.entity_inventory.ipv4 (keyword). Object
+ elements (e.g. {"data":[192,168,1,203],"type":"Buffer"}) move to
+ xm_cyber.entity_inventory.ipv4_buffer with their original "data" and
+ "type" keys preserved.
+ if: ctx.xm_cyber?.entity_inventory?.ipv4 instanceof List
+ lang: painless
+ source: |-
+ def src = ctx.xm_cyber.entity_inventory.ipv4;
+ def strings = [];
+ def objects = [];
+ for (def v : src) {
+ if (v == null) { continue; }
+ if (v instanceof String) {
+ strings.add((String) v);
+ } else if (v instanceof Map) {
+ objects.add(v);
+ }
+ }
+ if (strings.isEmpty()) {
+ ctx.xm_cyber.entity_inventory.remove('ipv4');
+ } else {
+ ctx.xm_cyber.entity_inventory.ipv4 = strings;
+ }
+ if (!objects.isEmpty()) {
+ ctx.xm_cyber.entity_inventory.ipv4_buffer = objects;
+ }
+ on_failure:
+ - append:
+ tag: append_error_message_script_split_ipv4_by_shape
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - script:
+ tag: script_split_xm_cyber_entity_inventory_ipv6_by_shape
+ description: >
+ Splits xm_cyber.entity_inventory.ipv6 by element shape so that each shape
+ lands at a field path with a compatible mapping. String elements stay in
+ xm_cyber.entity_inventory.ipv6 (keyword). Object elements (e.g.
+ {"data":[...],"type":"Buffer"}) move to
+ xm_cyber.entity_inventory.ipv6_buffer with their original "data" and
+ "type" keys preserved.
+ if: ctx.xm_cyber?.entity_inventory?.ipv6 instanceof List
+ lang: painless
+ source: |-
+ def src = ctx.xm_cyber.entity_inventory.ipv6;
+ def strings = [];
+ def objects = [];
+ for (def v : src) {
+ if (v == null) { continue; }
+ if (v instanceof String) {
+ strings.add((String) v);
+ } else if (v instanceof Map) {
+ objects.add(v);
+ }
+ }
+ if (strings.isEmpty()) {
+ ctx.xm_cyber.entity_inventory.remove('ipv6');
+ } else {
+ ctx.xm_cyber.entity_inventory.ipv6 = strings;
+ }
+ if (!objects.isEmpty()) {
+ ctx.xm_cyber.entity_inventory.ipv6_buffer = objects;
+ }
+ on_failure:
+ - append:
+ tag: append_error_message_script_split_ipv6_by_shape
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ tag: foreach_convert_ipv4_num_long
+ field: xm_cyber.entity_inventory.ipv4num
+ ignore_missing: true
+ if: ctx.xm_cyber?.entity_inventory?.ipv4num != null
+ processor:
+ convert:
+ tag: convert_ipv4_num_long_element
+ field: _ingest._value
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ tag: remove_ipv4_num_element_on_failure
+ field: _ingest._value
+ ignore_missing: true
+ - append:
+ tag: append_error_message_ipv4_num_element
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ tag: convert_custom_properties_hardware_info_cpu_core_count_long
+ field: xm_cyber.entity_inventory.custom_properties.hardware_info.cpu_core_count
+ type: long
+ ignore_missing: true
+ if: ctx.xm_cyber?.entity_inventory?.custom_properties?.hardware_info?.cpu_core_count != ''
+ on_failure:
+ - remove:
+ tag: remove_custom_properties_hardware_info_cpu_core_count_on_failure
+ field:
xm_cyber.entity_inventory.custom_properties.hardware_info.cpu_core_count
+ ignore_missing: true
+ - append:
+ tag: append_error_message_custom_properties_hardware_info_cpu_core_count
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ tag: convert_custom_properties_hardware_info_cpu_count_long
+ field: xm_cyber.entity_inventory.custom_properties.hardware_info.cpu_count
+ type: long
+ ignore_missing: true
+ if: ctx.xm_cyber?.entity_inventory?.custom_properties?.hardware_info?.cpu_count != ''
+ on_failure:
+ - remove:
+ tag: remove_custom_properties_hardware_info_cpu_count_on_failure
+ field: xm_cyber.entity_inventory.custom_properties.hardware_info.cpu_count
+ ignore_missing: true
+ - append:
+ tag: append_error_message_custom_properties_hardware_info_cpu_count
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ tag: convert_custom_properties_hardware_info_cpu_speed_mhz_long
+ field: xm_cyber.entity_inventory.custom_properties.hardware_info.cpu_speed_mhz
+ type: long
+ ignore_missing: true
+ if: ctx.xm_cyber?.entity_inventory?.custom_properties?.hardware_info?.cpu_speed_mhz != ''
+ on_failure:
+ - remove:
+ tag: remove_custom_properties_hardware_info_cpu_speed_mhz_on_failure
+ field: xm_cyber.entity_inventory.custom_properties.hardware_info.cpu_speed_mhz
+ ignore_missing: true
+ - append:
+ tag: append_error_message_custom_properties_hardware_info_cpu_speed_mhz
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message:
{{{_ingest.on_failure_message}}}'
+
+ - convert:
+ tag: convert_role_max_session_duration_long
+ field: xm_cyber.entity_inventory.role_max_session_duration
+ type: long
+ ignore_missing: true
+ if: ctx.xm_cyber?.entity_inventory?.role_max_session_duration != ''
+ on_failure:
+ - remove:
+ tag: remove_role_max_session_duration_on_failure
+ field: xm_cyber.entity_inventory.role_max_session_duration
+ ignore_missing: true
+ - append:
+ tag: append_error_message_role_max_session_duration
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+
+ - convert:
+ tag: convert_ebs_volume_iops_long
+ field: xm_cyber.entity_inventory.ebs_volume_iops
+ type: long
+ ignore_missing: true
+ if: ctx.xm_cyber?.entity_inventory?.ebs_volume_iops != ''
+ on_failure:
+ - remove:
+ tag: remove_ebs_volume_iops_on_failure
+ field: xm_cyber.entity_inventory.ebs_volume_iops
+ ignore_missing: true
+ - append:
+ tag: append_error_message_ebs_volume_iops
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+
+ - convert:
+ tag: convert_ebs_volume_size_long
+ field: xm_cyber.entity_inventory.ebs_volume_size
+ type: long
+ ignore_missing: true
+ if: ctx.xm_cyber?.entity_inventory?.ebs_volume_size != ''
+ on_failure:
+ - remove:
+ tag: remove_ebs_volume_size_on_failure
+ field: xm_cyber.entity_inventory.ebs_volume_size
+ ignore_missing: true
+ - append:
+ tag: append_error_message_ebs_volume_size
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+
+ - convert:
+ tag:
convert_user_access_keys_count_long
+ field: xm_cyber.entity_inventory.user_access_keys_count
+ type: long
+ ignore_missing: true
+ if: ctx.xm_cyber?.entity_inventory?.user_access_keys_count != ''
+ on_failure:
+ - remove:
+ tag: remove_user_access_keys_count_on_failure
+ field: xm_cyber.entity_inventory.user_access_keys_count
+ ignore_missing: true
+ - append:
+ tag: append_error_message_user_access_keys_count
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+
+ - convert:
+ tag: convert_dynamo_db_table_item_count_long
+ field: xm_cyber.entity_inventory.dynamo_db_table_item_count
+ type: long
+ ignore_missing: true
+ if: ctx.xm_cyber?.entity_inventory?.dynamo_db_table_item_count != ''
+ on_failure:
+ - remove:
+ tag: remove_dynamo_db_table_item_count_on_failure
+ field: xm_cyber.entity_inventory.dynamo_db_table_item_count
+ ignore_missing: true
+ - append:
+ tag: append_error_message_dynamo_db_table_item_count
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+
+ - convert:
+ tag: convert_dynamo_db_table_size_bytes_long
+ field: xm_cyber.entity_inventory.dynamo_db_table_size_bytes
+ type: long
+ ignore_missing: true
+ if: ctx.xm_cyber?.entity_inventory?.dynamo_db_table_size_bytes != ''
+ on_failure:
+ - remove:
+ tag: remove_dynamo_db_table_size_bytes_on_failure
+ field: xm_cyber.entity_inventory.dynamo_db_table_size_bytes
+ ignore_missing: true
+ - append:
+ tag: append_error_message_dynamo_db_table_size_bytes
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message:
{{{_ingest.on_failure_message}}}'
+
+ - convert:
+ tag: convert_elasticache_cache_cache_security_groups_long
+ field: xm_cyber.entity_inventory.elasticache_cache_cache_security_groups
+ type: long
+ ignore_missing: true
+ if: ctx.xm_cyber?.entity_inventory?.elasticache_cache_cache_security_groups != ''
+ on_failure:
+ - remove:
+ tag: remove_elasticache_cache_cache_security_groups_on_failure
+ field: xm_cyber.entity_inventory.elasticache_cache_cache_security_groups
+ ignore_missing: true
+ - append:
+ tag: append_error_message_elasticache_cache_cache_security_groups
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+
+ - convert:
+ tag: convert_elasticache_cache_cluster_num_cache_nodes_long
+ field: xm_cyber.entity_inventory.elasticache_cache_cluster_num_cache_nodes
+ type: long
+ ignore_missing: true
+ if: ctx.xm_cyber?.entity_inventory?.elasticache_cache_cluster_num_cache_nodes != ''
+ on_failure:
+ - remove:
+ tag: remove_elasticache_cache_cluster_num_cache_nodes_on_failure
+ field: xm_cyber.entity_inventory.elasticache_cache_cluster_num_cache_nodes
+ ignore_missing: true
+ - append:
+ tag: append_error_message_elasticache_cache_cluster_num_cache_nodes
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+
+ - convert:
+ tag: convert_elasticache_cache_security_groups_long
+ field: xm_cyber.entity_inventory.elasticache_cache_security_groups
+ type: long
+ ignore_missing: true
+ if: ctx.xm_cyber?.entity_inventory?.elasticache_cache_security_groups != ''
+ on_failure:
+ - remove:
+ tag: remove_elasticache_cache_security_groups_on_failure
+ field: xm_cyber.entity_inventory.elasticache_cache_security_groups
+
ignore_missing: true
+ - append:
+ tag: append_error_message_elasticache_cache_security_groups
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+
+ - convert:
+ tag: convert_version_number_long
+ field: xm_cyber.entity_inventory.version_number
+ type: long
+ ignore_missing: true
+ if: ctx.xm_cyber?.entity_inventory?.version_number != ''
+ on_failure:
+ - remove:
+ tag: remove_version_number_on_failure
+ field: xm_cyber.entity_inventory.version_number
+ ignore_missing: true
+ - append:
+ tag: append_error_message_version_number
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+
+ - convert:
+ tag: convert_nodes_in_node_group_count_long
+ field: xm_cyber.entity_inventory.nodes_in_node_group_count
+ type: long
+ ignore_missing: true
+ if: ctx.xm_cyber?.entity_inventory?.nodes_in_node_group_count != ''
+ on_failure:
+ - remove:
+ tag: remove_nodes_in_node_group_count_on_failure
+ field: xm_cyber.entity_inventory.nodes_in_node_group_count
+ ignore_missing: true
+ - append:
+ tag: append_error_message_nodes_in_node_group_count
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+
+ - convert:
+ tag: convert_machine_account_quota_long
+ field: xm_cyber.entity_inventory.machine_account_quota
+ type: long
+ ignore_missing: true
+ if: ctx.xm_cyber?.entity_inventory?.machine_account_quota != ''
+ on_failure:
+ - remove:
+ tag: remove_machine_account_quota_on_failure
+ field: xm_cyber.entity_inventory.machine_account_quota
+ ignore_missing:
true
+ - append:
+ tag: append_error_message_machine_account_quota
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+
+ - convert:
+ tag: convert_endpoint_port_long
+ field: xm_cyber.entity_inventory.endpoint_port
+ type: long
+ ignore_missing: true
+ if: ctx.xm_cyber?.entity_inventory?.endpoint_port != ''
+ on_failure:
+ - remove:
+ tag: remove_endpoint_port_on_failure
+ field: xm_cyber.entity_inventory.endpoint_port
+ ignore_missing: true
+ - append:
+ tag: append_error_message_endpoint_port
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+
+ - convert:
+ tag: convert_redshift_cluster_number_of_nodes_long
+ field: xm_cyber.entity_inventory.redshift_cluster_number_of_nodes
+ type: long
+ ignore_missing: true
+ if: ctx.xm_cyber?.entity_inventory?.redshift_cluster_number_of_nodes != ''
+ on_failure:
+ - remove:
+ tag: remove_redshift_cluster_number_of_nodes_on_failure
+ field: xm_cyber.entity_inventory.redshift_cluster_number_of_nodes
+ ignore_missing: true
+ - append:
+ tag: append_error_message_redshift_cluster_number_of_nodes
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ # ----- Per-element long proc for ebs_volume_attachments[].ebs_card_index -----
+ - foreach:
+ tag: foreach_ebs_volume_attachments_ebs_card_index
+ field: xm_cyber.entity_inventory.ebs_volume_attachments
+ ignore_missing: true
+ if: ctx.xm_cyber?.entity_inventory?.ebs_volume_attachments instanceof List
+ processor:
+ convert:
+ tag:
convert_ebs_volume_attachments_ebs_card_index_element_long
+ field: _ingest._value.ebs_card_index
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ tag: remove_ebs_volume_attachments_ebs_card_index_element_on_failure
+ field: _ingest._value.ebs_card_index
+ ignore_missing: true
+ - append:
+ tag: append_error_message_ebs_volume_attachments_ebs_card_index_element
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ # ----- Convert procs for boolean fields -----
+ - convert:
+ tag: convert_disabled_boolean
+ field: xm_cyber.entity_inventory.disabled
+ type: boolean
+ ignore_missing: true
+ if: ctx.xm_cyber?.entity_inventory?.disabled != ''
+ on_failure:
+ - remove:
+ tag: remove_disabled_on_failure
+ field: xm_cyber.entity_inventory.disabled
+ ignore_missing: true
+ - append:
+ tag: append_error_message_disabled
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ tag: convert_has_matching_sid_boolean
+ field: xm_cyber.entity_inventory.has_matching_sid
+ type: boolean
+ ignore_missing: true
+ if: ctx.xm_cyber?.entity_inventory?.has_matching_sid != ''
+ on_failure:
+ - remove:
+ tag: remove_has_matching_sid_on_failure
+ field: xm_cyber.entity_inventory.has_matching_sid
+ ignore_missing: true
+ - append:
+ tag: append_error_message_has_matching_sid
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ tag: convert_has_update_available_boolean
+ field: xm_cyber.entity_inventory.has_update_available 
+ type: boolean
+ ignore_missing: true
+ if: ctx.xm_cyber?.entity_inventory?.has_update_available != ''
+ on_failure:
+ - remove:
+ tag: remove_has_update_available_on_failure
+ field: xm_cyber.entity_inventory.has_update_available
+ ignore_missing: true
+ - append:
+ tag: append_error_message_has_update_available
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ tag: convert_not_included_in_attacks_boolean
+ field: xm_cyber.entity_inventory.not_included_in_attacks
+ type: boolean
+ ignore_missing: true
+ if: ctx.xm_cyber?.entity_inventory?.not_included_in_attacks != ''
+ on_failure:
+ - remove:
+ tag: remove_not_included_in_attacks_on_failure
+ field: xm_cyber.entity_inventory.not_included_in_attacks
+ ignore_missing: true
+ - append:
+ tag: append_error_message_not_included_in_attacks
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ tag: convert_entity_details_is_asset_boolean
+ field: xm_cyber.entity_inventory.entity_details.is_asset
+ type: boolean
+ ignore_missing: true
+ if: ctx.xm_cyber?.entity_inventory?.entity_details?.is_asset != ''
+ on_failure:
+ - remove:
+ tag: remove_entity_details_is_asset_on_failure
+ field: xm_cyber.entity_inventory.entity_details.is_asset
+ ignore_missing: true
+ - append:
+ tag: append_error_message_entity_details_is_asset
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ tag: convert_custom_properties_sniffer_status_changeable_boolean
+ field: 
xm_cyber.entity_inventory.custom_properties.sniffer_status_changeable
+ type: boolean
+ ignore_missing: true
+ if: ctx.xm_cyber?.entity_inventory?.custom_properties?.sniffer_status_changeable != ''
+ on_failure:
+ - remove:
+ tag: remove_custom_properties_sniffer_status_changeable_on_failure
+ field: xm_cyber.entity_inventory.custom_properties.sniffer_status_changeable
+ ignore_missing: true
+ - append:
+ tag: append_error_message_custom_properties_sniffer_status_changeable
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+
+ - convert:
+ tag: convert_is_highly_privileged_boolean
+ field: xm_cyber.entity_inventory.is_highly_privileged
+ type: boolean
+ ignore_missing: true
+ if: ctx.xm_cyber?.entity_inventory?.is_highly_privileged != ''
+ on_failure:
+ - remove:
+ tag: remove_is_highly_privileged_on_failure
+ field: xm_cyber.entity_inventory.is_highly_privileged
+ ignore_missing: true
+ - append:
+ tag: append_error_message_is_highly_privileged
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+
+ - convert:
+ tag: convert_encryption_boolean
+ field: xm_cyber.entity_inventory.encryption
+ type: boolean
+ ignore_missing: true
+ if: ctx.xm_cyber?.entity_inventory?.encryption != ''
+ on_failure:
+ - remove:
+ tag: remove_encryption_on_failure
+ field: xm_cyber.entity_inventory.encryption
+ ignore_missing: true
+ - append:
+ tag: append_error_message_encryption
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+
+ - convert:
+ tag: 
convert_ebs_volume_multi_attach_enabled_boolean
+ field: xm_cyber.entity_inventory.ebs_volume_multi_attach_enabled
+ type: boolean
+ ignore_missing: true
+ if: ctx.xm_cyber?.entity_inventory?.ebs_volume_multi_attach_enabled != ''
+ on_failure:
+ - remove:
+ tag: remove_ebs_volume_multi_attach_enabled_on_failure
+ field: xm_cyber.entity_inventory.ebs_volume_multi_attach_enabled
+ ignore_missing: true
+ - append:
+ tag: append_error_message_ebs_volume_multi_attach_enabled
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+
+ - convert:
+ tag: convert_is_mfaenabled_boolean
+ field: xm_cyber.entity_inventory.is_mfaenabled
+ type: boolean
+ ignore_missing: true
+ if: ctx.xm_cyber?.entity_inventory?.is_mfaenabled != ''
+ on_failure:
+ - remove:
+ tag: remove_is_mfaenabled_on_failure
+ field: xm_cyber.entity_inventory.is_mfaenabled
+ ignore_missing: true
+ - append:
+ tag: append_error_message_is_mfaenabled
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+
+ - convert:
+ tag: convert_public_boolean
+ field: xm_cyber.entity_inventory.public
+ type: boolean
+ ignore_missing: true
+ if: ctx.xm_cyber?.entity_inventory?.public != ''
+ on_failure:
+ - remove:
+ tag: remove_public_on_failure
+ field: xm_cyber.entity_inventory.public
+ ignore_missing: true
+ - append:
+ tag: append_error_message_public
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+
+ - convert:
+ tag: convert_is_running_boolean
+ field: 
xm_cyber.entity_inventory.is_running
+ type: boolean
+ ignore_missing: true
+ if: ctx.xm_cyber?.entity_inventory?.is_running != ''
+ on_failure:
+ - remove:
+ tag: remove_is_running_on_failure
+ field: xm_cyber.entity_inventory.is_running
+ ignore_missing: true
+ - append:
+ tag: append_error_message_is_running
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+
+ - convert:
+ tag: convert_ecr_repository_image_scanning_on_push_boolean
+ field: xm_cyber.entity_inventory.ecr_repository_image_scanning_on_push
+ type: boolean
+ ignore_missing: true
+ if: ctx.xm_cyber?.entity_inventory?.ecr_repository_image_scanning_on_push != ''
+ on_failure:
+ - remove:
+ tag: remove_ecr_repository_image_scanning_on_push_on_failure
+ field: xm_cyber.entity_inventory.ecr_repository_image_scanning_on_push
+ ignore_missing: true
+ - append:
+ tag: append_error_message_ecr_repository_image_scanning_on_push
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+
+ - convert:
+ tag: convert_is_valid_boolean
+ field: xm_cyber.entity_inventory.is_valid
+ type: boolean
+ ignore_missing: true
+ if: ctx.xm_cyber?.entity_inventory?.is_valid != ''
+ on_failure:
+ - remove:
+ tag: remove_is_valid_on_failure
+ field: xm_cyber.entity_inventory.is_valid
+ ignore_missing: true
+ - append:
+ tag: append_error_message_is_valid
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+
+ - convert:
+ tag: convert_elasticache_cache_cluster_auth_token_boolean
+ field: 
xm_cyber.entity_inventory.elasticache_cache_cluster_auth_token
+ type: boolean
+ ignore_missing: true
+ if: ctx.xm_cyber?.entity_inventory?.elasticache_cache_cluster_auth_token != ''
+ on_failure:
+ - remove:
+ tag: remove_elasticache_cache_cluster_auth_token_on_failure
+ field: xm_cyber.entity_inventory.elasticache_cache_cluster_auth_token
+ ignore_missing: true
+ - append:
+ tag: append_error_message_elasticache_cache_cluster_auth_token
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+
+ - convert:
+ tag: convert_elasticache_cache_cluster_transit_encryption_boolean
+ field: xm_cyber.entity_inventory.elasticache_cache_cluster_transit_encryption
+ type: boolean
+ ignore_missing: true
+ if: ctx.xm_cyber?.entity_inventory?.elasticache_cache_cluster_transit_encryption != ''
+ on_failure:
+ - remove:
+ tag: remove_elasticache_cache_cluster_transit_encryption_on_failure
+ field: xm_cyber.entity_inventory.elasticache_cache_cluster_transit_encryption
+ ignore_missing: true
+ - append:
+ tag: append_error_message_elasticache_cache_cluster_transit_encryption
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+
+ - convert:
+ tag: convert_default_version_boolean
+ field: xm_cyber.entity_inventory.default_version
+ type: boolean
+ ignore_missing: true
+ if: ctx.xm_cyber?.entity_inventory?.default_version != ''
+ on_failure:
+ - remove:
+ tag: remove_default_version_on_failure
+ field: xm_cyber.entity_inventory.default_version
+ ignore_missing: true
+ - append:
+ tag: append_error_message_default_version
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag 
{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+
+ - convert:
+ tag: convert_is_public_boolean
+ field: xm_cyber.entity_inventory.is_public
+ type: boolean
+ ignore_missing: true
+ if: ctx.xm_cyber?.entity_inventory?.is_public != ''
+ on_failure:
+ - remove:
+ tag: remove_is_public_on_failure
+ field: xm_cyber.entity_inventory.is_public
+ ignore_missing: true
+ - append:
+ tag: append_error_message_is_public
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+
+ - convert:
+ tag: convert_is_watched_boolean
+ field: xm_cyber.entity_inventory.is_watched
+ type: boolean
+ ignore_missing: true
+ if: ctx.xm_cyber?.entity_inventory?.is_watched != ''
+ on_failure:
+ - remove:
+ tag: remove_is_watched_on_failure
+ field: xm_cyber.entity_inventory.is_watched
+ ignore_missing: true
+ - append:
+ tag: append_error_message_is_watched
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ # ----- Per-element boolean proc for ebs_volume_attachments[].delete_on_termination -----
+ - foreach:
+ tag: foreach_ebs_volume_attachments_delete_on_termination
+ field: xm_cyber.entity_inventory.ebs_volume_attachments
+ ignore_missing: true
+ if: ctx.xm_cyber?.entity_inventory?.ebs_volume_attachments instanceof List
+ processor:
+ convert:
+ tag: convert_ebs_volume_attachments_delete_on_termination_element_boolean
+ field: _ingest._value.delete_on_termination
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ tag: remove_ebs_volume_attachments_delete_on_termination_element_on_failure
+ field: _ingest._value.delete_on_termination
+ 
ignore_missing: true
+ - append:
+ tag: append_error_message_ebs_volume_attachments_delete_on_termination_element
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ # ----- Convert procs for IP fields -----
+ - foreach:
+ tag: foreach_convert_ipv4str_ip
+ field: xm_cyber.entity_inventory.ipv4str
+ ignore_missing: true
+ if: ctx.xm_cyber?.entity_inventory?.ipv4str != null
+ processor:
+ convert:
+ tag: convert_ipv4str_ip_element
+ field: _ingest._value
+ type: ip
+ ignore_missing: true
+ on_failure:
+ - remove:
+ tag: remove_ipv4str_element_on_failure
+ field: _ingest._value
+ ignore_missing: true
+ - append:
+ tag: append_error_message_ipv4str_element
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ tag: foreach_convert_ipv6str_ip
+ field: xm_cyber.entity_inventory.ipv6str
+ ignore_missing: true
+ if: ctx.xm_cyber?.entity_inventory?.ipv6str != null
+ processor:
+ convert:
+ tag: convert_ipv6str_ip_element
+ field: _ingest._value
+ type: ip
+ ignore_missing: true
+ on_failure:
+ - remove:
+ tag: remove_ipv6str_element_on_failure
+ field: _ingest._value
+ ignore_missing: true
+ - append:
+ tag: append_error_message_ipv6str_element
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+
+ - convert:
+ tag: convert_ec2private_ip_address_ip
+ field: xm_cyber.entity_inventory.ec2private_ip_address
+ type: ip
+ ignore_missing: true
+ if: ctx.xm_cyber?.entity_inventory?.ec2private_ip_address != ''
+ on_failure:
+ - remove:
+ 
tag: remove_ec2private_ip_address_on_failure
+ field: xm_cyber.entity_inventory.ec2private_ip_address
+ ignore_missing: true
+ - append:
+ tag: append_error_message_ec2private_ip_address
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+
+ - convert:
+ tag: convert_ec2public_ip_address_ip
+ field: xm_cyber.entity_inventory.ec2public_ip_address
+ type: ip
+ ignore_missing: true
+ if: ctx.xm_cyber?.entity_inventory?.ec2public_ip_address != ''
+ on_failure:
+ - remove:
+ tag: remove_ec2public_ip_address_on_failure
+ field: xm_cyber.entity_inventory.ec2public_ip_address
+ ignore_missing: true
+ - append:
+ tag: append_error_message_ec2public_ip_address
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+
+ - convert:
+ tag: convert_host_ip_ip
+ field: xm_cyber.entity_inventory.host_ip
+ type: ip
+ ignore_missing: true
+ if: ctx.xm_cyber?.entity_inventory?.host_ip != ''
+ on_failure:
+ - remove:
+ tag: remove_host_ip_on_failure
+ field: xm_cyber.entity_inventory.host_ip
+ ignore_missing: true
+ - append:
+ tag: append_error_message_host_ip
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+
+ - convert:
+ tag: convert_pod_ip_ip
+ field: xm_cyber.entity_inventory.pod_ip
+ type: ip
+ ignore_missing: true
+ if: ctx.xm_cyber?.entity_inventory?.pod_ip != ''
+ on_failure:
+ - remove:
+ tag: remove_pod_ip_on_failure
+ field: xm_cyber.entity_inventory.pod_ip
+ ignore_missing: true
+ - append:
+ tag: append_error_message_pod_ip
+ field: 
error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+
+ - convert:
+ tag: convert_redshift_cluster_private_ipaddress_ip
+ field: xm_cyber.entity_inventory.redshift_cluster_private_ipaddress
+ type: ip
+ ignore_missing: true
+ if: ctx.xm_cyber?.entity_inventory?.redshift_cluster_private_ipaddress != ''
+ on_failure:
+ - remove:
+ tag: remove_redshift_cluster_private_ipaddress_on_failure
+ field: xm_cyber.entity_inventory.redshift_cluster_private_ipaddress
+ ignore_missing: true
+ - append:
+ tag: append_error_message_redshift_cluster_private_ipaddress
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+
+ - convert:
+ tag: convert_redshift_cluster_public_ipaddress_ip
+ field: xm_cyber.entity_inventory.redshift_cluster_public_ipaddress
+ type: ip
+ ignore_missing: true
+ if: ctx.xm_cyber?.entity_inventory?.redshift_cluster_public_ipaddress != ''
+ on_failure:
+ - remove:
+ tag: remove_redshift_cluster_public_ipaddress_on_failure
+ field: xm_cyber.entity_inventory.redshift_cluster_public_ipaddress
+ ignore_missing: true
+ - append:
+ tag: append_error_message_redshift_cluster_public_ipaddress
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ # ----- @timestamp resolution -----
+ - set:
+ tag: set_at_timestamp_from_xm_update_time
+ field: '@timestamp'
+ copy_from: xm_cyber.entity_inventory.xm_update_time
+ ignore_empty_value: true
+
+ # ----- Device (agent) ECS host.* mappings -----
+ - foreach:
+ tag: foreach_append_host_ip
+ field: 
xm_cyber.entity_inventory.ipv4str
+ ignore_missing: true
+ if: ctx.xm_cyber?.entity_inventory?.ipv4str != null
+ processor:
+ append:
+ tag: append_host_ip_element
+ field: host.ip
+ value: '{{{_ingest._value}}}'
+ allow_duplicates: false
+ - set:
+ tag: set_host_os_family
+ field: host.os.family
+ copy_from: xm_cyber.entity_inventory.os_type
+ ignore_empty_value: true
+ - set:
+ tag: set_host_os_name_from_distribution_name
+ field: host.os.name
+ copy_from: xm_cyber.entity_inventory.os.distribution_name
+ ignore_empty_value: true
+ - set:
+ tag: set_host_os_version_from_distribution_version
+ field: host.os.version
+ copy_from: xm_cyber.entity_inventory.os.distribution_version
+ ignore_empty_value: true
+ - set:
+ tag: set_host_os_full_from_os_name
+ field: host.os.full
+ copy_from: xm_cyber.entity_inventory.os.name
+ ignore_empty_value: true
+ - set:
+ tag: set_host_id_from_machine_id
+ field: host.id
+ copy_from: xm_cyber.entity_inventory.machine_id
+ ignore_empty_value: true
+ - set:
+ tag: set_host_architecture_from_arch
+ field: host.architecture
+ copy_from: xm_cyber.entity_inventory.arch
+ ignore_empty_value: true
+ - set:
+ tag: set_host_domain_from_domain_name
+ field: host.domain
+ copy_from: xm_cyber.entity_inventory.domain_name
+ ignore_empty_value: true
+ - set:
+ tag: set_host_os_kernel_from_kernel_version
+ field: host.os.kernel
+ copy_from: xm_cyber.entity_inventory.kernel_version
+ ignore_empty_value: true
+ - set:
+ tag: set_host_os_full_fallback_from_os_image
+ field: host.os.full
+ copy_from: xm_cyber.entity_inventory.os_image
+ ignore_empty_value: true
+ if: ctx.host?.os?.full == null
+ - set:
+ tag: set_host_hostname_from_dns_host_name
+ field: host.hostname
+ copy_from: xm_cyber.entity_inventory.dns_host_name
+ ignore_empty_value: true
+ - set:
+ tag: set_host_name_from_fqdn
+ field: host.name
+ copy_from: xm_cyber.entity_inventory.fqdn
+ ignore_empty_value: true
+ if: ctx.host?.name == null
+
+ # ----- host.ip (append from all IP sources) 
-----
+ - append:
+ tag: append_host_ip_from_host_ip
+ field: host.ip
+ value: '{{{xm_cyber.entity_inventory.host_ip}}}'
+ allow_duplicates: false
+ if: ctx.xm_cyber?.entity_inventory?.host_ip != null && ctx.xm_cyber.entity_inventory.host_ip != ''
+ - append:
+ tag: append_host_ip_from_pod_ip
+ field: host.ip
+ value: '{{{xm_cyber.entity_inventory.pod_ip}}}'
+ allow_duplicates: false
+ if: ctx.xm_cyber?.entity_inventory?.pod_ip != null && ctx.xm_cyber.entity_inventory.pod_ip != ''
+ - append:
+ tag: append_host_ip_from_ec2private_ip_address
+ field: host.ip
+ value: '{{{xm_cyber.entity_inventory.ec2private_ip_address}}}'
+ allow_duplicates: false
+ if: ctx.xm_cyber?.entity_inventory?.ec2private_ip_address != null && ctx.xm_cyber.entity_inventory.ec2private_ip_address != ''
+ - append:
+ tag: append_host_ip_from_ec2public_ip_address
+ field: host.ip
+ value: '{{{xm_cyber.entity_inventory.ec2public_ip_address}}}'
+ allow_duplicates: false
+ if: ctx.xm_cyber?.entity_inventory?.ec2public_ip_address != null && ctx.xm_cyber.entity_inventory.ec2public_ip_address != ''
+ - append:
+ tag: append_host_ip_from_redshift_cluster_private_ipaddress
+ field: host.ip
+ value: '{{{xm_cyber.entity_inventory.redshift_cluster_private_ipaddress}}}'
+ allow_duplicates: false
+ if: ctx.xm_cyber?.entity_inventory?.redshift_cluster_private_ipaddress != null && ctx.xm_cyber.entity_inventory.redshift_cluster_private_ipaddress != ''
+ - append:
+ tag: append_host_ip_from_redshift_cluster_public_ipaddress
+ field: host.ip
+ value: '{{{xm_cyber.entity_inventory.redshift_cluster_public_ipaddress}}}'
+ allow_duplicates: false
+ if: ctx.xm_cyber?.entity_inventory?.redshift_cluster_public_ipaddress != null && ctx.xm_cyber.entity_inventory.redshift_cluster_public_ipaddress != ''
+
+ # ----- event.* / organization.* mappings -----
+ - set:
+ tag: set_event_id_from_id
+ field: event.id
+ copy_from: xm_cyber.entity_inventory.id
+ ignore_empty_value: true
+ - set:
+ tag: 
set_organization_id_from_organization_id
+ field: organization.id
+ copy_from: xm_cyber.entity_inventory.organization_id
+ ignore_empty_value: true
+
+ # ----- Cloud (AWS) ECS cloud.* mappings -----
+ - set:
+ tag: set_cloud_account_id_from_account_id
+ field: cloud.account.id
+ copy_from: xm_cyber.entity_inventory.account_id
+ ignore_empty_value: true
+ if: ctx.xm_cyber?.entity_inventory?.entity_type != null && ctx.xm_cyber.entity_inventory.entity_type.toLowerCase().contains('aws')
+ - set:
+ tag: set_cloud_account_name_from_account_name
+ field: cloud.account.name
+ copy_from: xm_cyber.entity_inventory.account_name
+ ignore_empty_value: true
+ if: ctx.xm_cyber?.entity_inventory?.entity_type != null && ctx.xm_cyber.entity_inventory.entity_type.toLowerCase().contains('aws')
+ - set:
+ tag: set_cloud_region_from_region
+ field: cloud.region
+ copy_from: xm_cyber.entity_inventory.region
+ ignore_empty_value: true
+ - set:
+ tag: set_cloud_instance_id_from_ec2instance_id
+ field: cloud.instance.id
+ copy_from: xm_cyber.entity_inventory.ec2instance_id
+ ignore_empty_value: true
+ - set:
+ tag: set_cloud_instance_id_from_instance_id
+ field: cloud.instance.id
+ copy_from: xm_cyber.entity_inventory.instance_id
+ ignore_empty_value: true
+ if: ctx.cloud?.instance?.id == null
+ - set:
+ tag: set_cloud_instance_name_from_name
+ field: cloud.instance.name
+ copy_from: xm_cyber.entity_inventory.name
+ ignore_empty_value: true
+ if: ctx.xm_cyber?.entity_inventory?.entity_type != null && ctx.xm_cyber.entity_inventory.entity_type.toLowerCase().contains('aws')
+ - set:
+ tag: set_cloud_availability_zone_from_availability_zone
+ field: cloud.availability_zone
+ copy_from: xm_cyber.entity_inventory.availability_zone
+ ignore_empty_value: true
+ - set:
+ tag: set_cloud_provider_from_cloud_provider
+ field: cloud.provider
+ copy_from: xm_cyber.entity_inventory.cloud_provider
+ ignore_empty_value: true
+ if: ctx.xm_cyber?.entity_inventory?.cloud_provider != null && 
ctx.xm_cyber.entity_inventory.cloud_provider != '' && ctx.xm_cyber.entity_inventory.cloud_provider.toUpperCase() != 'UNSUPPORTED_CLOUD_PROVIDER'
+ - lowercase:
+ tag: lowercase_cloud_provider
+ field: cloud.provider
+ ignore_missing: true
+
+ # ----- host.mac (normalised to ECS format: dash-separated, uppercase) -----
+ - foreach:
+ tag: foreach_append_host_mac
+ field: xm_cyber.entity_inventory.entity_details.mac_addresses
+ ignore_missing: true
+ if: ctx.xm_cyber?.entity_inventory?.entity_details?.mac_addresses != null
+ processor:
+ append:
+ tag: append_host_mac_element
+ field: host.mac
+ value: '{{{_ingest._value}}}'
+ allow_duplicates: false
+ - foreach:
+ tag: foreach_host_mac_gsub
+ field: host.mac
+ ignore_missing: true
+ if: ctx.host?.mac instanceof List
+ processor:
+ gsub:
+ tag: gsub_host_mac_element
+ field: _ingest._value
+ pattern: '[:.]'
+ replacement: '-'
+ ignore_missing: true
+ on_failure:
+ - append:
+ tag: append_error_message_host_mac_gsub_element
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ tag: foreach_host_mac_uppercase
+ field: host.mac
+ ignore_missing: true
+ if: ctx.host?.mac instanceof List
+ processor:
+ uppercase:
+ tag: uppercase_host_mac_element
+ field: _ingest._value
+ ignore_missing: true
+
+ # ----- orchestrator.* mappings (Kubernetes) -----
+ - set:
+ tag: set_orchestrator_cluster_name_from_cluster_name
+ field: orchestrator.cluster.name
+ copy_from: xm_cyber.entity_inventory.cluster_name
+ ignore_empty_value: true
+ - set:
+ tag: set_orchestrator_cluster_id_from_cluster_unique_id
+ field: orchestrator.cluster.id
+ copy_from: xm_cyber.entity_inventory.cluster_unique_id
+ ignore_empty_value: true
+ - set:
+ tag: set_orchestrator_namespace_from_namespace
+ field: orchestrator.namespace
+ copy_from: 
xm_cyber.entity_inventory.namespace
+ ignore_empty_value: true
+ - set:
+ tag: set_orchestrator_type_kubernetes
+ field: orchestrator.type
+ value: kubernetes
+ if: ctx.orchestrator?.cluster?.name != null || ctx.xm_cyber?.entity_inventory?.kubelet_version != null || ctx.xm_cyber?.entity_inventory?.pod_ip != null || ctx.xm_cyber?.entity_inventory?.kube_proxy_version != null
+
+ # ----- user.* mappings -----
+ - set:
+ tag: set_user_name_from_aws_user_name
+ field: user.name
+ copy_from: xm_cyber.entity_inventory.aws_user_name
+ ignore_empty_value: true
+ - set:
+ tag: set_user_name_from_user_name
+ field: user.name
+ copy_from: xm_cyber.entity_inventory.user_name
+ ignore_empty_value: true
+ if: ctx.user?.name == null
+ - set:
+ tag: set_user_id_from_iam_unique_id
+ field: user.id
+ copy_from: xm_cyber.entity_inventory.iam_unique_id
+ ignore_empty_value: true
+ - set:
+ tag: set_user_id_from_sid
+ field: user.id
+ copy_from: xm_cyber.entity_inventory.sid
+ ignore_empty_value: true
+ if: ctx.user?.id == null
+ - set:
+ tag: set_user_full_name_from_distinguished_name
+ field: user.full_name
+ copy_from: xm_cyber.entity_inventory.distinguished_name
+ ignore_empty_value: true
+
+ # ----- entity.* mappings (ECS entity extension) -----
+ # Device-shaped entities: last_activity is the device's last connection time.
+ - set:
+ tag: set_host_entity_lifecycle_last_activity_from_last_connection_time
+ field: host.entity.lifecycle.last_activity
+ copy_from: xm_cyber.entity_inventory.last_connection_time
+ ignore_empty_value: true
+ if: ctx.xm_cyber?.entity_inventory?.last_connection_time != null && ctx.xm_cyber.entity_inventory.last_connection_time != 'Unknown' && ctx.xm_cyber?.entity_inventory?.entity_type != null && ctx.xm_cyber.entity_inventory.entity_type.toLowerCase().contains('agent')
+ # User-shaped entities: last_activity is the principal's last activity date. 
+ - set:
+ tag: set_user_entity_lifecycle_last_activity_from_last_activity_date
+ field: user.entity.lifecycle.last_activity
+ copy_from: xm_cyber.entity_inventory.last_activity_date
+ ignore_empty_value: true
+ if: ctx.xm_cyber?.entity_inventory?.last_activity_date != null && ctx.xm_cyber.entity_inventory.last_activity_date != 'Unknown' && ctx.xm_cyber?.entity_inventory?.entity_type != null && ctx.xm_cyber.entity_inventory.entity_type.toLowerCase().contains('user')
+ # MFA flag is a user-only attribute.
+ - set:
+ tag: set_user_entity_attributes_mfa_enabled_from_is_mfaenabled
+ field: user.entity.attributes.mfa_enabled
+ copy_from: xm_cyber.entity_inventory.is_mfaenabled
+ ignore_empty_value: true
+ if: ctx.xm_cyber?.entity_inventory?.entity_type != null && ctx.xm_cyber.entity_inventory.entity_type.toLowerCase().contains('user')
+
+ # ----- service.* mappings -----
+ - set:
+ tag: set_service_type_from_engine
+ field: service.type
+ copy_from: xm_cyber.entity_inventory.engine
+ ignore_empty_value: true
+ - set:
+ tag: set_service_type_from_lambda_runtime
+ field: service.type
+ copy_from: xm_cyber.entity_inventory.lambda_runtime
+ ignore_empty_value: true
+ if: ctx.service?.type == null
+ - set:
+ tag: set_service_version_from_engine_version
+ field: service.version
+ copy_from: xm_cyber.entity_inventory.engine_version
+ ignore_empty_value: true
+
+ # ----- Vendor tags merged into top-level tags -----
+ - foreach:
+ tag: foreach_vendor_tags_str
+ field: xm_cyber.entity_inventory.tags_str
+ ignore_missing: true
+ if: ctx.xm_cyber?.entity_inventory?.tags_str != null
+ processor:
+ append:
+ field: tags
+ value: '{{{_ingest._value}}}'
+ allow_duplicates: false
+
+ # ----- related.* enrichment -----
+ - foreach:
+ tag: foreach_host_ip_related_ip
+ field: host.ip
+ ignore_missing: true
+ if: ctx.host?.ip != null
+ processor:
+ append:
+ field: related.ip
+ value: '{{{_ingest._value}}}'
+ allow_duplicates: false
+ - foreach:
+ tag: foreach_host_mac_related_hosts
+ 
field: host.mac
+ ignore_missing: true
+ if: ctx.host?.mac != null
+ processor:
+ append:
+ field: related.hosts
+ value: '{{{_ingest._value}}}'
+ allow_duplicates: false
+ - append:
+ tag: append_related_hosts_from_arn
+ field: related.hosts
+ value: '{{{xm_cyber.entity_inventory.arn}}}'
+ allow_duplicates: false
+ if: ctx.xm_cyber?.entity_inventory?.arn != null && ctx.xm_cyber.entity_inventory.arn != ''
+ - append:
+ tag: append_related_hosts_from_ecr_repository_arn
+ field: related.hosts
+ value: '{{{xm_cyber.entity_inventory.ecr_repository_arn}}}'
+ allow_duplicates: false
+ if: ctx.xm_cyber?.entity_inventory?.ecr_repository_arn != null && ctx.xm_cyber.entity_inventory.ecr_repository_arn != ''
+ - append:
+ tag: append_related_hosts_from_ebs_volume_kms_key_id
+ field: related.hosts
+ value: '{{{xm_cyber.entity_inventory.ebs_volume_kms_key_id}}}'
+ allow_duplicates: false
+ if: ctx.xm_cyber?.entity_inventory?.ebs_volume_kms_key_id != null && ctx.xm_cyber.entity_inventory.ebs_volume_kms_key_id != ''
+ - append:
+ tag: append_related_hosts_from_secret_rotation_lambda_arn
+ field: related.hosts
+ value: '{{{xm_cyber.entity_inventory.secret_rotation_lambda_arn}}}'
+ allow_duplicates: false
+ if: ctx.xm_cyber?.entity_inventory?.secret_rotation_lambda_arn != null && ctx.xm_cyber.entity_inventory.secret_rotation_lambda_arn != ''
+ - append:
+ tag: append_related_hosts_from_dns_host_name
+ field: related.hosts
+ value: '{{{xm_cyber.entity_inventory.dns_host_name}}}'
+ allow_duplicates: false
+ if: ctx.xm_cyber?.entity_inventory?.dns_host_name != null && ctx.xm_cyber.entity_inventory.dns_host_name != ''
+ - append:
+ tag: append_related_hosts_from_fqdn
+ field: related.hosts
+ value: '{{{xm_cyber.entity_inventory.fqdn}}}'
+ allow_duplicates: false
+ if: ctx.xm_cyber?.entity_inventory?.fqdn != null && ctx.xm_cyber.entity_inventory.fqdn != ''
+ - append:
+ tag: append_related_hash_from_password_hash
+ field: related.hash
+ value: 
'{{{xm_cyber.entity_inventory.password_hash}}}' + allow_duplicates: false + if: ctx.xm_cyber?.entity_inventory?.password_hash != null && ctx.xm_cyber.entity_inventory.password_hash != '' + - append: + tag: append_related_hosts_from_name + field: related.hosts + value: '{{{xm_cyber.entity_inventory.name}}}' + allow_duplicates: false + if: ctx.xm_cyber?.entity_inventory?.name != null && ctx.xm_cyber.entity_inventory.name != '' + + - remove: + description: Remove vendor-specific fields that are duplicated to ECS. + tag: remove_fields_mapped_to_ecs + ignore_missing: true + field: + # ----- host.* sources ----- + - xm_cyber.entity_inventory.arch + - xm_cyber.entity_inventory.domain_name + - xm_cyber.entity_inventory.machine_id + - xm_cyber.entity_inventory.os_type + - xm_cyber.entity_inventory.os.distribution_name + - xm_cyber.entity_inventory.os.distribution_version + - xm_cyber.entity_inventory.os.name + - xm_cyber.entity_inventory.kernel_version + - xm_cyber.entity_inventory.os_image + - xm_cyber.entity_inventory.dns_host_name + - xm_cyber.entity_inventory.fqdn + - xm_cyber.entity_inventory.host_ip + - xm_cyber.entity_inventory.pod_ip + - xm_cyber.entity_inventory.ec2private_ip_address + - xm_cyber.entity_inventory.ec2public_ip_address + - xm_cyber.entity_inventory.redshift_cluster_private_ipaddress + - xm_cyber.entity_inventory.redshift_cluster_public_ipaddress + - xm_cyber.entity_inventory.ipv4str + - xm_cyber.entity_inventory.entity_details.mac_addresses + # ----- cloud.* sources ----- + - xm_cyber.entity_inventory.account_id + - xm_cyber.entity_inventory.account_name + - xm_cyber.entity_inventory.region + - xm_cyber.entity_inventory.availability_zone + - xm_cyber.entity_inventory.cloud_provider + - xm_cyber.entity_inventory.ec2instance_id + - xm_cyber.entity_inventory.instance_id + # ----- orchestrator.* sources ----- + - xm_cyber.entity_inventory.cluster_name + - xm_cyber.entity_inventory.cluster_unique_id + - xm_cyber.entity_inventory.namespace + # ----- user.* 
sources ----- + - xm_cyber.entity_inventory.aws_user_name + - xm_cyber.entity_inventory.user_name + - xm_cyber.entity_inventory.iam_unique_id + - xm_cyber.entity_inventory.sid + - xm_cyber.entity_inventory.distinguished_name + # ----- service.* sources ----- + - xm_cyber.entity_inventory.engine + - xm_cyber.entity_inventory.lambda_runtime + - xm_cyber.entity_inventory.engine_version + # ----- event.* / organization.* / @timestamp / related.hash sources ----- + - xm_cyber.entity_inventory.id + - xm_cyber.entity_inventory.organization_id + - xm_cyber.entity_inventory.xm_update_time + - xm_cyber.entity_inventory.password_hash + # ----- tags source ----- + - xm_cyber.entity_inventory.tags_str + + # ----- Drop null/empty leaf values from the document ----- + - script: + tag: script_to_drop_null_values + description: Drop null/empty leaf values from the document. + lang: painless + source: |- + void handleMap(Map map) { + map.values().removeIf(v -> { + if (v instanceof Map) { + handleMap(v); + } else if (v instanceof List) { + handleList(v); + } + return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) + }); + } + void handleList(List list) { + list.removeIf(v -> { + if (v instanceof Map) { + handleMap(v); + } else if (v instanceof List) { + handleList(v); + } + return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) + }); + } + handleMap(ctx); + + - append: + tag: append_preserve_on_collector_error + field: tags + value: preserve_original_event + allow_duplicates: false + if: ctx.error?.message != null + - set: + tag: set_pipeline_error_to_event_kind + field: event.kind + value: pipeline_error + if: ctx.error?.message != null + +on_failure: + - append: + tag: pipeline_on_failure_error_message + field: error.message + value: >- + Processor '{{{ _ingest.on_failure_processor_type }}}' + {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag 
}}}' + {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}' + - set: + tag: set_pipeline_error_to_event_kind + field: event.kind + value: pipeline_error + - append: + tag: pipeline_on_failure_preserve_original + field: tags + value: preserve_original_event + allow_duplicates: false diff --git a/packages/xm_cyber/data_stream/entity_inventory/fields/base-fields.yml b/packages/xm_cyber/data_stream/entity_inventory/fields/base-fields.yml new file mode 100644 index 00000000000..2e8df0d7231 --- /dev/null +++ b/packages/xm_cyber/data_stream/entity_inventory/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module. + value: xm_cyber +- name: event.dataset + type: constant_keyword + description: Event dataset. + value: xm_cyber.entity_inventory +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/packages/xm_cyber/data_stream/entity_inventory/fields/beats.yml b/packages/xm_cyber/data_stream/entity_inventory/fields/beats.yml new file mode 100644 index 00000000000..3382e376e77 --- /dev/null +++ b/packages/xm_cyber/data_stream/entity_inventory/fields/beats.yml @@ -0,0 +1,3 @@ +- name: input.type + type: keyword + description: Type of filebeat input. diff --git a/packages/xm_cyber/data_stream/entity_inventory/fields/ecs.yml b/packages/xm_cyber/data_stream/entity_inventory/fields/ecs.yml new file mode 100644 index 00000000000..f70c3ad1ce1 --- /dev/null +++ b/packages/xm_cyber/data_stream/entity_inventory/fields/ecs.yml 
@@ -0,0 +1,9 @@ +# Define ECS constant fields as constant_keyword +- name: observer.product + external: ecs + type: constant_keyword + value: Continuous Exposure Management +- name: observer.vendor + external: ecs + type: constant_keyword + value: XM Cyber diff --git a/packages/xm_cyber/data_stream/entity_inventory/fields/fields.yml b/packages/xm_cyber/data_stream/entity_inventory/fields/fields.yml new file mode 100644 index 00000000000..7f57ff50cf3 --- /dev/null +++ b/packages/xm_cyber/data_stream/entity_inventory/fields/fields.yml 
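Review bot: ecs.yml declares only the two observer.* constants, while the pipeline in the preceding default.yml hunk writes `user.entity.lifecycle.last_activity` and `user.entity.attributes.mfa_enabled`, which are comparatively recent ECS additions and may not be covered by the stack's `ecs@mappings` dynamic templates on every Kibana version the package allows. If the package's version constraint admits a stack whose ecs@mappings lacks the `entity.*` reuse under `user`, those two fields would fall back to dynamic mapping rather than the ECS types, so consider declaring them explicitly here with `- name: user.entity.lifecycle.last_activity` / `external: ecs` and the same for `user.entity.attributes.mfa_enabled`. I cannot see the manifest's Kibana constraint from this diff, so treat this as something to confirm rather than a certain gap.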
@@ -0,0 +1,1182 @@ +- name: xm_cyber + type: group + fields: + - name: entity_inventory + type: group + fields: + - name: account_id + type: keyword + description: AWS account identifier associated with the entity. + - name: account_name + type: keyword + description: AWS account name associated with the entity. + - name: agent_type + type: keyword + description: Type of XM Cyber agent reporting the entity (when applicable). + - name: agent_version_str + type: keyword + description: XM Cyber agent version reported as a single string (e.g. 1.8.210). + - name: agent_version + type: group + fields: + - name: major + type: long + description: Agent version major component. + - name: minor + type: long + description: Agent version minor component. + - name: patch + type: long + description: Agent version patch component. + - name: arch + type: keyword + description: Hardware architecture reported for the entity. + - name: arn + type: keyword + description: AWS resource ARN associated with the entity. + - name: aws_tags + type: flattened + description: AWS tags attached to the entity (array of key/value pairs). + - name: category + type: keyword + description: Vendor category classification for the entity. + - name: cm_id + type: keyword + description: Configuration management identifier for the entity. + - name: connection_counter + type: long + description: Number of times the entity has connected to XM Cyber. + - name: custom_properties + type: group + fields: + - name: custom_labels + type: flattened + description: User-defined labels attached to the entity. + - name: domain_workgroup + type: group + fields: + - name: data + type: keyword + description: Domain or workgroup name. + - name: type + type: keyword + description: Discriminator (e.g., domain, workgroup). + - name: hardware_info + type: group + fields: + - name: cpu_core_count + type: long + description: Number of CPU cores reported for the host. 
+ - name: cpu_count + type: long + description: Number of CPUs reported for the host. + - name: cpu_manufacturer + type: keyword + description: CPU manufacturer string. + - name: cpu_processor_type + type: keyword + description: CPU processor type string. + - name: cpu_speed_mhz + type: long + description: CPU speed in MHz. + - name: system_manufacturer + type: keyword + description: System manufacturer string. + - name: system_model + type: keyword + description: System model string. + - name: total_ram_mb + type: keyword + description: Total RAM in MB as reported by the vendor (string). + - name: labels + type: flattened + description: Vendor-managed labels attached to the entity. + - name: mac_addresses + type: keyword + description: MAC addresses reported for the entity. + - name: ou_computer + type: keyword + description: Organisational unit path for the computer object. + - name: ou_user + type: keyword + description: Organisational unit path for the user object. + - name: sniffer_status + type: keyword + description: Current sniffer status string. + - name: sniffer_status_changeable + type: boolean + description: Whether the sniffer status is user-changeable. + - name: sniffer_status_configuration + type: keyword + description: Sniffer status configuration string. + - name: subnet_info + type: keyword + description: Subnet information string when reported. + - name: customer_id + type: keyword + description: XM Cyber customer identifier. + - name: disabled + type: boolean + description: Whether the entity is disabled. + - name: disabled_changed_at + type: date + description: Time at which the disabled state last changed. + - name: disabled_reason + type: keyword + description: Reason the entity was disabled. + - name: display_name + type: keyword + description: Human-readable display name for the entity. + - name: domain_name + type: keyword + description: Domain name associated with the entity when reported. 
+ - name: entity_details + type: group + fields: + - name: id + type: keyword + description: Inner entity details identifier. + - name: is_asset + type: boolean + description: Whether the inner entity is marked as a critical asset. + - name: name + type: keyword + description: Inner entity details name. + - name: sub_type + type: keyword + description: Inner entity details subtype value. + - name: sub_type_display_name + type: keyword + description: Inner entity details subtype display label. + - name: entity_type + type: keyword + description: Entity type discriminator (e.g., agent, azureUser, awsSsmParameter). + - name: first_seen + type: date + description: First observation time reported for the entity. + - name: has_matching_sid + type: boolean + description: Whether the entity has a matching SID in another directory source. + - name: has_update_available + type: boolean + description: Whether an update is available for the entity (e.g., agent upgrade). + - name: id + type: keyword + description: Vendor-provided unique identifier for the entity record. + - name: imported_labels + type: keyword + description: Imported labels associated with the entity. + - name: installation_id + type: keyword + description: Installation identifier reported for the entity. + - name: ipv4 + type: keyword + description: IPv4 addresses reported for the entity as strings. + - name: ipv4_buffer + type: group + fields: + - name: data + type: long + description: IPv4 address data as an array of integers. + - name: type + type: keyword + description: Buffer indicator value, typically "Buffer". + - name: ipv4num + type: long + description: IPv4 addresses reported for the entity as 32-bit integers. + - name: ipv4str + type: ip + description: IPv4 addresses reported for the entity as strings. + - name: ipv6 + type: keyword + description: IPv6 addresses reported for the entity. 
+ - name: ipv6_buffer + type: group + fields: + - name: data + type: long + description: IPv6 address data as an array of integers. + - name: type + type: keyword + description: Buffer indicator value, typically "Buffer". + - name: ipv6str + type: ip + description: IPv6 addresses reported for the entity as strings. + - name: kms_key_aliases + type: keyword + description: KMS key alias names associated with the entity. + - name: kms_key_creation_date + type: date + description: Time at which the KMS key was created. + - name: kms_key_description + type: keyword + description: KMS key description string. + - name: kms_key_manager + type: keyword + description: KMS key manager (e.g., AWS, CUSTOMER). + - name: kms_key_origin + type: keyword + description: KMS key origin (e.g., AWS_KMS, EXTERNAL). + - name: kms_key_state + type: keyword + description: Current KMS key state. + - name: kms_key_usage + type: keyword + description: KMS key usage (e.g., ENCRYPT_DECRYPT, SIGN_VERIFY). + - name: labels + type: flattened + description: Vendor labels attached to the entity (array of id/type pairs). + - name: last_connection_time + type: date + description: Last time the entity (typically a managed device) connected to XM Cyber. + - name: last_disconnection_reason + type: keyword + description: Reason the entity last disconnected. + - name: last_reboot_time + type: date + description: Last reboot time reported for the entity. + - name: last_status_change + type: date + description: Time of the most recent status change for the entity. + - name: last_updated_at + type: date + description: Time at which the entity record was last updated by XM Cyber. + - name: latest_possible_agent_version_str + type: keyword + description: Latest agent version available for the entity as a string. + - name: latest_possible_agent_version + type: group + fields: + - name: major + type: long + description: Latest possible agent version major component. 
+ - name: minor + type: long + description: Latest possible agent version minor component. + - name: patch + type: long + description: Latest possible agent version patch component. + - name: build + type: long + description: Build (e.g. 0). + - name: machine_id + type: keyword + description: Vendor machine identifier when reported. + - name: metadata + type: flattened + description: Metadata associated with the entity. + - name: name + type: keyword + description: Vendor name of the entity (hostname for devices, principal name for identities, etc.). + - name: name_uppercase + type: keyword + description: Entity name normalised to uppercase for case-insensitive matching. + - name: not_included_in_attacks + type: boolean + description: Whether the entity is excluded from attack-path simulations. + - name: organization_id + type: keyword + description: XM Cyber organization identifier. + - name: os + type: group + fields: + - name: distribution_name + type: keyword + description: OS distribution name (e.g., centos, ubuntu). + - name: distribution_version + type: keyword + description: OS distribution version string. + - name: name + type: keyword + description: Full OS name string as reported by XM Cyber. + - name: service_pack + type: group + fields: + - name: build + type: long + description: OS service pack build component. + - name: major + type: long + description: OS service pack major component. + - name: minor + type: long + description: OS service pack minor component. + - name: patch + type: long + description: OS service pack patch component. + - name: version + type: group + fields: + - name: build + type: long + description: OS version build component. + - name: major + type: long + description: OS version major component. + - name: minor + type: long + description: OS version minor component. + - name: patch + type: long + description: OS version patch component. + - name: os_type + type: keyword + description: Top-level OS type discriminator string. 
+ - name: product_type + type: keyword + description: Vendor product type string. + - name: region + type: keyword + description: Cloud region associated with the entity. + - name: remote_address + type: keyword + description: Remote address reported for the entity. + - name: rule_display_name + type: keyword + description: Display name of the matching rule when reported. + - name: secret_description + type: keyword + description: Description of the AWS Secrets Manager secret. + - name: secret_kms_key_id + type: keyword + description: KMS key identifier protecting the secret. + - name: security_flags + type: flattened + description: Security flags reported for the entity. + - name: security_flags_for_display + type: group + fields: + - name: expires + type: keyword + description: Expiration value of the security flag, if any. + - name: key + type: keyword + description: Security flag key. + - name: reason + type: keyword + description: Security flag reason. + - name: south_owner + type: keyword + description: South component owner identifier when reported. + - name: ssm_parameter_data_type + type: keyword + description: SSM parameter data type. + - name: ssm_parameter_description + type: keyword + description: SSM parameter description. + - name: ssm_parameter_key_id + type: keyword + description: KMS key id used to encrypt the SSM parameter. + - name: ssm_parameter_last_modified_date + type: date + description: Last modification time of the SSM parameter. + - name: ssm_parameter_last_modified_user + type: keyword + description: User who last modified the SSM parameter. + - name: ssm_parameter_name + type: keyword + description: SSM parameter name. + - name: ssm_parameter_tier + type: keyword + description: SSM parameter tier. + - name: ssm_parameter_type + type: keyword + description: SSM parameter type (String, StringList, SecureString). + - name: ssm_parameter_version + type: long + description: SSM parameter version number. 
+ - name: status + type: keyword + description: Entity operational status string when reported. + - name: tags_str + type: keyword + description: Vendor-provided tags reported as plain strings. + - name: time_to_revive_at + type: date + description: Time at which the entity is scheduled to be revived. + - name: type + type: keyword + description: Vendor type discriminator returned alongside `entity_type`. + - name: type_display_name + type: keyword + description: Human-readable label for `type`. + - name: use_type + type: keyword + description: Vendor `useType` discriminator. + - name: xm_labels + type: flattened + description: XM Cyber managed labels attached to the entity. + - name: xm_provider_account + type: keyword + description: XM Cyber provider account identifier. + - name: xm_update_time + type: date + description: Time at which XM Cyber last updated the entity record. + - name: access_key_creation_date + type: date + description: Access key creation date (e.g. 2024-10-01T10:06:58.000Z). + - name: activity_period + type: keyword + description: 'Activity period (e.g. Inactive: Never Used).' + - name: architecture + type: keyword + description: Architecture (e.g. amd64). + - name: availability_zone + type: keyword + description: Availability zone (e.g. us-east-1b). + - name: aws_user_name + type: keyword + description: Aws user name (e.g. xmcyber-eldar-arn-iam-user-sts-QRc9n12OTGiq). + - name: behavior_version + type: keyword + description: Behavior version (e.g. 7). + - name: boot_id + type: keyword + description: Boot id (e.g. 004c6ece-9317-40e7-9a15-d24df7709df0). + - name: canonical_name + type: keyword + description: Canonical name (e.g. vpn.Corporate.xm/). + - name: cloud_provider + type: keyword + description: Cloud provider (e.g. UNSUPPORTED_CLOUD_PROVIDER). + - name: cluster_name + type: keyword + description: Cluster name (e.g. udoawsk8s). 
+ - name: cluster_role_rules + type: group + fields: + - name: api_groups + type: keyword + description: Api groups (e.g. ["authorization.k8s.io"]). + - name: non_resource_urls + type: keyword + description: Non resource urls (e.g. ["/version/", "/apis/*", "/openapi", "/api", "/version", "/livez", "/apis", "/re). + - name: resource_names + type: keyword + description: Resource names (e.g. ["kubernetes.io/kube-apiserver-client"]). + - name: resources + type: keyword + description: Resources (e.g. ["localsubjectaccessreviews"]). + - name: verbs + type: keyword + description: Verbs (e.g. ["create"]). + - name: cluster_role_rules_to_display + type: keyword + description: 'Cluster role rules to display (e.g. [ { "apiGroups": [ "authorization.k8s.io" ], "resources": [ ).' + - name: cluster_unique_id + type: keyword + description: Cluster unique id (e.g. 0617e36e156eacec443c98be905fb028ff739448fb763421528f2034ea3058a8). + - name: comments + type: flattened + description: Comments (e.g. []). + - name: container_runtime_version + type: keyword + description: Container runtime version (e.g. containerd://2.1.5-k3s1.33). + - name: create_time + type: date + description: Create time (e.g. 2026-03-02T18:36:07.000Z). + - name: created + type: date + description: Created (e.g. 2025-09-24T10:10:32.413Z). + - name: created_by + type: keyword + description: Created by (e.g. arn:aws:sts::908522078858:assumed-role/AWSReservedSSO_AdministratorAccess_a84c80). + - name: created_date + type: date + description: Created date (e.g. 2022-08-03T07:44:06.000Z). + - name: creation_timestamp + type: date + description: Creation timestamp (e.g. 2025-12-04T14:10:01.000Z). + - name: cred_type + type: keyword + description: Cred type (e.g. NTLM_HASH). + - name: default_version + type: boolean + description: Default version (e.g. True). + - name: deployment_type + type: keyword + description: Deployment type (e.g. ReplicaSet). 
+ - name: distinguished_name + type: keyword + description: Distinguished name (e.g. DC=vpn,DC=Corporate,DC=xm). + - name: dns_host_name + type: keyword + description: Dns host name (e.g. vpndc.vpn.Corporate.xm). + - name: dns_policy + type: keyword + description: Dns policy (e.g. ClusterFirst). + - name: domain_owner + type: keyword + description: Domain owner (e.g. 908522078858). + - name: domain_sid + type: keyword + description: Domain sid (e.g. S-1-5-21-3955220616-103436932-1560667138). + - name: dynamo_db_table_creation_date_time + type: date + description: Dynamo db table creation date time (e.g. 2021-10-26T07:59:54.362Z). + - name: dynamo_db_table_item_count + type: long + description: Dynamo db table item count (e.g. 0). + - name: dynamo_db_table_size_bytes + type: long + description: Dynamo db table size bytes (e.g. 0). + - name: ebs_volume_attachments + type: group + fields: + - name: attach_time + type: date + description: Attach time (e.g. 2026-03-18T14:45:23.000Z). + - name: delete_on_termination + type: boolean + description: Delete on termination (e.g. True). + - name: device + type: keyword + description: Device (e.g. /dev/sdb). + - name: ebs_card_index + type: long + description: Ebs card index (e.g. 0). + - name: instance_id + type: keyword + description: Instance id (e.g. i-0e03149a06907c827). + - name: state + type: keyword + description: State (e.g. attached). + - name: volume_id + type: keyword + description: Volume id (e.g. vol-00073da63bfe48dad). + - name: ebs_volume_create_time + type: date + description: Ebs volume create time (e.g. 2026-03-18T14:45:23.445Z). + - name: ebs_volume_id + type: keyword + description: Ebs volume id (e.g. vol-00073da63bfe48dad). + - name: ebs_volume_iops + type: long + description: Ebs volume iops (e.g. 100). + - name: ebs_volume_kms_key_id + type: keyword + description: Ebs volume kms key id (e.g. arn:aws:kms:us-east-1:908522078858:key/7a079e1f-3b2b-427c-9a03-a6471d754d36). 
+ - name: ebs_volume_multi_attach_enabled + type: boolean + description: Ebs volume multi attach enabled (e.g. False). + - name: ebs_volume_size + type: long + description: Ebs volume size (e.g. 32). + - name: ebs_volume_snapshot_id + type: keyword + description: Ebs volume snapshot id (e.g. snap-02b09548e23285e0b). + - name: ebs_volume_volume_type + type: keyword + description: Ebs volume volume type (e.g. gp2). + - name: ec2auto_scale_group + type: keyword + description: Ec2auto scale group (e.g. No AutoScale). + - name: ec2instance_id + type: keyword + description: Ec2instance id (e.g. i-00d0af67458cb4d24). + - name: ec2internet_access_via_lb + type: keyword + description: Ec2internet access via lb (e.g. No). + - name: ec2internet_access_via_vpc + type: keyword + description: Ec2internet access via vpc (e.g. Yes). + - name: ec2key_name + type: keyword + description: Ec2key name (e.g. Itay-key). + - name: ec2private_ip_address + type: ip + description: Ec2private ip address (e.g. 192.168.2.102). + - name: ec2public_ip_address + type: ip + description: Ec2public ip address (e.g. 3.69.20.107). + - name: ec2security_groups + type: group + fields: + - name: group_id + type: keyword + description: Group id (e.g. sg-08415938e0f0debf7). + - name: group_name + type: keyword + description: Group name (e.g. itay-subnet2-SecurityGroup). + - name: ec2subnet_id + type: keyword + description: Ec2subnet id (e.g. subnet-01b0888a263591ac6). + - name: ec2tags + type: group + fields: + - name: key + type: keyword + description: Key (e.g. Name). + - name: value + type: keyword + description: Value (e.g. win11). + - name: ec2vpc_id + type: keyword + description: Ec2vpc id (e.g. vpc-0e9f502a4d1b70878). + - name: ecr_repository_arn + type: keyword + description: Ecr repository arn (e.g. arn:aws:ecr:ca-central-1:302823744532:repository/xm-cyber). + - name: ecr_repository_creation_date + type: date + description: Ecr repository creation date (e.g. 2024-05-16T14:21:23.373Z). 
+ - name: ecr_repository_image_scanning_on_push + type: boolean + description: Ecr repository image scanning on push (e.g. False). + - name: ecr_repository_image_tag_mutability + type: keyword + description: Ecr repository image tag mutability (e.g. IMMUTABLE). + - name: ecr_repository_images + type: group + fields: + - name: artifact_media_type + type: keyword + description: Artifact media type (e.g. application/vnd.docker.container.image.v1+json). + - name: image_digest + type: keyword + description: Image digest (e.g. sha256:4576dc9c5c25b82b3c9af9e015772bef0d1885c65af40ee57635efa27762fbc7). + - name: image_manifest_media_type + type: keyword + description: Image manifest media type (e.g. application/vnd.docker.distribution.manifest.v2+json). + - name: image_pushed_at + type: date + description: Image pushed at (e.g. 2024-07-01T10:43:58.000Z). + - name: image_size_in_bytes + type: long + description: Image size in bytes (e.g. 87302242). + - name: image_status + type: keyword + description: Image status (e.g. ACTIVE). + - name: image_tags + type: keyword + description: Image tags (e.g. ["pr-148"]). + - name: last_recorded_pull_time + type: date + description: Last recorded pull time (e.g. 2026-05-06T23:37:16.835Z). + - name: registry_id + type: keyword + description: Registry id (e.g. 908522078858). + - name: repository_name + type: keyword + description: Repository name (e.g. xm-mgmt-pr-api-keys-manager). + - name: ecr_repository_name + type: keyword + description: Ecr repository name (e.g. xm-cyber). + - name: ecr_repository_registry_id + type: keyword + description: Ecr repository registry id (e.g. 302823744532). + - name: ecr_repository_uri + type: keyword + description: Ecr repository uri (e.g. 302823744532.dkr.ecr.ca-central-1.amazonaws.com/xm-cyber). + - name: elasticache_cache_cache_security_groups + type: long + description: Elasticache cache cache security groups (e.g. 0). 
+ - name: elasticache_cache_cluster_auth_token + type: boolean + description: Elasticache cache cluster auth token (e.g. False). + - name: elasticache_cache_cluster_create_time + type: date + description: Elasticache cache cluster create time (e.g. 2026-02-18T08:35:45.012Z). + - name: elasticache_cache_cluster_id + type: keyword + description: Elasticache cache cluster id (e.g. redis-maor-0002-002). + - name: elasticache_cache_cluster_num_cache_nodes + type: long + description: Elasticache cache cluster num cache nodes (e.g. 1). + - name: elasticache_cache_cluster_preferred_availability_zone + type: keyword + description: Elasticache cache cluster preferred availability zone (e.g. eu-west-1b). + - name: elasticache_cache_cluster_transit_encryption + type: boolean + description: Elasticache cache cluster transit encryption (e.g. True). + - name: elasticache_cache_cluster_vpc_id + type: keyword + description: Elasticache cache cluster vpc id (e.g. vpc-6e8b8708). + - name: elasticache_cache_node_type + type: keyword + description: Elasticache cache node type (e.g. cache.r7g.xlarge). + - name: elasticache_cache_parameter_group_name + type: keyword + description: Elasticache cache parameter group name (e.g. default.redis7.cluster.on). + - name: elasticache_cache_security_groups + type: long + description: Elasticache cache security groups (e.g. 1). + - name: elasticache_cache_subnet_group_name + type: keyword + description: Elasticache cache subnet group name (e.g. maor). + - name: elb_v2load_balancer_name + type: keyword + description: Elb v2load balancer name (e.g. xmcyber-97kjg-ext). + - name: elb_v2target_group_name + type: keyword + description: Elb v2target group name (e.g. xmcyber-97kjg-aext). + - name: encryption + type: boolean + description: Encryption (e.g. True). + - name: encryption_key + type: keyword + description: Encryption key (e.g. arn:aws:kms:us-east-1:908522078858:alias/aws/s3). 
+ - name: encryption_type
+ type: keyword
+ description: Encryption type (e.g. AES256).
+ - name: endpoint_address
+ type: keyword
+ description: Endpoint address (e.g. redshift-cluster.c8ri4vjslsze.us-west-1.redshift.amazonaws.com).
+ - name: endpoint_port
+ type: long
+ description: Endpoint port (e.g. 5439).
+ - name: engine
+ type: keyword
+ description: Engine (e.g. redis).
+ - name: engine_version
+ type: keyword
+ description: Engine version (e.g. 7.1.0).
+ - name: environment_image
+ type: keyword
+ description: Environment image (e.g. aws/codebuild/amazonlinux-x86_64-standard:5.0).
+ - name: environment_type
+ type: keyword
+ description: Environment type (e.g. LINUX_CONTAINER).
+ - name: expire_at
+ type: date
+ description: Expire at (e.g. 2026-07-05T10:41:14.000Z).
+ - name: fqdn
+ type: keyword
+ description: Fqdn (e.g. vpndc.vpn.Corporate.xm).
+ - name: gp_link
+ type: keyword
+ description: Gp link (e.g. [LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=vpn,D).
+ - name: guid
+ type: keyword
+ description: Guid (e.g. {C624BD51-11AA-4646-BD13-C752853BD2DA}).
+ - name: host_ip
+ type: ip
+ description: Host ip (e.g. 192.168.5.97).
+ - name: iam_unique_id
+ type: keyword
+ description: Iam unique id (e.g. AROA5HCBCYKFFYRQOIDLG).
+ - name: image_pull_secrets_name
+ type: keyword
+ description: Image pull secrets name (e.g. ["xm-dockerhub-secret"]).
+ - name: image_pull_secrets_name_to_display
+ type: keyword
+ description: Image pull secrets name to display (e.g. [ null ]).
+ - name: images
+ type: keyword
+ description: Images (e.g. [ "xmcyber/sensor:1.50.1" ]).
+ - name: images_to_display
+ type: keyword
+ description: Images to display (e.g. [ "docker.io/rancher/mirrored-metrics-server@sha256:89258156d0e9af60403eafd44d).
+ - name: instance_id
+ type: keyword
+ description: Instance id (e.g. i-00d0af67458cb4d24).
+ - name: is_highly_privileged
+ type: boolean
+ description: Is highly privileged (e.g. False).
+ - name: is_mfaenabled
+ type: boolean
+ description: Is mfaenabled (e.g. False).
+ - name: is_owner
+ type: keyword
+ description: Is owner (e.g. No).
+ - name: is_public
+ type: boolean
+ description: Is public (e.g. True).
+ - name: is_running
+ type: boolean
+ description: Is running (e.g. False).
+ - name: is_valid
+ type: boolean
+ description: Is valid (e.g. True).
+ - name: is_watched
+ type: boolean
+ description: Is watched (e.g. False).
+ - name: kernel_version
+ type: keyword
+ description: Kernel version (e.g. 6.17.5-200.fc42.x86_64).
+ - name: kube_proxy_version
+ type: keyword
+ description: Kube proxy version (e.g. ).
+ - name: kubelet_version
+ type: keyword
+ description: Kubelet version (e.g. v1.33.6+k3s1).
+ - name: kubernetes_annotations
+ type: keyword
+ description: Kubernetes annotations (e.g. {}).
+ - name: kubernetes_labels
+ type: keyword
+ description: 'Kubernetes labels (e.g. ["name: xm-sensor", "app.kubernetes.io/instance: xmcyber-sensor", "pod-template-).'
+ - name: lambda_description
+ type: keyword
+ description: Lambda description (e.g. dddd).
+ - name: lambda_runtime
+ type: keyword
+ description: Lambda runtime (e.g. nodejs20.x).
+ - name: lambda_version
+ type: keyword
+ description: Lambda version (e.g. $LATEST).
+ - name: last_activity_date
+ type: date
+ description: Last activity date (e.g. 2025-04-03T22:20:42.000Z).
+ - name: last_modified
+ type: date
+ description: Last modified (e.g. 2025-09-24T10:10:32.413Z).
+ - name: last_running_time
+ type: date
+ description: Last running time (e.g. 2026-05-06T09:05:15.079Z).
+ - name: launch_template_id
+ type: keyword
+ description: Launch template id (e.g. lt-056da5bfafc08dfb7).
+ - name: launch_template_name
+ type: keyword
+ description: Launch template name (e.g. shani).
+ - name: machine_account_quota
+ type: long
+ description: Machine account quota (e.g. 10).
+ - name: namespace
+ type: keyword
+ description: Namespace (e.g. haxm).
+ - name: node_images
+ type: group
+ fields:
+ - name: names
+ type: keyword
+ description: Names (e.g. ["docker.io/rancher/mirrored-metrics-server@sha256:89258156d0e9af60403eafd44da96).
+ - name: size_in_bytes
+ type: long
+ description: Size in bytes (e.g. 22493802).
+ - name: node_name
+ type: keyword
+ description: Node name (e.g. udoawslinux03.eu-north-1.compute.internal).
+ - name: nodes_in_node_group_count
+ type: long
+ description: Nodes in node group count (e.g. 0).
+ - name: not_reported_by_south_at
+ type: keyword
+ description: Not reported by south at (e.g. null).
+ - name: object_class
+ type: keyword
+ description: Object class (e.g. domainDNS).
+ - name: os_image
+ type: keyword
+ description: Os image (e.g. Fedora Linux 42 (Adams)).
+ - name: os_version_str
+ type: keyword
+ description: Os version str (e.g. 10.0.19045).
+ - name: owner_references
+ type: group
+ fields:
+ - name: block_owner_deletion
+ type: boolean
+ description: Block owner deletion (e.g. True).
+ - name: controller
+ type: boolean
+ description: Controller (e.g. True).
+ - name: kind
+ type: keyword
+ description: Kind (e.g. ReplicaSet).
+ - name: name
+ type: keyword
+ description: Name (e.g. xmcyber-sensor-85f5586455).
+ - name: uid
+ type: keyword
+ description: Uid (e.g. 8c5aa788-5284-4807-a918-f1d3d9445c7f).
+ - name: owner_references_to_display
+ type: keyword
+ description: 'Owner references to display (e.g. [ { "blockOwnerDeletion": true, "controller": true, "kind": "Repli).'
+ - name: password_hash
+ type: keyword
+ description: Password hash (e.g. 147317149651d67246e5e5f0de7f72b6c26ee1855f5eb10d33ace6df8adb6ed39742f1523b7e9613).
+ - name: pod_ip
+ type: ip
+ description: Pod ip (e.g. 10.42.0.10).
+ - name: public
+ type: boolean
+ description: Public (e.g. False).
+ - name: redshift_cluster_availability_status
+ type: keyword
+ description: Redshift cluster availability status (e.g. Available).
+ - name: redshift_cluster_cluster_version
+ type: keyword
+ description: Redshift cluster cluster version (e.g. 1.0).
+ - name: redshift_cluster_create_time
+ type: date
+ description: Redshift cluster create time (e.g. 2025-11-10T09:42:02.804Z).
+ - name: redshift_cluster_db_name
+ type: keyword
+ description: Redshift cluster db name (e.g. dev).
+ - name: redshift_cluster_identifier
+ type: keyword
+ description: Redshift cluster identifier (e.g. redshift-cluster).
+ - name: redshift_cluster_number_of_nodes
+ type: long
+ description: Redshift cluster number of nodes (e.g. 1).
+ - name: redshift_cluster_private_ipaddress
+ type: ip
+ description: Redshift cluster private ipaddress (e.g. 10.0.1.198).
+ - name: redshift_cluster_public_ipaddress
+ type: ip
+ description: Redshift cluster public ipaddress (e.g. 52.8.99.248).
+ - name: redshift_cluster_subnet_group_name
+ type: keyword
+ description: Redshift cluster subnet group name (e.g. discoverandresetpasswordnotpublicredshiftwithreachableec2-redshiftvpcsubnetgroup).
+ - name: redshift_cluster_vpc_id
+ type: keyword
+ description: Redshift cluster vpc id (e.g. vpc-05de6e857850c05f3).
+ - name: repository_name
+ type: keyword
+ description: Repository name (e.g. test).
+ - name: resource_version
+ type: keyword
+ description: Resource version (e.g. 1070).
+ - name: restart_policy
+ type: keyword
+ description: Restart policy (e.g. Always).
+ - name: role_description
+ type: keyword
+ description: Role description (e.g. Allows EC2 instances to call AWS services on your behalf.).
+ - name: role_max_session_duration
+ type: long
+ description: Role max session duration (e.g. 3600).
+ - name: rules
+ type: group
+ fields:
+ - name: api_groups
+ type: keyword
+ description: Api groups (e.g. [""]).
+ - name: resource_names
+ type: keyword
+ description: Resource names (e.g. ["kube-controller-manager"]).
+ - name: resources
+ type: keyword
+ description: Resources (e.g. ["configmaps"]).
+ - name: verbs
+ type: keyword
+ description: Verbs (e.g. ["watch"]).
+ - name: rules_to_display
+ type: keyword
+ description: 'Rules to display (e.g. [ { "apiGroups": [ "" ], "resources": [ "configmaps" ).'
+ - name: secret_names
+ type: keyword
+ description: Secret names (e.g. []).
+ - name: secret_rotation_lambda_arn
+ type: keyword
+ description: Secret rotation lambda arn (e.g. arn:aws:lambda:eu-west-1:908522078858:function:orisRotation).
+ - name: secret_type
+ type: keyword
+ description: Secret type (e.g. helm.sh/release.v1).
+ - name: security_context
+ type: keyword
+ description: 'Security context (e.g. { "fsGroup": 1031, "runAsNonRoot": true, "runAsUser": 1031, "seccompProf).'
+ - name: security_group_name
+ type: keyword
+ description: Security group name (e.g. vulnerable-sg-0cb516b).
+ - name: service_account
+ type: keyword
+ description: Service account (e.g. xm-service-account).
+ - name: service_account_name
+ type: keyword
+ description: Service account name (e.g. xm-service-account).
+ - name: service_role
+ type: keyword
+ description: Service role (e.g. arn:aws:iam::908522078858:role/service-role/codebuild-yadgartest-service-role).
+ - name: service_spec
+ type: group
+ fields:
+ - name: allocate_load_balancer_node_ports
+ type: boolean
+ description: Allocate load balancer node ports (e.g. True).
+ - name: cluster_ip
+ type: ip
+ description: Cluster ip (e.g. 10.43.227.17).
+ - name: cluster_ips
+ type: ip
+ description: Cluster ips (e.g. ["10.43.227.17"]).
+ - name: external_ips
+ type: keyword
+ description: External ips (e.g. []).
+ - name: external_name
+ type: keyword
+ description: External name (e.g. ).
+ - name: external_traffic_policy
+ type: keyword
+ description: External traffic policy (e.g. Cluster).
+ - name: health_check_node_port
+ type: long
+ description: Health check node port (e.g. 0).
+ - name: internal_traffic_policy
+ type: keyword
+ description: Internal traffic policy (e.g. Cluster).
+ - name: ip_families
+ type: keyword
+ description: Ip families (e.g. ["IPv4"]).
+ - name: ip_family_policy
+ type: keyword
+ description: Ip family policy (e.g. PreferDualStack).
+ - name: load_balancer_class
+ type: keyword
+ description: Load balancer class (e.g. ).
+ - name: load_balancer_ip
+ type: keyword
+ description: Load balancer ip (e.g. ).
+ - name: load_balancer_source_ranges
+ type: keyword
+ description: Load balancer source ranges (e.g. []).
+ - name: ports
+ type: group
+ fields:
+ - name: app_protocol
+ type: keyword
+ description: App protocol (e.g. ).
+ - name: name
+ type: keyword
+ description: Name (e.g. web).
+ - name: node_port
+ type: long
+ description: Node port (e.g. 32570).
+ - name: port
+ type: long
+ description: Port (e.g. 80).
+ - name: protocol
+ type: keyword
+ description: Protocol (e.g. TCP).
+ - name: target_port
+ type: keyword
+ description: Target port (e.g. web).
+ - name: publish_not_ready_addresses
+ type: boolean
+ description: Publish not ready addresses (e.g. False).
+ - name: selector
+ type: flattened
+ description: 'Selector (e.g. {"app.kubernetes.io/instance": "traefik-kube-system", "app.kubernetes.io/name": ).'
+ - name: session_affinity
+ type: keyword
+ description: Session affinity (e.g. None).
+ - name: session_affinity_config
+ type: group
+ fields:
+ - name: client_ip
+ type: group
+ fields:
+ - name: timeout_seconds
+ type: long
+ description: Timeout seconds (e.g. 0).
+ - name: type
+ type: keyword
+ description: Type (e.g. LoadBalancer).
+ - name: sid
+ type: keyword
+ description: Sid (e.g. S-1-5-21-3955220616-103436932-1560667138).
+ - name: spec
+ type: group
+ fields:
+ - name: controller
+ type: keyword
+ description: Controller (e.g. traefik.io/ingress-controller).
+ - name: parameters
+ type: group
+ fields:
+ - name: group
+ type: keyword
+ description: Group (e.g. ).
+ - name: kind
+ type: keyword
+ description: Kind (e.g. ).
+ - name: name
+ type: keyword
+ description: Name (e.g. ).
+ - name: namespace
+ type: keyword
+ description: Namespace (e.g. ).
+ - name: sqs_queue_arn
+ type: keyword
+ description: Sqs queue arn (e.g. arn:aws:sqs:us-east-1:908522078858:roi-yadgar-queue).
+ - name: sqs_queue_created_timestamp
+ type: keyword
+ description: Sqs queue created timestamp (e.g. 1735769555).
+ - name: sqs_queue_last_modified_date
+ type: date
+ description: Sqs queue last modified date (e.g. 1970-01-21T02:09:29.642Z).
+ - name: sqs_queue_last_modified_timestamp
+ type: keyword
+ description: Sqs queue last modified timestamp (e.g. 1735769642).
+ - name: sqs_queue_name
+ type: keyword
+ description: Sqs queue name (e.g. roi-yadgar-queue).
+ - name: sqs_queue_url
+ type: keyword
+ description: Sqs queue url (e.g. https://sqs.us-east-1.amazonaws.com/908522078858/roi-yadgar-queue).
+ - name: state
+ type: keyword
+ description: State (e.g. In-use).
+ - name: system_uuid
+ type: keyword
+ description: System uuid (e.g. a3a7d001-bc73-48bd-0609-c63b9d59ff7d).
+ - name: top_owner_name
+ type: keyword
+ description: Top owner name (e.g. xmcyber-sensor).
+ - name: uid
+ type: keyword
+ description: Uid (e.g. 27c684bf-90ea-40c2-8e61-65e5f4156b2b).
+ - name: user_access_keys_count
+ type: long
+ description: User access keys count (e.g. 0).
+ - name: user_name
+ type: keyword
+ description: User name (e.g. wdagutilityaccount).
+ - name: version_number
+ type: long
+ description: Version number (e.g. 1).
+ - name: vpc_config
+ type: group
+ fields:
+ - name: ipv6allowed_for_dual_stack
+ type: boolean
+ description: Ipv6allowed for dual stack (e.g. False).
+ - name: security_group_ids
+ type: keyword
+ description: Security group ids (e.g. []).
+ - name: subnet_ids
+ type: keyword
+ description: Subnet ids (e.g. []).
+ - name: vpc_id
+ type: keyword
+ description: Vpc id (e.g. ).
+ - name: when_created
+ type: date
+ description: When created (e.g. 2020-03-27T20:42:23.000Z).
+ - name: xm_mongo_update_time
+ type: date
+ description: Xm mongo update time (e.g. 2026-05-06T10:43:14.469Z).
+ - name: yaml_representation
+ type: keyword
+ description: 'Yaml representation (e.g. metadata: annotations: meta.helm.sh/release-name: "traefik" meta.helm.).'
+- name: host
+ type: group
+ fields:
+ - name: entity
+ type: group
+ fields:
+ - name: lifecycle
+ type: group
+ fields:
+ - name: last_activity
+ type: date
+ description: Timestamp of the most recent action performed by or attributed to this entity (active use)
+- name: user
+ type: group
+ fields:
+ - name: entity
+ type: group
+ fields:
+ - name: lifecycle
+ type: group
+ fields:
+ - name: last_activity
+ type: date
+ description: Timestamp of the most recent action performed by or attributed to this entity (active use).
+ - name: attributes
+ type: group
+ fields:
+ - name: mfa_enabled
+ type: boolean
+ description: Indicates whether multi-factor authentication is enabled for this entity.
diff --git a/packages/xm_cyber/data_stream/entity_inventory/manifest.yml b/packages/xm_cyber/data_stream/entity_inventory/manifest.yml
new file mode 100644
index 00000000000..8d813c9f124
--- /dev/null
+++ b/packages/xm_cyber/data_stream/entity_inventory/manifest.yml
@@ -0,0 +1,61 @@
+title: Entity Inventory
+type: logs
+streams:
+ - input: cel
+ title: Entity Inventory
+ description: Collect Entity Inventory logs from XM Cyber.
+ template_path: cel.yml.hbs
+ vars:
+ - name: interval
+ type: text
+ title: Interval
+ description: How often to poll the XM Cyber Entity Inventory API. Supported time units are s, m, h.
+ required: true
+ show_user: true
+ default: 24h
+ - name: page_size
+ type: integer
+ title: Page size
+ description: Number of entity inventory records to request per page.
+ required: true
+ show_user: false
+ default: 1000
+ - name: http_client_timeout
+ type: text
+ title: HTTP Client Timeout
+ description: Duration before the HTTP client request times out (e.g. 60s).
+ required: true
+ show_user: false
+ default: 60s
+ - name: enable_request_tracer
+ type: bool
+ title: Enable request tracing
+ description: Log HTTP request/response traces to the agent for debugging. Do not enable in production.
+ required: false
+ show_user: false
+ default: false
+ - name: tags
+ type: text
+ title: Tags
+ description: Tags to add to every collected event.
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - forwarded
+ - xm_cyber-entity_inventory
+ - name: preserve_original_event
+ type: bool
+ title: Preserve original event
+ description: Keep a copy of the raw event in `event.original`.
+ required: true
+ show_user: true
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
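Review bot: The `preserve_original_event` description in this manifest (`Keep a copy of the raw event in event.original.`) does not say that entity inventory records can carry credential material — the fields.yml in this same change maps `password_hash` and `cred_type` (example value NTLM_HASH) — so enabling it retains those values verbatim in `event.original` alongside the parsed fields, where field-level security written against the `xm_cyber.entity_inventory.*` names does not reach them. Consider extending the description to `Keep a copy of the raw event in event.original. Entity records may contain sensitive attributes such as credential hashes; enabling this also stores them unparsed.` The `enable_request_tracer` warning "Do not enable in production" could likewise name the reason, since the traces it describes include the full API response bodies and so the same attributes.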
diff --git a/packages/xm_cyber/data_stream/entity_inventory/sample_event.json b/packages/xm_cyber/data_stream/entity_inventory/sample_event.json
new file mode 100644
index 00000000000..6400b27d88f
--- /dev/null
+++ b/packages/xm_cyber/data_stream/entity_inventory/sample_event.json
@@ -0,0 +1,98 @@
+{
+ "@timestamp": "2026-05-05T21:05:15.079Z",
+ "agent": {
+ "ephemeral_id": "6c1ebfc4-c22b-499c-b0d4-5e5f1e426c06",
+ "id": "1845b4e9-3751-4e02-b895-a3f1bcf9a334",
+ "name": "elastic-agent-15257",
+ "type": "filebeat",
+ "version": "8.18.0"
+ },
+ "cloud": {
+ "account": {
+ "id": "702947630755",
+ "name": "xm-test3"
+ },
+ "instance": {
+ "name": "/CodeBuild/accessKeys"
+ },
+ "region": "us-east-1"
+ },
+ "data_stream": {
+ "dataset": "xm_cyber.entity_inventory",
+ "namespace": "59138",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "9.3.0"
+ },
+ "elastic_agent": {
+ "id": "1845b4e9-3751-4e02-b895-a3f1bcf9a334",
+ "snapshot": false,
+ "version": "8.18.0"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "dataset": "xm_cyber.entity_inventory",
+ "id": "awsSsmParameter-arn:aws:ssm:us-east-1:702947630755:parameter/CodeBuild/accessKeys",
+ "ingested": "2026-06-18T10:55:25Z",
+ "kind": "asset",
+ "original": "{\"accountId\":\"702947630755\",\"accountName\":\"xm-test3\",\"arn\":\"arn:aws:ssm:us-east-1:702947630755:parameter/CodeBuild/accessKeys\",\"category\":\"Cloud\",\"customProperties\":{\"domainWorkgroup\":{\"data\":\"AWS/702947630755\",\"type\":\"domain\"},\"ouComputer\":\"AWS/702947630755/us-east-1/SSM/ParameterMetadata\",\"ouUser\":\"AWS/702947630755/SSM/ParameterMetadata\",\"subnetInfo\":\"AWS_702947630755_us-east-1\"},\"disabled\":false,\"displayName\":\"/CodeBuild/accessKeys\",\"entityDetails\":{\"id\":\"awsSsmParameter-arn:aws:ssm:us-east-1:702947630755:parameter/CodeBuild/accessKeys\",\"isAsset\":null,\"name\":\"/CodeBuild/accessKeys\",\"subType\":\"awsSsmParameter\",\"subTypeDisplayName\":\"AWS SSM Parameter\"},\"entityType\":\"AwsSsmParameterEntity\",\"id\":\"awsSsmParameter-arn:aws:ssm:us-east-1:702947630755:parameter/CodeBuild/accessKeys\",\"name\":\"/CodeBuild/accessKeys\",\"notIncludedInAttacks\":false,\"organizationId\":\"o-wvjziar78j\",\"region\":\"us-east-1\",\"ruleDisplayName\":\"702947630755 / 
/CodeBuild/accessKeys\",\"ssmParameterDataType\":\"text\",\"ssmParameterKeyId\":\"alias/aws/ssm\",\"ssmParameterLastModifiedDate\":\"2020-07-19T09:53:58.629Z\",\"ssmParameterLastModifiedUser\":\"arn:aws:sts::702947630755:assumed-role/AWSReservedSSO_AdministratorAccess_4b70f7a69b186776/zur@xmcyber.com\",\"ssmParameterName\":\"/CodeBuild/accessKeys\",\"ssmParameterTier\":\"Standard\",\"ssmParameterType\":\"SecureString\",\"ssmParameterVersion\":1,\"status\":\"active\",\"type\":\"awsSsmParameter\",\"typeDisplayName\":\"AWS SSM Parameter\",\"useType\":\"Storage\",\"xmProviderAccount\":\"xm-test3\",\"xmUpdateTime\":\"2026-05-05T21:05:15.079Z\"}"
+ },
+ "input": {
+ "type": "cel"
+ },
+ "organization": {
+ "id": "o-wvjziar78j"
+ },
+ "related": {
+ "hosts": [
+ "arn:aws:ssm:us-east-1:702947630755:parameter/CodeBuild/accessKeys",
+ "/CodeBuild/accessKeys"
+ ]
+ },
+ "tags": [
+ "preserve_original_event",
+ "forwarded",
+ "xm_cyber-entity_inventory"
+ ],
+ "xm_cyber": {
+ "entity_inventory": {
+ "arn": "arn:aws:ssm:us-east-1:702947630755:parameter/CodeBuild/accessKeys",
+ "category": "Cloud",
+ "custom_properties": {
+ "domain_workgroup": {
+ "data": "AWS/702947630755",
+ "type": "domain"
+ },
+ "ou_computer": "AWS/702947630755/us-east-1/SSM/ParameterMetadata",
+ "ou_user": "AWS/702947630755/SSM/ParameterMetadata",
+ "subnet_info": "AWS_702947630755_us-east-1"
+ },
+ "disabled": false,
+ "display_name": "/CodeBuild/accessKeys",
+ "entity_details": {
+ "id": "awsSsmParameter-arn:aws:ssm:us-east-1:702947630755:parameter/CodeBuild/accessKeys",
+ "name": "/CodeBuild/accessKeys",
+ "sub_type": "awsSsmParameter",
+ "sub_type_display_name": "AWS SSM Parameter"
+ },
+ "entity_type": "AwsSsmParameterEntity",
+ "name": "/CodeBuild/accessKeys",
+ "not_included_in_attacks": false,
+ "rule_display_name": "702947630755 / /CodeBuild/accessKeys",
+ "ssm_parameter_data_type": "text",
+ "ssm_parameter_key_id": "alias/aws/ssm",
+ "ssm_parameter_last_modified_date": 
"2020-07-19T09:53:58.629Z",
+ "ssm_parameter_last_modified_user": "arn:aws:sts::702947630755:assumed-role/AWSReservedSSO_AdministratorAccess_4b70f7a69b186776/zur@xmcyber.com",
+ "ssm_parameter_name": "/CodeBuild/accessKeys",
+ "ssm_parameter_tier": "Standard",
+ "ssm_parameter_type": "SecureString",
+ "ssm_parameter_version": 1,
+ "status": "active",
+ "type": "awsSsmParameter",
+ "type_display_name": "AWS SSM Parameter",
+ "use_type": "Storage",
+ "xm_provider_account": "xm-test3"
+ }
+ }
+}
diff --git a/packages/xm_cyber/docs/README.md b/packages/xm_cyber/docs/README.md
index 374ed61e21a..6a59520e408 100644
--- a/packages/xm_cyber/docs/README.md
+++ b/packages/xm_cyber/docs/README.md
@@ -8,7 +8,7 @@ This integration collects data from the XM Cyber REST API using scheduled pollin
 ### Compatibility
-The XM Cyber integration is compatible with the API version **1.0.0**.
+The XM Cyber integration is compatible with the API version **v2**.
 ### How it works
@@ -26,12 +26,14 @@ The XM Cyber integration collects the following types of data:
 |---|---|---|
 | `audit_trail` | Audit Records | `/api/audit-trail/auditRecords` |
 | `vulnerability` | CVE records from XM Cyber's Vulnerability Risk Management (VRM) feed, including CVSS v2/v3/v4 scores, EPSS metrics, CISA KEV / in-the-wild exploitation flags, and per-CVE counts of devices, products, and critical assets at risk | `/api/v2/vrm/public/vulnerabilities` |
+| `entity_inventory` | Inventory of entities (devices, identities, and cloud resources) tracked by XM Cyber, enriched with OS, network, agent, and cloud-account metadata. | `/api/entityInventory/entities` |
 ### Supported use cases
 - **Audit and compliance monitoring**: Track administrative and user activity within your XM Cyber tenant — including console logins, sensor scan results, and configuration changes — and correlate it with the rest of your security telemetry to support compliance reviews and incident investigations.
 - **Risk-based vulnerability prioritization**: Rank CVEs by CVSS impact, EPSS exploit probability, and CISA KEV / in-the-wild exploitation flags to focus remediation effort where it actually reduces business risk.
 - **Attack-path-aware exposure analysis**: Correlate detected CVEs with XM Cyber's attack-technique simulations to identify which vulnerabilities act as choke points or stepping stones to crown-jewel assets.
+- **Asset and exposure visibility**: Maintain a unified inventory of the devices, identities, and cloud resources XM Cyber discovers across hybrid environments — with OS, network, agent, and cloud-account context — to support asset management, attack-surface monitoring, and prioritization of critical assets.
 ## What do I need to use this integration?
@@ -371,6 +373,490 @@ An example event for `vulnerability` looks as following:
 }
 ```
+### Entity Inventory
+
+#### Entity Inventory fields
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| data_stream.dataset | Data stream dataset. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| event.dataset | Event dataset. | constant_keyword |
+| event.module | Event module. | constant_keyword |
+| host.entity.lifecycle.last_activity | Timestamp of the most recent action performed by or attributed to this entity (active use) | date |
+| input.type | Type of filebeat input. | keyword |
+| observer.product | The product name of the observer. | constant_keyword |
+| observer.vendor | Vendor name of the observer. | constant_keyword |
+| user.entity.attributes.mfa_enabled | Indicates whether multi-factor authentication is enabled for this entity. | boolean |
+| user.entity.lifecycle.last_activity | Timestamp of the most recent action performed by or attributed to this entity (active use). | date |
+| xm_cyber.entity_inventory.access_key_creation_date | Access key creation date (e.g. 2024-10-01T10:06:58.000Z). | date |
+| xm_cyber.entity_inventory.account_id | AWS account identifier associated with the entity. | keyword |
+| xm_cyber.entity_inventory.account_name | AWS account name associated with the entity. | keyword |
+| xm_cyber.entity_inventory.activity_period | Activity period (e.g. Inactive: Never Used). | keyword |
+| xm_cyber.entity_inventory.agent_type | Type of XM Cyber agent reporting the entity (when applicable). | keyword |
+| xm_cyber.entity_inventory.agent_version.major | Agent version major component. | long |
+| xm_cyber.entity_inventory.agent_version.minor | Agent version minor component. | long |
+| xm_cyber.entity_inventory.agent_version.patch | Agent version patch component. 
| long |
+| xm_cyber.entity_inventory.agent_version_str | XM Cyber agent version reported as a single string (e.g. 1.8.210). | keyword |
+| xm_cyber.entity_inventory.arch | Hardware architecture reported for the entity. | keyword |
+| xm_cyber.entity_inventory.architecture | Architecture (e.g. amd64). | keyword |
+| xm_cyber.entity_inventory.arn | AWS resource ARN associated with the entity. | keyword |
+| xm_cyber.entity_inventory.availability_zone | Availability zone (e.g. us-east-1b). | keyword |
+| xm_cyber.entity_inventory.aws_tags | AWS tags attached to the entity (array of key/value pairs). | flattened |
+| xm_cyber.entity_inventory.aws_user_name | Aws user name (e.g. xmcyber-eldar-arn-iam-user-sts-QRc9n12OTGiq). | keyword |
+| xm_cyber.entity_inventory.behavior_version | Behavior version (e.g. 7). | keyword |
+| xm_cyber.entity_inventory.boot_id | Boot id (e.g. 004c6ece-9317-40e7-9a15-d24df7709df0). | keyword |
+| xm_cyber.entity_inventory.canonical_name | Canonical name (e.g. vpn.Corporate.xm/). | keyword |
+| xm_cyber.entity_inventory.category | Vendor category classification for the entity. | keyword |
+| xm_cyber.entity_inventory.cloud_provider | Cloud provider (e.g. UNSUPPORTED_CLOUD_PROVIDER). | keyword |
+| xm_cyber.entity_inventory.cluster_name | Cluster name (e.g. udoawsk8s). | keyword |
+| xm_cyber.entity_inventory.cluster_role_rules.api_groups | Api groups (e.g. ["authorization.k8s.io"]). | keyword |
+| xm_cyber.entity_inventory.cluster_role_rules.non_resource_urls | Non resource urls (e.g. ["/version/", "/apis/\*", "/openapi", "/api", "/version", "/livez", "/apis", "/re). | keyword |
+| xm_cyber.entity_inventory.cluster_role_rules.resource_names | Resource names (e.g. ["kubernetes.io/kube-apiserver-client"]). | keyword |
+| xm_cyber.entity_inventory.cluster_role_rules.resources | Resources (e.g. ["localsubjectaccessreviews"]). | keyword |
+| xm_cyber.entity_inventory.cluster_role_rules.verbs | Verbs (e.g. ["create"]). 
| keyword |
+| xm_cyber.entity_inventory.cluster_role_rules_to_display | Cluster role rules to display (e.g. [ \{ "apiGroups": [ "authorization.k8s.io" ], "resources": [ ). | keyword |
+| xm_cyber.entity_inventory.cluster_unique_id | Cluster unique id (e.g. 0617e36e156eacec443c98be905fb028ff739448fb763421528f2034ea3058a8). | keyword |
+| xm_cyber.entity_inventory.cm_id | Configuration management identifier for the entity. | keyword |
+| xm_cyber.entity_inventory.comments | Comments (e.g. []). | flattened |
+| xm_cyber.entity_inventory.connection_counter | Number of times the entity has connected to XM Cyber. | long |
+| xm_cyber.entity_inventory.container_runtime_version | Container runtime version (e.g. containerd://2.1.5-k3s1.33). | keyword |
+| xm_cyber.entity_inventory.create_time | Create time (e.g. 2026-03-02T18:36:07.000Z). | date |
+| xm_cyber.entity_inventory.created | Created (e.g. 2025-09-24T10:10:32.413Z). | date |
+| xm_cyber.entity_inventory.created_by | Created by (e.g. arn:aws:sts::908522078858:assumed-role/AWSReservedSSO_AdministratorAccess_a84c80). | keyword |
+| xm_cyber.entity_inventory.created_date | Created date (e.g. 2022-08-03T07:44:06.000Z). | date |
+| xm_cyber.entity_inventory.creation_timestamp | Creation timestamp (e.g. 2025-12-04T14:10:01.000Z). | date |
+| xm_cyber.entity_inventory.cred_type | Cred type (e.g. NTLM_HASH). | keyword |
+| xm_cyber.entity_inventory.custom_properties.custom_labels | User-defined labels attached to the entity. | flattened |
+| xm_cyber.entity_inventory.custom_properties.domain_workgroup.data | Domain or workgroup name. | keyword |
+| xm_cyber.entity_inventory.custom_properties.domain_workgroup.type | Discriminator (e.g., domain, workgroup). | keyword |
+| xm_cyber.entity_inventory.custom_properties.hardware_info.cpu_core_count | Number of CPU cores reported for the host. | long |
+| xm_cyber.entity_inventory.custom_properties.hardware_info.cpu_count | Number of CPUs reported for the host. 
| long |
+| xm_cyber.entity_inventory.custom_properties.hardware_info.cpu_manufacturer | CPU manufacturer string. | keyword |
+| xm_cyber.entity_inventory.custom_properties.hardware_info.cpu_processor_type | CPU processor type string. | keyword |
+| xm_cyber.entity_inventory.custom_properties.hardware_info.cpu_speed_mhz | CPU speed in MHz. | long |
+| xm_cyber.entity_inventory.custom_properties.hardware_info.system_manufacturer | System manufacturer string. | keyword |
+| xm_cyber.entity_inventory.custom_properties.hardware_info.system_model | System model string. | keyword |
+| xm_cyber.entity_inventory.custom_properties.hardware_info.total_ram_mb | Total RAM in MB as reported by the vendor (string). | keyword |
+| xm_cyber.entity_inventory.custom_properties.labels | Vendor-managed labels attached to the entity. | flattened |
+| xm_cyber.entity_inventory.custom_properties.mac_addresses | MAC addresses reported for the entity. | keyword |
+| xm_cyber.entity_inventory.custom_properties.ou_computer | Organisational unit path for the computer object. | keyword |
+| xm_cyber.entity_inventory.custom_properties.ou_user | Organisational unit path for the user object. | keyword |
+| xm_cyber.entity_inventory.custom_properties.sniffer_status | Current sniffer status string. | keyword |
+| xm_cyber.entity_inventory.custom_properties.sniffer_status_changeable | Whether the sniffer status is user-changeable. | boolean |
+| xm_cyber.entity_inventory.custom_properties.sniffer_status_configuration | Sniffer status configuration string. | keyword |
+| xm_cyber.entity_inventory.custom_properties.subnet_info | Subnet information string when reported. | keyword |
+| xm_cyber.entity_inventory.customer_id | XM Cyber customer identifier. | keyword |
+| xm_cyber.entity_inventory.default_version | Default version (e.g. True). | boolean |
+| xm_cyber.entity_inventory.deployment_type | Deployment type (e.g. ReplicaSet). 
| keyword |
+| xm_cyber.entity_inventory.disabled | Whether the entity is disabled. | boolean |
+| xm_cyber.entity_inventory.disabled_changed_at | Time at which the disabled state last changed. | date |
+| xm_cyber.entity_inventory.disabled_reason | Reason the entity was disabled. | keyword |
+| xm_cyber.entity_inventory.display_name | Human-readable display name for the entity. | keyword |
+| xm_cyber.entity_inventory.distinguished_name | Distinguished name (e.g. DC=vpn,DC=Corporate,DC=xm). | keyword |
+| xm_cyber.entity_inventory.dns_host_name | Dns host name (e.g. vpndc.vpn.Corporate.xm). | keyword |
+| xm_cyber.entity_inventory.dns_policy | Dns policy (e.g. ClusterFirst). | keyword |
+| xm_cyber.entity_inventory.domain_name | Domain name associated with the entity when reported. | keyword |
+| xm_cyber.entity_inventory.domain_owner | Domain owner (e.g. 908522078858). | keyword |
+| xm_cyber.entity_inventory.domain_sid | Domain sid (e.g. S-1-5-21-3955220616-103436932-1560667138). | keyword |
+| xm_cyber.entity_inventory.dynamo_db_table_creation_date_time | Dynamo db table creation date time (e.g. 2021-10-26T07:59:54.362Z). | date |
+| xm_cyber.entity_inventory.dynamo_db_table_item_count | Dynamo db table item count (e.g. 0). | long |
+| xm_cyber.entity_inventory.dynamo_db_table_size_bytes | Dynamo db table size bytes (e.g. 0). | long |
+| xm_cyber.entity_inventory.ebs_volume_attachments.attach_time | Attach time (e.g. 2026-03-18T14:45:23.000Z). | date |
+| xm_cyber.entity_inventory.ebs_volume_attachments.delete_on_termination | Delete on termination (e.g. True). | boolean |
+| xm_cyber.entity_inventory.ebs_volume_attachments.device | Device (e.g. /dev/sdb). | keyword |
+| xm_cyber.entity_inventory.ebs_volume_attachments.ebs_card_index | Ebs card index (e.g. 0). | long |
+| xm_cyber.entity_inventory.ebs_volume_attachments.instance_id | Instance id (e.g. i-0e03149a06907c827). | keyword |
+| xm_cyber.entity_inventory.ebs_volume_attachments.state | State (e.g. 
attached). | keyword |
+| xm_cyber.entity_inventory.ebs_volume_attachments.volume_id | Volume id (e.g. vol-00073da63bfe48dad). | keyword |
+| xm_cyber.entity_inventory.ebs_volume_create_time | Ebs volume create time (e.g. 2026-03-18T14:45:23.445Z). | date |
+| xm_cyber.entity_inventory.ebs_volume_id | Ebs volume id (e.g. vol-00073da63bfe48dad). | keyword |
+| xm_cyber.entity_inventory.ebs_volume_iops | Ebs volume iops (e.g. 100). | long |
+| xm_cyber.entity_inventory.ebs_volume_kms_key_id | Ebs volume kms key id (e.g. arn:aws:kms:us-east-1:908522078858:key/7a079e1f-3b2b-427c-9a03-a6471d754d36). | keyword |
+| xm_cyber.entity_inventory.ebs_volume_multi_attach_enabled | Ebs volume multi attach enabled (e.g. False). | boolean |
+| xm_cyber.entity_inventory.ebs_volume_size | Ebs volume size (e.g. 32). | long |
+| xm_cyber.entity_inventory.ebs_volume_snapshot_id | Ebs volume snapshot id (e.g. snap-02b09548e23285e0b). | keyword |
+| xm_cyber.entity_inventory.ebs_volume_volume_type | Ebs volume volume type (e.g. gp2). | keyword |
+| xm_cyber.entity_inventory.ec2auto_scale_group | Ec2auto scale group (e.g. No AutoScale). | keyword |
+| xm_cyber.entity_inventory.ec2instance_id | Ec2instance id (e.g. i-00d0af67458cb4d24). | keyword |
+| xm_cyber.entity_inventory.ec2internet_access_via_lb | Ec2internet access via lb (e.g. No). | keyword |
+| xm_cyber.entity_inventory.ec2internet_access_via_vpc | Ec2internet access via vpc (e.g. Yes). | keyword |
+| xm_cyber.entity_inventory.ec2key_name | Ec2key name (e.g. Itay-key). | keyword |
+| xm_cyber.entity_inventory.ec2private_ip_address | Ec2private ip address (e.g. 192.168.2.102). | ip |
+| xm_cyber.entity_inventory.ec2public_ip_address | Ec2public ip address (e.g. 3.69.20.107). | ip |
+| xm_cyber.entity_inventory.ec2security_groups.group_id | Group id (e.g. sg-08415938e0f0debf7). | keyword |
+| xm_cyber.entity_inventory.ec2security_groups.group_name | Group name (e.g. itay-subnet2-SecurityGroup). 
| keyword |
+| xm_cyber.entity_inventory.ec2subnet_id | Ec2subnet id (e.g. subnet-01b0888a263591ac6). | keyword |
+| xm_cyber.entity_inventory.ec2tags.key | Key (e.g. Name). | keyword |
+| xm_cyber.entity_inventory.ec2tags.value | Value (e.g. win11). | keyword |
+| xm_cyber.entity_inventory.ec2vpc_id | Ec2vpc id (e.g. vpc-0e9f502a4d1b70878). | keyword |
+| xm_cyber.entity_inventory.ecr_repository_arn | Ecr repository arn (e.g. arn:aws:ecr:ca-central-1:302823744532:repository/xm-cyber). | keyword |
+| xm_cyber.entity_inventory.ecr_repository_creation_date | Ecr repository creation date (e.g. 2024-05-16T14:21:23.373Z). | date |
+| xm_cyber.entity_inventory.ecr_repository_image_scanning_on_push | Ecr repository image scanning on push (e.g. False). | boolean |
+| xm_cyber.entity_inventory.ecr_repository_image_tag_mutability | Ecr repository image tag mutability (e.g. IMMUTABLE). | keyword |
+| xm_cyber.entity_inventory.ecr_repository_images.artifact_media_type | Artifact media type (e.g. application/vnd.docker.container.image.v1+json). | keyword |
+| xm_cyber.entity_inventory.ecr_repository_images.image_digest | Image digest (e.g. sha256:4576dc9c5c25b82b3c9af9e015772bef0d1885c65af40ee57635efa27762fbc7). | keyword |
+| xm_cyber.entity_inventory.ecr_repository_images.image_manifest_media_type | Image manifest media type (e.g. application/vnd.docker.distribution.manifest.v2+json). | keyword |
+| xm_cyber.entity_inventory.ecr_repository_images.image_pushed_at | Image pushed at (e.g. 2024-07-01T10:43:58.000Z). | date |
+| xm_cyber.entity_inventory.ecr_repository_images.image_size_in_bytes | Image size in bytes (e.g. 87302242). | long |
+| xm_cyber.entity_inventory.ecr_repository_images.image_status | Image status (e.g. ACTIVE). | keyword |
+| xm_cyber.entity_inventory.ecr_repository_images.image_tags | Image tags (e.g. ["pr-148"]). | keyword |
+| xm_cyber.entity_inventory.ecr_repository_images.last_recorded_pull_time | Last recorded pull time (e.g. 
2026-05-06T23:37:16.835Z). | date |
+| xm_cyber.entity_inventory.ecr_repository_images.registry_id | Registry id (e.g. 908522078858). | keyword |
+| xm_cyber.entity_inventory.ecr_repository_images.repository_name | Repository name (e.g. xm-mgmt-pr-api-keys-manager). | keyword |
+| xm_cyber.entity_inventory.ecr_repository_name | Ecr repository name (e.g. xm-cyber). | keyword |
+| xm_cyber.entity_inventory.ecr_repository_registry_id | Ecr repository registry id (e.g. 302823744532). | keyword |
+| xm_cyber.entity_inventory.ecr_repository_uri | Ecr repository uri (e.g. 302823744532.dkr.ecr.ca-central-1.amazonaws.com/xm-cyber). | keyword |
+| xm_cyber.entity_inventory.elasticache_cache_cache_security_groups | Elasticache cache cache security groups (e.g. 0). | long |
+| xm_cyber.entity_inventory.elasticache_cache_cluster_auth_token | Elasticache cache cluster auth token (e.g. False). | boolean |
+| xm_cyber.entity_inventory.elasticache_cache_cluster_create_time | Elasticache cache cluster create time (e.g. 2026-02-18T08:35:45.012Z). | date |
+| xm_cyber.entity_inventory.elasticache_cache_cluster_id | Elasticache cache cluster id (e.g. redis-maor-0002-002). | keyword |
+| xm_cyber.entity_inventory.elasticache_cache_cluster_num_cache_nodes | Elasticache cache cluster num cache nodes (e.g. 1). | long |
+| xm_cyber.entity_inventory.elasticache_cache_cluster_preferred_availability_zone | Elasticache cache cluster preferred availability zone (e.g. eu-west-1b). | keyword |
+| xm_cyber.entity_inventory.elasticache_cache_cluster_transit_encryption | Elasticache cache cluster transit encryption (e.g. True). | boolean |
+| xm_cyber.entity_inventory.elasticache_cache_cluster_vpc_id | Elasticache cache cluster vpc id (e.g. vpc-6e8b8708). | keyword |
+| xm_cyber.entity_inventory.elasticache_cache_node_type | Elasticache cache node type (e.g. cache.r7g.xlarge). 
| keyword |
+| xm_cyber.entity_inventory.elasticache_cache_parameter_group_name | Elasticache cache parameter group name (e.g. default.redis7.cluster.on). | keyword |
+| xm_cyber.entity_inventory.elasticache_cache_security_groups | Elasticache cache security groups (e.g. 1). | long |
+| xm_cyber.entity_inventory.elasticache_cache_subnet_group_name | Elasticache cache subnet group name (e.g. maor). | keyword |
+| xm_cyber.entity_inventory.elb_v2load_balancer_name | Elb v2load balancer name (e.g. xmcyber-97kjg-ext). | keyword |
+| xm_cyber.entity_inventory.elb_v2target_group_name | Elb v2target group name (e.g. xmcyber-97kjg-aext). | keyword |
+| xm_cyber.entity_inventory.encryption | Encryption (e.g. True). | boolean |
+| xm_cyber.entity_inventory.encryption_key | Encryption key (e.g. arn:aws:kms:us-east-1:908522078858:alias/aws/s3). | keyword |
+| xm_cyber.entity_inventory.encryption_type | Encryption type (e.g. AES256). | keyword |
+| xm_cyber.entity_inventory.endpoint_address | Endpoint address (e.g. redshift-cluster.c8ri4vjslsze.us-west-1.redshift.amazonaws.com). | keyword |
+| xm_cyber.entity_inventory.endpoint_port | Endpoint port (e.g. 5439). | long |
+| xm_cyber.entity_inventory.engine | Engine (e.g. redis). | keyword |
+| xm_cyber.entity_inventory.engine_version | Engine version (e.g. 7.1.0). | keyword |
+| xm_cyber.entity_inventory.entity_details.id | Inner entity details identifier. | keyword |
+| xm_cyber.entity_inventory.entity_details.is_asset | Whether the inner entity is marked as a critical asset. | boolean |
+| xm_cyber.entity_inventory.entity_details.name | Inner entity details name. | keyword |
+| xm_cyber.entity_inventory.entity_details.sub_type | Inner entity details subtype value. | keyword |
+| xm_cyber.entity_inventory.entity_details.sub_type_display_name | Inner entity details subtype display label. | keyword |
+| xm_cyber.entity_inventory.entity_type | Entity type discriminator (e.g., agent, azureUser, awsSsmParameter). 
| keyword | +| xm_cyber.entity_inventory.environment_image | Environment image (e.g. aws/codebuild/amazonlinux-x86_64-standard:5.0). | keyword | +| xm_cyber.entity_inventory.environment_type | Environment type (e.g. LINUX_CONTAINER). | keyword | +| xm_cyber.entity_inventory.expire_at | Expire at (e.g. 2026-07-05T10:41:14.000Z). | date | +| xm_cyber.entity_inventory.first_seen | First observation time reported for the entity. | date | +| xm_cyber.entity_inventory.fqdn | Fqdn (e.g. vpndc.vpn.Corporate.xm). | keyword | +| xm_cyber.entity_inventory.gp_link | Gp link (e.g. [LDAP://CN=\{31B2F340-016D-11D2-945F-00C04FB984F9\},CN=Policies,CN=System,DC=vpn,D). | keyword | +| xm_cyber.entity_inventory.guid | Guid (e.g. \{C624BD51-11AA-4646-BD13-C752853BD2DA\}). | keyword | +| xm_cyber.entity_inventory.has_matching_sid | Whether the entity has a matching SID in another directory source. | boolean | +| xm_cyber.entity_inventory.has_update_available | Whether an update is available for the entity (e.g., agent upgrade). | boolean | +| xm_cyber.entity_inventory.host_ip | Host ip (e.g. 192.168.5.97). | ip | +| xm_cyber.entity_inventory.iam_unique_id | Iam unique id (e.g. AROA5HCBCYKFFYRQOIDLG). | keyword | +| xm_cyber.entity_inventory.id | Vendor-provided unique identifier for the entity record. | keyword | +| xm_cyber.entity_inventory.image_pull_secrets_name | Image pull secrets name (e.g. ["xm-dockerhub-secret"]). | keyword | +| xm_cyber.entity_inventory.image_pull_secrets_name_to_display | Image pull secrets name to display (e.g. [ null ]). | keyword | +| xm_cyber.entity_inventory.images | Images (e.g. [ "xmcyber/sensor:1.50.1" ]). | keyword | +| xm_cyber.entity_inventory.images_to_display | Images to display (e.g. [ "docker.io/rancher/mirrored-metrics-server@sha256:89258156d0e9af60403eafd44d). | keyword | +| xm_cyber.entity_inventory.imported_labels | Imported labels associated with the entity. 
| keyword | +| xm_cyber.entity_inventory.installation_id | Installation identifier reported for the entity. | keyword | +| xm_cyber.entity_inventory.instance_id | Instance id (e.g. i-00d0af67458cb4d24). | keyword | +| xm_cyber.entity_inventory.ipv4 | IPv4 addresses reported for the entity as strings. | keyword | +| xm_cyber.entity_inventory.ipv4_buffer.data | IPv4 address data as an array of integers. | long | +| xm_cyber.entity_inventory.ipv4_buffer.type | Buffer indicator value, typically "Buffer". | keyword | +| xm_cyber.entity_inventory.ipv4num | IPv4 addresses reported for the entity as 32-bit integers. | long | +| xm_cyber.entity_inventory.ipv4str | IPv4 addresses reported for the entity as strings. | ip | +| xm_cyber.entity_inventory.ipv6 | IPv6 addresses reported for the entity. | keyword | +| xm_cyber.entity_inventory.ipv6_buffer.data | IPv6 address data as an array of integers. | long | +| xm_cyber.entity_inventory.ipv6_buffer.type | Buffer indicator value, typically "Buffer". | keyword | +| xm_cyber.entity_inventory.ipv6str | IPv6 addresses reported for the entity as strings. | ip | +| xm_cyber.entity_inventory.is_highly_privileged | Is highly privileged (e.g. False). | boolean | +| xm_cyber.entity_inventory.is_mfaenabled | Is mfaenabled (e.g. False). | boolean | +| xm_cyber.entity_inventory.is_owner | Is owner (e.g. No). | keyword | +| xm_cyber.entity_inventory.is_public | Is public (e.g. True). | boolean | +| xm_cyber.entity_inventory.is_running | Is running (e.g. False). | boolean | +| xm_cyber.entity_inventory.is_valid | Is valid (e.g. True). | boolean | +| xm_cyber.entity_inventory.is_watched | Is watched (e.g. False). | boolean | +| xm_cyber.entity_inventory.kernel_version | Kernel version (e.g. 6.17.5-200.fc42.x86_64). | keyword | +| xm_cyber.entity_inventory.kms_key_aliases | KMS key alias names associated with the entity. | keyword | +| xm_cyber.entity_inventory.kms_key_creation_date | Time at which the KMS key was created. 
| date | +| xm_cyber.entity_inventory.kms_key_description | KMS key description string. | keyword | +| xm_cyber.entity_inventory.kms_key_manager | KMS key manager (e.g., AWS, CUSTOMER). | keyword | +| xm_cyber.entity_inventory.kms_key_origin | KMS key origin (e.g., AWS_KMS, EXTERNAL). | keyword | +| xm_cyber.entity_inventory.kms_key_state | Current KMS key state. | keyword | +| xm_cyber.entity_inventory.kms_key_usage | KMS key usage (e.g., ENCRYPT_DECRYPT, SIGN_VERIFY). | keyword | +| xm_cyber.entity_inventory.kube_proxy_version | Kube proxy version (e.g. ). | keyword | +| xm_cyber.entity_inventory.kubelet_version | Kubelet version (e.g. v1.33.6+k3s1). | keyword | +| xm_cyber.entity_inventory.kubernetes_annotations | Kubernetes annotations (e.g. \{\}). | keyword | +| xm_cyber.entity_inventory.kubernetes_labels | Kubernetes labels (e.g. ["name: xm-sensor", "app.kubernetes.io/instance: xmcyber-sensor", "pod-template-). | keyword | +| xm_cyber.entity_inventory.labels | Vendor labels attached to the entity (array of id/type pairs). | flattened | +| xm_cyber.entity_inventory.lambda_description | Lambda description (e.g. dddd). | keyword | +| xm_cyber.entity_inventory.lambda_runtime | Lambda runtime (e.g. nodejs20.x). | keyword | +| xm_cyber.entity_inventory.lambda_version | Lambda version (e.g. $LATEST). | keyword | +| xm_cyber.entity_inventory.last_activity_date | Last activity date (e.g. 2025-04-03T22:20:42.000Z). | date | +| xm_cyber.entity_inventory.last_connection_time | Last time the entity (typically a managed device) connected to XM Cyber. | date | +| xm_cyber.entity_inventory.last_disconnection_reason | Reason the entity last disconnected. | keyword | +| xm_cyber.entity_inventory.last_modified | Last modified (e.g. 2025-09-24T10:10:32.413Z). | date | +| xm_cyber.entity_inventory.last_reboot_time | Last reboot time reported for the entity. | date | +| xm_cyber.entity_inventory.last_running_time | Last running time (e.g. 2026-05-06T09:05:15.079Z). 
| date | +| xm_cyber.entity_inventory.last_status_change | Time of the most recent status change for the entity. | date | +| xm_cyber.entity_inventory.last_updated_at | Time at which the entity record was last updated by XM Cyber. | date | +| xm_cyber.entity_inventory.latest_possible_agent_version.build | Build (e.g. 0). | long | +| xm_cyber.entity_inventory.latest_possible_agent_version.major | Latest possible agent version major component. | long | +| xm_cyber.entity_inventory.latest_possible_agent_version.minor | Latest possible agent version minor component. | long | +| xm_cyber.entity_inventory.latest_possible_agent_version.patch | Latest possible agent version patch component. | long | +| xm_cyber.entity_inventory.latest_possible_agent_version_str | Latest agent version available for the entity as a string. | keyword | +| xm_cyber.entity_inventory.launch_template_id | Launch template id (e.g. lt-056da5bfafc08dfb7). | keyword | +| xm_cyber.entity_inventory.launch_template_name | Launch template name (e.g. shani). | keyword | +| xm_cyber.entity_inventory.machine_account_quota | Machine account quota (e.g. 10). | long | +| xm_cyber.entity_inventory.machine_id | Vendor machine identifier when reported. | keyword | +| xm_cyber.entity_inventory.metadata | Metadata associated with the entity. | flattened | +| xm_cyber.entity_inventory.name | Vendor name of the entity (hostname for devices, principal name for identities, etc.). | keyword | +| xm_cyber.entity_inventory.name_uppercase | Entity name normalised to uppercase for case-insensitive matching. | keyword | +| xm_cyber.entity_inventory.namespace | Namespace (e.g. haxm). | keyword | +| xm_cyber.entity_inventory.node_images.names | Names (e.g. ["docker.io/rancher/mirrored-metrics-server@sha256:89258156d0e9af60403eafd44da96). | keyword | +| xm_cyber.entity_inventory.node_images.size_in_bytes | Size in bytes (e.g. 22493802). | long | +| xm_cyber.entity_inventory.node_name | Node name (e.g. 
udoawslinux03.eu-north-1.compute.internal). | keyword | +| xm_cyber.entity_inventory.nodes_in_node_group_count | Nodes in node group count (e.g. 0). | long | +| xm_cyber.entity_inventory.not_included_in_attacks | Whether the entity is excluded from attack-path simulations. | boolean | +| xm_cyber.entity_inventory.not_reported_by_south_at | Not reported by south at (e.g. null). | keyword | +| xm_cyber.entity_inventory.object_class | Object class (e.g. domainDNS). | keyword | +| xm_cyber.entity_inventory.organization_id | XM Cyber organization identifier. | keyword | +| xm_cyber.entity_inventory.os.distribution_name | OS distribution name (e.g., centos, ubuntu). | keyword | +| xm_cyber.entity_inventory.os.distribution_version | OS distribution version string. | keyword | +| xm_cyber.entity_inventory.os.name | Full OS name string as reported by XM Cyber. | keyword | +| xm_cyber.entity_inventory.os.service_pack.build | OS service pack build component. | long | +| xm_cyber.entity_inventory.os.service_pack.major | OS service pack major component. | long | +| xm_cyber.entity_inventory.os.service_pack.minor | OS service pack minor component. | long | +| xm_cyber.entity_inventory.os.service_pack.patch | OS service pack patch component. | long | +| xm_cyber.entity_inventory.os.version.build | OS version build component. | long | +| xm_cyber.entity_inventory.os.version.major | OS version major component. | long | +| xm_cyber.entity_inventory.os.version.minor | OS version minor component. | long | +| xm_cyber.entity_inventory.os.version.patch | OS version patch component. | long | +| xm_cyber.entity_inventory.os_image | Os image (e.g. Fedora Linux 42 (Adams)). | keyword | +| xm_cyber.entity_inventory.os_type | Top-level OS type discriminator string. | keyword | +| xm_cyber.entity_inventory.os_version_str | Os version str (e.g. 10.0.19045). | keyword | +| xm_cyber.entity_inventory.owner_references.block_owner_deletion | Block owner deletion (e.g. True). 
| boolean | +| xm_cyber.entity_inventory.owner_references.controller | Controller (e.g. True). | boolean | +| xm_cyber.entity_inventory.owner_references.kind | Kind (e.g. ReplicaSet). | keyword | +| xm_cyber.entity_inventory.owner_references.name | Name (e.g. xmcyber-sensor-85f5586455). | keyword | +| xm_cyber.entity_inventory.owner_references.uid | Uid (e.g. 8c5aa788-5284-4807-a918-f1d3d9445c7f). | keyword | +| xm_cyber.entity_inventory.owner_references_to_display | Owner references to display (e.g. [ \{ "blockOwnerDeletion": true, "controller": true, "kind": "Repli). | keyword | +| xm_cyber.entity_inventory.password_hash | Password hash (e.g. 147317149651d67246e5e5f0de7f72b6c26ee1855f5eb10d33ace6df8adb6ed39742f1523b7e9613). | keyword | +| xm_cyber.entity_inventory.pod_ip | Pod ip (e.g. 10.42.0.10). | ip | +| xm_cyber.entity_inventory.product_type | Vendor product type string. | keyword | +| xm_cyber.entity_inventory.public | Public (e.g. False). | boolean | +| xm_cyber.entity_inventory.redshift_cluster_availability_status | Redshift cluster availability status (e.g. Available). | keyword | +| xm_cyber.entity_inventory.redshift_cluster_cluster_version | Redshift cluster cluster version (e.g. 1.0). | keyword | +| xm_cyber.entity_inventory.redshift_cluster_create_time | Redshift cluster create time (e.g. 2025-11-10T09:42:02.804Z). | date | +| xm_cyber.entity_inventory.redshift_cluster_db_name | Redshift cluster db name (e.g. dev). | keyword | +| xm_cyber.entity_inventory.redshift_cluster_identifier | Redshift cluster identifier (e.g. redshift-cluster). | keyword | +| xm_cyber.entity_inventory.redshift_cluster_number_of_nodes | Redshift cluster number of nodes (e.g. 1). | long | +| xm_cyber.entity_inventory.redshift_cluster_private_ipaddress | Redshift cluster private ipaddress (e.g. 10.0.1.198). | ip | +| xm_cyber.entity_inventory.redshift_cluster_public_ipaddress | Redshift cluster public ipaddress (e.g. 52.8.99.248). 
| ip | +| xm_cyber.entity_inventory.redshift_cluster_subnet_group_name | Redshift cluster subnet group name (e.g. discoverandresetpasswordnotpublicredshiftwithreachableec2-redshiftvpcsubnetgroup). | keyword | +| xm_cyber.entity_inventory.redshift_cluster_vpc_id | Redshift cluster vpc id (e.g. vpc-05de6e857850c05f3). | keyword | +| xm_cyber.entity_inventory.region | Cloud region associated with the entity. | keyword | +| xm_cyber.entity_inventory.remote_address | Remote address reported for the entity. | keyword | +| xm_cyber.entity_inventory.repository_name | Repository name (e.g. test). | keyword | +| xm_cyber.entity_inventory.resource_version | Resource version (e.g. 1070). | keyword | +| xm_cyber.entity_inventory.restart_policy | Restart policy (e.g. Always). | keyword | +| xm_cyber.entity_inventory.role_description | Role description (e.g. Allows EC2 instances to call AWS services on your behalf.). | keyword | +| xm_cyber.entity_inventory.role_max_session_duration | Role max session duration (e.g. 3600). | long | +| xm_cyber.entity_inventory.rule_display_name | Display name of the matching rule when reported. | keyword | +| xm_cyber.entity_inventory.rules.api_groups | Api groups (e.g. [""]). | keyword | +| xm_cyber.entity_inventory.rules.resource_names | Resource names (e.g. ["kube-controller-manager"]). | keyword | +| xm_cyber.entity_inventory.rules.resources | Resources (e.g. ["configmaps"]). | keyword | +| xm_cyber.entity_inventory.rules.verbs | Verbs (e.g. ["watch"]). | keyword | +| xm_cyber.entity_inventory.rules_to_display | Rules to display (e.g. [ \{ "apiGroups": [ "" ], "resources": [ "configmaps" ). | keyword | +| xm_cyber.entity_inventory.secret_description | Description of the AWS Secrets Manager secret. | keyword | +| xm_cyber.entity_inventory.secret_kms_key_id | KMS key identifier protecting the secret. | keyword | +| xm_cyber.entity_inventory.secret_names | Secret names (e.g. []). 
| keyword | +| xm_cyber.entity_inventory.secret_rotation_lambda_arn | Secret rotation lambda arn (e.g. arn:aws:lambda:eu-west-1:908522078858:function:orisRotation). | keyword | +| xm_cyber.entity_inventory.secret_type | Secret type (e.g. helm.sh/release.v1). | keyword | +| xm_cyber.entity_inventory.security_context | Security context (e.g. \{ "fsGroup": 1031, "runAsNonRoot": true, "runAsUser": 1031, "seccompProf). | keyword | +| xm_cyber.entity_inventory.security_flags | Security flags reported for the entity. | flattened | +| xm_cyber.entity_inventory.security_flags_for_display.expires | Expiration value of the security flag, if any. | keyword | +| xm_cyber.entity_inventory.security_flags_for_display.key | Security flag key. | keyword | +| xm_cyber.entity_inventory.security_flags_for_display.reason | Security flag reason. | keyword | +| xm_cyber.entity_inventory.security_group_name | Security group name (e.g. vulnerable-sg-0cb516b). | keyword | +| xm_cyber.entity_inventory.service_account | Service account (e.g. xm-service-account). | keyword | +| xm_cyber.entity_inventory.service_account_name | Service account name (e.g. xm-service-account). | keyword | +| xm_cyber.entity_inventory.service_role | Service role (e.g. arn:aws:iam::908522078858:role/service-role/codebuild-yadgartest-service-role). | keyword | +| xm_cyber.entity_inventory.service_spec.allocate_load_balancer_node_ports | Allocate load balancer node ports (e.g. True). | boolean | +| xm_cyber.entity_inventory.service_spec.cluster_ip | Cluster ip (e.g. 10.43.227.17). | ip | +| xm_cyber.entity_inventory.service_spec.cluster_ips | Cluster ips (e.g. ["10.43.227.17"]). | ip | +| xm_cyber.entity_inventory.service_spec.external_ips | External ips (e.g. []). | keyword | +| xm_cyber.entity_inventory.service_spec.external_name | External name (e.g. ). | keyword | +| xm_cyber.entity_inventory.service_spec.external_traffic_policy | External traffic policy (e.g. Cluster). 
| keyword | +| xm_cyber.entity_inventory.service_spec.health_check_node_port | Health check node port (e.g. 0). | long | +| xm_cyber.entity_inventory.service_spec.internal_traffic_policy | Internal traffic policy (e.g. Cluster). | keyword | +| xm_cyber.entity_inventory.service_spec.ip_families | Ip families (e.g. ["IPv4"]). | keyword | +| xm_cyber.entity_inventory.service_spec.ip_family_policy | Ip family policy (e.g. PreferDualStack). | keyword | +| xm_cyber.entity_inventory.service_spec.load_balancer_class | Load balancer class (e.g. ). | keyword | +| xm_cyber.entity_inventory.service_spec.load_balancer_ip | Load balancer ip (e.g. ). | keyword | +| xm_cyber.entity_inventory.service_spec.load_balancer_source_ranges | Load balancer source ranges (e.g. []). | keyword | +| xm_cyber.entity_inventory.service_spec.ports.app_protocol | App protocol (e.g. ). | keyword | +| xm_cyber.entity_inventory.service_spec.ports.name | Name (e.g. web). | keyword | +| xm_cyber.entity_inventory.service_spec.ports.node_port | Node port (e.g. 32570). | long | +| xm_cyber.entity_inventory.service_spec.ports.port | Port (e.g. 80). | long | +| xm_cyber.entity_inventory.service_spec.ports.protocol | Protocol (e.g. TCP). | keyword | +| xm_cyber.entity_inventory.service_spec.ports.target_port | Target port (e.g. web). | keyword | +| xm_cyber.entity_inventory.service_spec.publish_not_ready_addresses | Publish not ready addresses (e.g. False). | boolean | +| xm_cyber.entity_inventory.service_spec.selector | Selector (e.g. \{"app.kubernetes.io/instance": "traefik-kube-system", "app.kubernetes.io/name": ). | flattened | +| xm_cyber.entity_inventory.service_spec.session_affinity | Session affinity (e.g. None). | keyword | +| xm_cyber.entity_inventory.service_spec.session_affinity_config.client_ip.timeout_seconds | Timeout seconds (e.g. 0). | long | +| xm_cyber.entity_inventory.service_spec.type | Type (e.g. LoadBalancer). | keyword | +| xm_cyber.entity_inventory.sid | Sid (e.g. 
S-1-5-21-3955220616-103436932-1560667138). | keyword | +| xm_cyber.entity_inventory.south_owner | South component owner identifier when reported. | keyword | +| xm_cyber.entity_inventory.spec.controller | Controller (e.g. traefik.io/ingress-controller). | keyword | +| xm_cyber.entity_inventory.spec.parameters.group | Group (e.g. ). | keyword | +| xm_cyber.entity_inventory.spec.parameters.kind | Kind (e.g. ). | keyword | +| xm_cyber.entity_inventory.spec.parameters.name | Name (e.g. ). | keyword | +| xm_cyber.entity_inventory.spec.parameters.namespace | Namespace (e.g. ). | keyword | +| xm_cyber.entity_inventory.sqs_queue_arn | Sqs queue arn (e.g. arn:aws:sqs:us-east-1:908522078858:roi-yadgar-queue). | keyword | +| xm_cyber.entity_inventory.sqs_queue_created_timestamp | Sqs queue created timestamp (e.g. 1735769555). | keyword | +| xm_cyber.entity_inventory.sqs_queue_last_modified_date | Sqs queue last modified date (e.g. 1970-01-21T02:09:29.642Z). | date | +| xm_cyber.entity_inventory.sqs_queue_last_modified_timestamp | Sqs queue last modified timestamp (e.g. 1735769642). | keyword | +| xm_cyber.entity_inventory.sqs_queue_name | Sqs queue name (e.g. roi-yadgar-queue). | keyword | +| xm_cyber.entity_inventory.sqs_queue_url | Sqs queue url (e.g. https://sqs.us-east-1.amazonaws.com/908522078858/roi-yadgar-queue). | keyword | +| xm_cyber.entity_inventory.ssm_parameter_data_type | SSM parameter data type. | keyword | +| xm_cyber.entity_inventory.ssm_parameter_description | SSM parameter description. | keyword | +| xm_cyber.entity_inventory.ssm_parameter_key_id | KMS key id used to encrypt the SSM parameter. | keyword | +| xm_cyber.entity_inventory.ssm_parameter_last_modified_date | Last modification time of the SSM parameter. | date | +| xm_cyber.entity_inventory.ssm_parameter_last_modified_user | User who last modified the SSM parameter. | keyword | +| xm_cyber.entity_inventory.ssm_parameter_name | SSM parameter name. 
| keyword | +| xm_cyber.entity_inventory.ssm_parameter_tier | SSM parameter tier. | keyword | +| xm_cyber.entity_inventory.ssm_parameter_type | SSM parameter type (String, StringList, SecureString). | keyword | +| xm_cyber.entity_inventory.ssm_parameter_version | SSM parameter version number. | long | +| xm_cyber.entity_inventory.state | State (e.g. In-use). | keyword | +| xm_cyber.entity_inventory.status | Entity operational status string when reported. | keyword | +| xm_cyber.entity_inventory.system_uuid | System uuid (e.g. a3a7d001-bc73-48bd-0609-c63b9d59ff7d). | keyword | +| xm_cyber.entity_inventory.tags_str | Vendor-provided tags reported as plain strings. | keyword | +| xm_cyber.entity_inventory.time_to_revive_at | Time at which the entity is scheduled to be revived. | date | +| xm_cyber.entity_inventory.top_owner_name | Top owner name (e.g. xmcyber-sensor). | keyword | +| xm_cyber.entity_inventory.type | Vendor type discriminator returned alongside `entity_type`. | keyword | +| xm_cyber.entity_inventory.type_display_name | Human-readable label for `type`. | keyword | +| xm_cyber.entity_inventory.uid | Uid (e.g. 27c684bf-90ea-40c2-8e61-65e5f4156b2b). | keyword | +| xm_cyber.entity_inventory.use_type | Vendor `useType` discriminator. | keyword | +| xm_cyber.entity_inventory.user_access_keys_count | User access keys count (e.g. 0). | long | +| xm_cyber.entity_inventory.user_name | User name (e.g. wdagutilityaccount). | keyword | +| xm_cyber.entity_inventory.version_number | Version number (e.g. 1). | long | +| xm_cyber.entity_inventory.vpc_config.ipv6allowed_for_dual_stack | Ipv6allowed for dual stack (e.g. False). | boolean | +| xm_cyber.entity_inventory.vpc_config.security_group_ids | Security group ids (e.g. []). | keyword | +| xm_cyber.entity_inventory.vpc_config.subnet_ids | Subnet ids (e.g. []). | keyword | +| xm_cyber.entity_inventory.vpc_config.vpc_id | Vpc id (e.g. ). | keyword | +| xm_cyber.entity_inventory.when_created | When created (e.g. 
2020-03-27T20:42:23.000Z). | date | +| xm_cyber.entity_inventory.xm_labels | XM Cyber managed labels attached to the entity. | flattened | +| xm_cyber.entity_inventory.xm_mongo_update_time | Xm mongo update time (e.g. 2026-05-06T10:43:14.469Z). | date | +| xm_cyber.entity_inventory.xm_provider_account | XM Cyber provider account identifier. | keyword | +| xm_cyber.entity_inventory.xm_update_time | Time at which XM Cyber last updated the entity record. | date | +| xm_cyber.entity_inventory.yaml_representation | Yaml representation (e.g. metadata: annotations: meta.helm.sh/release-name: "traefik" meta.helm.). | keyword | + + +### Example event + +#### Entity Inventory + +An example event for `entity_inventory` looks as following: + +```json +{ + "@timestamp": "2026-05-05T21:05:15.079Z", + "agent": { + "ephemeral_id": "6c1ebfc4-c22b-499c-b0d4-5e5f1e426c06", + "id": "1845b4e9-3751-4e02-b895-a3f1bcf9a334", + "name": "elastic-agent-15257", + "type": "filebeat", + "version": "8.18.0" + }, + "cloud": { + "account": { + "id": "702947630755", + "name": "xm-test3" + }, + "instance": { + "name": "/CodeBuild/accessKeys" + }, + "region": "us-east-1" + }, + "data_stream": { + "dataset": "xm_cyber.entity_inventory", + "namespace": "59138", + "type": "logs" + }, + "ecs": { + "version": "9.3.0" + }, + "elastic_agent": { + "id": "1845b4e9-3751-4e02-b895-a3f1bcf9a334", + "snapshot": false, + "version": "8.18.0" + }, + "event": { + "agent_id_status": "verified", + "dataset": "xm_cyber.entity_inventory", + "id": "awsSsmParameter-arn:aws:ssm:us-east-1:702947630755:parameter/CodeBuild/accessKeys", + "ingested": "2026-06-18T10:55:25Z", + "kind": "asset", + "original": 
"{\"accountId\":\"702947630755\",\"accountName\":\"xm-test3\",\"arn\":\"arn:aws:ssm:us-east-1:702947630755:parameter/CodeBuild/accessKeys\",\"category\":\"Cloud\",\"customProperties\":{\"domainWorkgroup\":{\"data\":\"AWS/702947630755\",\"type\":\"domain\"},\"ouComputer\":\"AWS/702947630755/us-east-1/SSM/ParameterMetadata\",\"ouUser\":\"AWS/702947630755/SSM/ParameterMetadata\",\"subnetInfo\":\"AWS_702947630755_us-east-1\"},\"disabled\":false,\"displayName\":\"/CodeBuild/accessKeys\",\"entityDetails\":{\"id\":\"awsSsmParameter-arn:aws:ssm:us-east-1:702947630755:parameter/CodeBuild/accessKeys\",\"isAsset\":null,\"name\":\"/CodeBuild/accessKeys\",\"subType\":\"awsSsmParameter\",\"subTypeDisplayName\":\"AWS SSM Parameter\"},\"entityType\":\"AwsSsmParameterEntity\",\"id\":\"awsSsmParameter-arn:aws:ssm:us-east-1:702947630755:parameter/CodeBuild/accessKeys\",\"name\":\"/CodeBuild/accessKeys\",\"notIncludedInAttacks\":false,\"organizationId\":\"o-wvjziar78j\",\"region\":\"us-east-1\",\"ruleDisplayName\":\"702947630755 / /CodeBuild/accessKeys\",\"ssmParameterDataType\":\"text\",\"ssmParameterKeyId\":\"alias/aws/ssm\",\"ssmParameterLastModifiedDate\":\"2020-07-19T09:53:58.629Z\",\"ssmParameterLastModifiedUser\":\"arn:aws:sts::702947630755:assumed-role/AWSReservedSSO_AdministratorAccess_4b70f7a69b186776/zur@xmcyber.com\",\"ssmParameterName\":\"/CodeBuild/accessKeys\",\"ssmParameterTier\":\"Standard\",\"ssmParameterType\":\"SecureString\",\"ssmParameterVersion\":1,\"status\":\"active\",\"type\":\"awsSsmParameter\",\"typeDisplayName\":\"AWS SSM Parameter\",\"useType\":\"Storage\",\"xmProviderAccount\":\"xm-test3\",\"xmUpdateTime\":\"2026-05-05T21:05:15.079Z\"}" + }, + "input": { + "type": "cel" + }, + "organization": { + "id": "o-wvjziar78j" + }, + "related": { + "hosts": [ + "arn:aws:ssm:us-east-1:702947630755:parameter/CodeBuild/accessKeys", + "/CodeBuild/accessKeys" + ] + }, + "tags": [ + "preserve_original_event", + "forwarded", + "xm_cyber-entity_inventory" + ], + 
"xm_cyber": { + "entity_inventory": { + "arn": "arn:aws:ssm:us-east-1:702947630755:parameter/CodeBuild/accessKeys", + "category": "Cloud", + "custom_properties": { + "domain_workgroup": { + "data": "AWS/702947630755", + "type": "domain" + }, + "ou_computer": "AWS/702947630755/us-east-1/SSM/ParameterMetadata", + "ou_user": "AWS/702947630755/SSM/ParameterMetadata", + "subnet_info": "AWS_702947630755_us-east-1" + }, + "disabled": false, + "display_name": "/CodeBuild/accessKeys", + "entity_details": { + "id": "awsSsmParameter-arn:aws:ssm:us-east-1:702947630755:parameter/CodeBuild/accessKeys", + "name": "/CodeBuild/accessKeys", + "sub_type": "awsSsmParameter", + "sub_type_display_name": "AWS SSM Parameter" + }, + "entity_type": "AwsSsmParameterEntity", + "name": "/CodeBuild/accessKeys", + "not_included_in_attacks": false, + "rule_display_name": "702947630755 / /CodeBuild/accessKeys", + "ssm_parameter_data_type": "text", + "ssm_parameter_key_id": "alias/aws/ssm", + "ssm_parameter_last_modified_date": "2020-07-19T09:53:58.629Z", + "ssm_parameter_last_modified_user": "arn:aws:sts::702947630755:assumed-role/AWSReservedSSO_AdministratorAccess_4b70f7a69b186776/zur@xmcyber.com", + "ssm_parameter_name": "/CodeBuild/accessKeys", + "ssm_parameter_tier": "Standard", + "ssm_parameter_type": "SecureString", + "ssm_parameter_version": 1, + "status": "active", + "type": "awsSsmParameter", + "type_display_name": "AWS SSM Parameter", + "use_type": "Storage", + "xm_provider_account": "xm-test3" + } + } +} +``` + ### Inputs used These inputs can be used with this integration: 
@@ -410,7 +896,8 @@ These XM Cyber REST API endpoints are used by this integration:
 | `/api/refresh-token` | POST | all | Refresh an expired access token |
 | `/api/audit-trail/auditRecords` | GET | `audit_trail` | Audit Records |
 | `/api/v2/vrm/public/vulnerabilities` | GET | `vulnerabilities` | Paginated exposure rows (attack techniques / CVE context) |
+| `/api/entityInventory/entities` | GET | `entity_inventory` | List entities (devices, identities, cloud resources) tracked by XM Cyber |
 
 ### ILM Policy
 
-To facilitate vulnerability data stream-backed indices `.ds-logs-xm_cyber.vulnerability-*` is allowed to contain duplicates from each polling interval. ILM policies `logs-xm_cyber.vulnerability-default_policy` is added to these source indices, so it doesn't lead to unbounded growth. This means that in these source indices data will be deleted after `30 days` from ingested date.
\ No newline at end of file
+To facilitate vulnerability data stream-backed indices `.ds-logs-xm_cyber.vulnerability-*` is allowed to contain duplicates from each polling interval. ILM policies `logs-xm_cyber.vulnerability-default_policy` is added to these source indices, so it doesn't lead to unbounded growth. This means that in these source indices data will be deleted after `30 days` from ingested date.
diff --git a/packages/xm_cyber/img/xm_cyber-entity_inventory.png b/packages/xm_cyber/img/xm_cyber-entity_inventory.png
new file mode 100644
index 00000000000..14f914b234e
Binary files /dev/null and b/packages/xm_cyber/img/xm_cyber-entity_inventory.png differ
diff --git a/packages/xm_cyber/kibana/dashboard/xm_cyber-2170babe-e0a3-4289-a13b-fcb606f812a7.json b/packages/xm_cyber/kibana/dashboard/xm_cyber-2170babe-e0a3-4289-a13b-fcb606f812a7.json
new file mode 100644
index 00000000000..bf95c530ce1
--- /dev/null
+++ b/packages/xm_cyber/kibana/dashboard/xm_cyber-2170babe-e0a3-4289-a13b-fcb606f812a7.json
@@ -0,0 +1,3886 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": { + "ignoreFilters": false, + "ignoreQuery": false, + "ignoreTimerange": false, + "ignoreValidations": false + }, + "panelsJSON": { + "1d58b1f7-2273-48a8-9eb5-f09422f763a3": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "xm_cyber.entity_inventory.is_public", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Is Public" + }, + "grow": false, + "order": 0, + "type": "optionsListControl", + "width": "medium" + }, + "4a239899-f798-43a3-9db3-0ad444a5ec2b": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "xm_cyber.entity_inventory.not_included_in_attacks", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Not Included in Attacks" + }, + "grow": false, + "order": 3, + "type": "optionsListControl", + "width": "medium" + }, + "7cade5b5-355a-4a5b-aab7-8fff05f0c6dd": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "xm_cyber.entity_inventory.disabled", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Disabled" + }, + "grow": false, + "order": 1, + "type": "optionsListControl", + "width": "medium" + }, + "aff6deba-9336-4909-aecf-04734a894bd1": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "xm_cyber.entity_inventory.is_highly_privileged", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Highly Privileged" + }, + "grow": false, + "order": 2, + "type": "optionsListControl", + "width": "medium" + } + }, + "showApplySelections": false + }, + "description": "Overview of Entity Inventory events from XM Cyber.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + 
"filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "xm_cyber.entity_inventory" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "xm_cyber.entity_inventory" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-939033bc-4e51-4ec8-abb1-72c230de7fce", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "939033bc-4e51-4ec8-abb1-72c230de7fce": { + "columnOrder": [ + "2ac7985a-b6f4-42ee-a06b-55ade77e1d74", + "44f60f5a-8f12-4c0a-a6e2-bf46309b5d13" + ], + "columns": { + "2ac7985a-b6f4-42ee-a06b-55ade77e1d74": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Entity Type", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "44f60f5a-8f12-4c0a-a6e2-bf46309b5d13", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "xm_cyber.entity_inventory.entity_type" + }, + "44f60f5a-8f12-4c0a-a6e2-bf46309b5d13": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + 
"sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "xm_cyber.entity_inventory" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "xm_cyber.entity_inventory" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "44f60f5a-8f12-4c0a-a6e2-bf46309b5d13" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "939033bc-4e51-4ec8-abb1-72c230de7fce", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal_stacked", + "showGridlines": false, + "xAccessor": "2ac7985a-b6f4-42ee-a06b-55ade77e1d74" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false + }, + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, 
+ "params": { + "query": "xm_cyber.entity_inventory" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "xm_cyber.entity_inventory" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": "bb3a7283-ea62-4064-9658-9053f15ca540", + "w": 24, + "x": 0, + "y": 81 + }, + "panelIndex": "bb3a7283-ea62-4064-9658-9053f15ca540", + "title": "Entities by Entity Type", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-939033bc-4e51-4ec8-abb1-72c230de7fce", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "939033bc-4e51-4ec8-abb1-72c230de7fce": { + "columnOrder": [ + "2ac7985a-b6f4-42ee-a06b-55ade77e1d74", + "44f60f5a-8f12-4c0a-a6e2-bf46309b5d13" + ], + "columns": { + "2ac7985a-b6f4-42ee-a06b-55ade77e1d74": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Region", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "44f60f5a-8f12-4c0a-a6e2-bf46309b5d13", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "cloud.region" + }, + "44f60f5a-8f12-4c0a-a6e2-bf46309b5d13": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + 
"indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "xm_cyber.entity_inventory" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "xm_cyber.entity_inventory" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "44f60f5a-8f12-4c0a-a6e2-bf46309b5d13" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "939033bc-4e51-4ec8-abb1-72c230de7fce", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal_stacked", + "showGridlines": false, + "xAccessor": "2ac7985a-b6f4-42ee-a06b-55ade77e1d74" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false + }, + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "xm_cyber.entity_inventory" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": 
"xm_cyber.entity_inventory" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": "13e9f5a9-a6f7-4539-a95c-a9fd5f3a3981", + "w": 24, + "x": 0, + "y": 96 + }, + "panelIndex": "13e9f5a9-a6f7-4539-a95c-a9fd5f3a3981", + "title": "Entities by Region", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-939033bc-4e51-4ec8-abb1-72c230de7fce", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "939033bc-4e51-4ec8-abb1-72c230de7fce": { + "columnOrder": [ + "2ac7985a-b6f4-42ee-a06b-55ade77e1d74", + "44f60f5a-8f12-4c0a-a6e2-bf46309b5d13" + ], + "columns": { + "2ac7985a-b6f4-42ee-a06b-55ade77e1d74": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Availability Zone", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "44f60f5a-8f12-4c0a-a6e2-bf46309b5d13", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "cloud.availability_zone" + }, + "44f60f5a-8f12-4c0a-a6e2-bf46309b5d13": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + 
"id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "xm_cyber.entity_inventory" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "xm_cyber.entity_inventory" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "44f60f5a-8f12-4c0a-a6e2-bf46309b5d13" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "939033bc-4e51-4ec8-abb1-72c230de7fce", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal_stacked", + "showGridlines": false, + "xAccessor": "2ac7985a-b6f4-42ee-a06b-55ade77e1d74" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false + }, + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "xm_cyber.entity_inventory" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "xm_cyber.entity_inventory" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": 
true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": "ea12a2b9-6be5-41b3-b9fe-b2bbedbdaa07", + "w": 24, + "x": 24, + "y": 96 + }, + "panelIndex": "ea12a2b9-6be5-41b3-b9fe-b2bbedbdaa07", + "title": "Entities by Availability Zone", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-939033bc-4e51-4ec8-abb1-72c230de7fce", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "939033bc-4e51-4ec8-abb1-72c230de7fce": { + "columnOrder": [ + "2ac7985a-b6f4-42ee-a06b-55ade77e1d74", + "44f60f5a-8f12-4c0a-a6e2-bf46309b5d13" + ], + "columns": { + "2ac7985a-b6f4-42ee-a06b-55ade77e1d74": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "State", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "44f60f5a-8f12-4c0a-a6e2-bf46309b5d13", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "xm_cyber.entity_inventory.state" + }, + "44f60f5a-8f12-4c0a-a6e2-bf46309b5d13": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [ + { + "$state": { + 
"store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "xm_cyber.entity_inventory" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "xm_cyber.entity_inventory" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "44f60f5a-8f12-4c0a-a6e2-bf46309b5d13" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "939033bc-4e51-4ec8-abb1-72c230de7fce", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal_stacked", + "showGridlines": false, + "xAccessor": "2ac7985a-b6f4-42ee-a06b-55ade77e1d74" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false + }, + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "xm_cyber.entity_inventory" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "xm_cyber.entity_inventory" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": "20eb9702-3c05-4cb2-8853-78f00d9cacee", + "w": 24, + "x": 0, + "y": 
111 + }, + "panelIndex": "20eb9702-3c05-4cb2-8853-78f00d9cacee", + "title": "Entities by State", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-939033bc-4e51-4ec8-abb1-72c230de7fce", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "939033bc-4e51-4ec8-abb1-72c230de7fce": { + "columnOrder": [ + "2ac7985a-b6f4-42ee-a06b-55ade77e1d74", + "44f60f5a-8f12-4c0a-a6e2-bf46309b5d13" + ], + "columns": { + "2ac7985a-b6f4-42ee-a06b-55ade77e1d74": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "OS Distribution", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "44f60f5a-8f12-4c0a-a6e2-bf46309b5d13", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "host.os.name" + }, + "44f60f5a-8f12-4c0a-a6e2-bf46309b5d13": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": 
"data_stream.dataset", + "negate": false, + "params": { + "query": "xm_cyber.entity_inventory" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "xm_cyber.entity_inventory" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "44f60f5a-8f12-4c0a-a6e2-bf46309b5d13" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "939033bc-4e51-4ec8-abb1-72c230de7fce", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal_stacked", + "showGridlines": false, + "xAccessor": "2ac7985a-b6f4-42ee-a06b-55ade77e1d74" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false + }, + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "xm_cyber.entity_inventory" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "xm_cyber.entity_inventory" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": "185ce4bf-18da-489a-a8ec-7d7861bb7206", + "w": 24, + "x": 24, + "y": 111 + }, + "panelIndex": "185ce4bf-18da-489a-a8ec-7d7861bb7206", + "title": "Entities by OS Distribution", + "type": "lens" + }, + { + 
"embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-8a8f908b-2e4c-43f7-beda-c77288b433e9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6a657533-e519-44e3-ba74-601d433057c5", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "8a8f908b-2e4c-43f7-beda-c77288b433e9": { + "columnOrder": [ + "1d5f607f-7c45-48e3-bca2-cee39c676128", + "e4628e63-a6e8-47d4-b2a6-227eef7b930d" + ], + "columns": { + "1d5f607f-7c45-48e3-bca2-cee39c676128": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Category", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "e4628e63-a6e8-47d4-b2a6-227eef7b930d", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 5 + }, + "scale": "ordinal", + "sourceField": "xm_cyber.entity_inventory.category" + }, + "e4628e63-a6e8-47d4-b2a6-227eef7b930d": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "6a657533-e519-44e3-ba74-601d433057c5", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "xm_cyber.entity_inventory" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": 
"xm_cyber.entity_inventory" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "8a8f908b-2e4c-43f7-beda-c77288b433e9", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "e4628e63-a6e8-47d4-b2a6-227eef7b930d" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "1d5f607f-7c45-48e3-bca2-cee39c676128" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "xm_cyber.entity_inventory" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "xm_cyber.entity_inventory" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 14, + "i": "74dac700-d17e-4232-abe8-b6b37aa73cac", + "w": 13, + "x": 12, + "y": 0 + }, + "panelIndex": "74dac700-d17e-4232-abe8-b6b37aa73cac", + "title": "Entities by Category", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-f7c1d5f7-3e11-44a2-bf3c-0a0c9f77ecae", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4eb87047-b28f-48f6-88ef-d88493f37183", + "type": "index-pattern" + } + 
], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "f7c1d5f7-3e11-44a2-bf3c-0a0c9f77ecae": { + "columnOrder": [ + "6e6bb160-8e88-4903-ab7a-e4db943cf07d", + "5dfd9ea3-0850-4830-abcb-f21dc71ef015" + ], + "columns": { + "5dfd9ea3-0850-4830-abcb-f21dc71ef015": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "6e6bb160-8e88-4903-ab7a-e4db943cf07d": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "4eb87047-b28f-48f6-88ef-d88493f37183", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "xm_cyber.entity_inventory" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "xm_cyber.entity_inventory" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "5dfd9ea3-0850-4830-abcb-f21dc71ef015" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "f7c1d5f7-3e11-44a2-bf3c-0a0c9f77ecae", + "layerType": "data", + "position": "top", + "seriesType": "line", + 
"showGridlines": false, + "xAccessor": "6e6bb160-8e88-4903-ab7a-e4db943cf07d" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false + }, + "preferredSeriesType": "line", + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "xm_cyber.entity_inventory" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "xm_cyber.entity_inventory" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 14, + "i": "8b5123ec-e5c1-4925-bb62-d7a98f968e93", + "w": 23, + "x": 25, + "y": 0 + }, + "panelIndex": "8b5123ec-e5c1-4925-bb62-d7a98f968e93", + "title": "Entities over Time", + "type": "lens" + }, + { + "embeddableConfig": { + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "**Overview**\n\nThe XM Cyber Entity Inventory dashboard surfaces a single-pane view of every asset XM Cyber has discovered across your hybrid estate over time, with breakdowns by category, entity type, service type, region, and availability zone to highlight what kinds of assets exist and where they are distributed. 
Views of activity period, public exposure, status, state, architecture, and OS distribution, alongside a table of top domains, hostnames and host ips, users, help analysts quickly spot dormant or never-used identities, exposed surfaces, dominant OS footprints, and the busiest organisational tenants. Filters for public exposure, cloud provider, highly-privileged identities, and attack-simulation inclusion let teams pivot the dashboard to investigate specific cohorts, detect drift, and maintain ongoing inventory visibility across their XM Cyber environment.\n\n**[Integration Page](/app/integrations/detail/xm_cyber)**", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 27, + "i": "2622f103-270f-49f2-9aa0-6867dc793050", + "w": 12, + "x": 0, + "y": 0 + }, + "panelIndex": "2622f103-270f-49f2-9aa0-6867dc793050", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-2fe62e59-0b00-45d9-8760-6e57d256bfdc", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "2fe62e59-0b00-45d9-8760-6e57d256bfdc": { + "columnOrder": [ + "3149e739-439d-4c79-93e0-c4728fc2ebaf", + "7414f858-a33d-4c8e-9c72-cad19d02943c" + ], + "columns": { + "3149e739-439d-4c79-93e0-c4728fc2ebaf": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Activity Period", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "7414f858-a33d-4c8e-9c72-cad19d02943c", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 5 + }, + "scale": "ordinal", + "sourceField": 
"xm_cyber.entity_inventory.activity_period" + }, + "7414f858-a33d-4c8e-9c72-cad19d02943c": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "xm_cyber.entity_inventory" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "xm_cyber.entity_inventory" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "2fe62e59-0b00-45d9-8760-6e57d256bfdc", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "7414f858-a33d-4c8e-9c72-cad19d02943c" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "3149e739-439d-4c79-93e0-c4728fc2ebaf" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": 
"appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "xm_cyber.entity_inventory" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "xm_cyber.entity_inventory" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 13, + "i": "fae43dda-11cf-4de9-9edf-477a15f2e3b3", + "w": 13, + "x": 12, + "y": 14 + }, + "panelIndex": "fae43dda-11cf-4de9-9edf-477a15f2e3b3", + "title": "Entities by Activity Period", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-2fe62e59-0b00-45d9-8760-6e57d256bfdc", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e57ae921-8147-4aa2-a68b-4308a74fac83", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "2fe62e59-0b00-45d9-8760-6e57d256bfdc": { + "columnOrder": [ + "3149e739-439d-4c79-93e0-c4728fc2ebaf", + "7414f858-a33d-4c8e-9c72-cad19d02943c" + ], + "columns": { + "3149e739-439d-4c79-93e0-c4728fc2ebaf": { + "customLabel": true, + "dataType": "boolean", + "isBucketed": true, + "label": "Public Exposure", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "7414f858-a33d-4c8e-9c72-cad19d02943c", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "xm_cyber.entity_inventory.is_public" + }, + "7414f858-a33d-4c8e-9c72-cad19d02943c": { + "customLabel": true, + "dataType": "number", + "isBucketed": 
false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "e57ae921-8147-4aa2-a68b-4308a74fac83", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "xm_cyber.entity_inventory" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "xm_cyber.entity_inventory" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "2fe62e59-0b00-45d9-8760-6e57d256bfdc", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "7414f858-a33d-4c8e-9c72-cad19d02943c" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "3149e739-439d-4c79-93e0-c4728fc2ebaf" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "xm_cyber.entity_inventory" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + 
"data_stream.dataset": "xm_cyber.entity_inventory" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 13, + "i": "f7375387-d8f3-4ea4-b0b2-1477a308e136", + "w": 12, + "x": 25, + "y": 14 + }, + "panelIndex": "f7375387-d8f3-4ea4-b0b2-1477a308e136", + "title": "Entities by Public Exposure", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-2fe62e59-0b00-45d9-8760-6e57d256bfdc", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "2fe62e59-0b00-45d9-8760-6e57d256bfdc": { + "columnOrder": [ + "3149e739-439d-4c79-93e0-c4728fc2ebaf", + "7414f858-a33d-4c8e-9c72-cad19d02943c" + ], + "columns": { + "3149e739-439d-4c79-93e0-c4728fc2ebaf": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "OS Family", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "7414f858-a33d-4c8e-9c72-cad19d02943c", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 5 + }, + "scale": "ordinal", + "sourceField": "host.os.family" + }, + "7414f858-a33d-4c8e-9c72-cad19d02943c": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + 
"indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "xm_cyber.entity_inventory" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "xm_cyber.entity_inventory" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "2fe62e59-0b00-45d9-8760-6e57d256bfdc", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "7414f858-a33d-4c8e-9c72-cad19d02943c" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "3149e739-439d-4c79-93e0-c4728fc2ebaf" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "xm_cyber.entity_inventory" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "xm_cyber.entity_inventory" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 13, + "i": 
"92ef1d7f-491c-43be-9dab-9e684ec1f69c", + "w": 11, + "x": 37, + "y": 14 + }, + "panelIndex": "92ef1d7f-491c-43be-9dab-9e684ec1f69c", + "title": "Entities by OS Family", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-939033bc-4e51-4ec8-abb1-72c230de7fce", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "939033bc-4e51-4ec8-abb1-72c230de7fce": { + "columnOrder": [ + "2ac7985a-b6f4-42ee-a06b-55ade77e1d74", + "44f60f5a-8f12-4c0a-a6e2-bf46309b5d13" + ], + "columns": { + "2ac7985a-b6f4-42ee-a06b-55ade77e1d74": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Domain", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "44f60f5a-8f12-4c0a-a6e2-bf46309b5d13", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "host.domain" + }, + "44f60f5a-8f12-4c0a-a6e2-bf46309b5d13": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": 
"data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "xm_cyber.entity_inventory" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "xm_cyber.entity_inventory" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "2ac7985a-b6f4-42ee-a06b-55ade77e1d74" + }, + { + "columnId": "44f60f5a-8f12-4c0a-a6e2-bf46309b5d13" + } + ], + "layerId": "939033bc-4e51-4ec8-abb1-72c230de7fce", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "xm_cyber.entity_inventory" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "xm_cyber.entity_inventory" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 18, + "i": "99d278cd-ff92-483e-bfcd-fe2b17321ed2", + "w": 19, + "x": 29, + "y": 27 + }, + "panelIndex": "99d278cd-ff92-483e-bfcd-fe2b17321ed2", + "title": "Top Domains", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-939033bc-4e51-4ec8-abb1-72c230de7fce", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "939033bc-4e51-4ec8-abb1-72c230de7fce": { + "columnOrder": [ + "2ac7985a-b6f4-42ee-a06b-55ade77e1d74", + "44f60f5a-8f12-4c0a-a6e2-bf46309b5d13" + ], + "columns": { + 
"2ac7985a-b6f4-42ee-a06b-55ade77e1d74": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Status", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "44f60f5a-8f12-4c0a-a6e2-bf46309b5d13", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 5 + }, + "scale": "ordinal", + "sourceField": "xm_cyber.entity_inventory.status" + }, + "44f60f5a-8f12-4c0a-a6e2-bf46309b5d13": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "xm_cyber.entity_inventory" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "xm_cyber.entity_inventory" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": 
false + } + ] + }, + "layerId": "939033bc-4e51-4ec8-abb1-72c230de7fce", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "44f60f5a-8f12-4c0a-a6e2-bf46309b5d13" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "2ac7985a-b6f4-42ee-a06b-55ade77e1d74" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "xm_cyber.entity_inventory" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "xm_cyber.entity_inventory" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 18, + "i": "091b5bed-f434-4eea-ade2-3d9d1bfbe6c6", + "w": 15, + "x": 14, + "y": 27 + }, + "panelIndex": "091b5bed-f434-4eea-ade2-3d9d1bfbe6c6", + "title": "Entities by Status", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-939033bc-4e51-4ec8-abb1-72c230de7fce", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "939033bc-4e51-4ec8-abb1-72c230de7fce": { + "columnOrder": [ + "2ac7985a-b6f4-42ee-a06b-55ade77e1d74", + "44f60f5a-8f12-4c0a-a6e2-bf46309b5d13" + ], + "columns": { + "2ac7985a-b6f4-42ee-a06b-55ade77e1d74": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Architecture", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + 
"includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "44f60f5a-8f12-4c0a-a6e2-bf46309b5d13", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 5 + }, + "scale": "ordinal", + "sourceField": "host.architecture" + }, + "44f60f5a-8f12-4c0a-a6e2-bf46309b5d13": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "xm_cyber.entity_inventory" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "xm_cyber.entity_inventory" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "939033bc-4e51-4ec8-abb1-72c230de7fce", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "44f60f5a-8f12-4c0a-a6e2-bf46309b5d13" + ], + "nestedLegend": false, + "numberDisplay": "percent", + 
"primaryGroups": [ + "2ac7985a-b6f4-42ee-a06b-55ade77e1d74" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "xm_cyber.entity_inventory" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "xm_cyber.entity_inventory" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 18, + "i": "0f921e10-e65b-4283-8dff-91a157e0ee5b", + "w": 14, + "x": 0, + "y": 27 + }, + "panelIndex": "0f921e10-e65b-4283-8dff-91a157e0ee5b", + "title": "Entities by Architecture", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-8e03cc6b-9f08-40fb-bc03-fd14cfa95da3", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "9d166986-e00a-4c2d-8e95-cf0ad8d60c7c", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "8e03cc6b-9f08-40fb-bc03-fd14cfa95da3": { + "columnOrder": [ + "adae3235-5409-454a-87ab-2512369ae62c", + "51c2d38c-0d2d-4411-8bc0-ae8ee47c3652" + ], + "columns": { + "51c2d38c-0d2d-4411-8bc0-ae8ee47c3652": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "adae3235-5409-454a-87ab-2512369ae62c": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Host IP", + "operationType": 
"terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "51c2d38c-0d2d-4411-8bc0-ae8ee47c3652", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "host.ip" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "9d166986-e00a-4c2d-8e95-cf0ad8d60c7c", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "xm_cyber.entity_inventory" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "xm_cyber.entity_inventory" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "51c2d38c-0d2d-4411-8bc0-ae8ee47c3652", + "isMetric": true, + "isTransposed": false + }, + { + "columnId": "adae3235-5409-454a-87ab-2512369ae62c", + "isMetric": false, + "isTransposed": false + } + ], + "layerId": "8e03cc6b-9f08-40fb-bc03-fd14cfa95da3", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "xm_cyber.entity_inventory" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "xm_cyber.entity_inventory" + } + } + } + ], + "query": { + "language": "kuery", 
+ "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 18, + "i": "2f4c98fe-43a6-4bd9-b308-a598ecc04c1d", + "w": 24, + "x": 0, + "y": 45 + }, + "panelIndex": "2f4c98fe-43a6-4bd9-b308-a598ecc04c1d", + "title": "Top Host IPs", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-8e03cc6b-9f08-40fb-bc03-fd14cfa95da3", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "8e03cc6b-9f08-40fb-bc03-fd14cfa95da3": { + "columnOrder": [ + "adae3235-5409-454a-87ab-2512369ae62c", + "51c2d38c-0d2d-4411-8bc0-ae8ee47c3652" + ], + "columns": { + "51c2d38c-0d2d-4411-8bc0-ae8ee47c3652": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "adae3235-5409-454a-87ab-2512369ae62c": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Host Name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "51c2d38c-0d2d-4411-8bc0-ae8ee47c3652", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "host.name" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": 
[ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "xm_cyber.entity_inventory" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "xm_cyber.entity_inventory" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "51c2d38c-0d2d-4411-8bc0-ae8ee47c3652", + "isMetric": true, + "isTransposed": false + }, + { + "columnId": "adae3235-5409-454a-87ab-2512369ae62c", + "isMetric": false, + "isTransposed": false + } + ], + "layerId": "8e03cc6b-9f08-40fb-bc03-fd14cfa95da3", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "xm_cyber.entity_inventory" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "xm_cyber.entity_inventory" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 18, + "i": "35ca3ca4-978e-481c-8a3a-80e3cb2bc605", + "w": 24, + "x": 24, + "y": 45 + }, + "panelIndex": "35ca3ca4-978e-481c-8a3a-80e3cb2bc605", + "title": "Top Hostnames", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-8e03cc6b-9f08-40fb-bc03-fd14cfa95da3", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + 
"currentIndexPatternId": "logs-*", + "layers": { + "8e03cc6b-9f08-40fb-bc03-fd14cfa95da3": { + "columnOrder": [ + "adae3235-5409-454a-87ab-2512369ae62c", + "51c2d38c-0d2d-4411-8bc0-ae8ee47c3652" + ], + "columns": { + "51c2d38c-0d2d-4411-8bc0-ae8ee47c3652": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "adae3235-5409-454a-87ab-2512369ae62c": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Username", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "51c2d38c-0d2d-4411-8bc0-ae8ee47c3652", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "user.name" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "xm_cyber.entity_inventory" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "xm_cyber.entity_inventory" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "51c2d38c-0d2d-4411-8bc0-ae8ee47c3652", + "isMetric": true, + 
"isTransposed": false + }, + { + "columnId": "adae3235-5409-454a-87ab-2512369ae62c", + "isMetric": false, + "isTransposed": false + } + ], + "layerId": "8e03cc6b-9f08-40fb-bc03-fd14cfa95da3", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "xm_cyber.entity_inventory" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "xm_cyber.entity_inventory" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 18, + "i": "c1c646c1-2428-444f-8bdd-a7ddadd890e9", + "w": 24, + "x": 0, + "y": 63 + }, + "panelIndex": "c1c646c1-2428-444f-8bdd-a7ddadd890e9", + "title": "Top Users", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-939033bc-4e51-4ec8-abb1-72c230de7fce", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "939033bc-4e51-4ec8-abb1-72c230de7fce": { + "columnOrder": [ + "2ac7985a-b6f4-42ee-a06b-55ade77e1d74", + "44f60f5a-8f12-4c0a-a6e2-bf46309b5d13" + ], + "columns": { + "2ac7985a-b6f4-42ee-a06b-55ade77e1d74": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Service Type", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "44f60f5a-8f12-4c0a-a6e2-bf46309b5d13", + "type": "column" + }, + 
"orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "service.type"
+ },
+ "44f60f5a-8f12-4c0a-a6e2-bf46309b5d13": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "ignoreGlobalFilters": false,
+ "incompleteColumns": {},
+ "indexPatternId": "logs-*",
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {}
+ },
+ "textBased": {
+ "indexPatternRefs": [
+ {
+ "id": "logs-*",
+ "timeField": "@timestamp",
+ "title": "logs-*"
+ }
+ ],
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "logs-*",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "xm_cyber.entity_inventory"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "xm_cyber.entity_inventory"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "layers": [
+ {
+ "accessors": [
+ "44f60f5a-8f12-4c0a-a6e2-bf46309b5d13"
+ ],
+ "colorMapping": {
+ "assignments": [],
+ "colorMode": {
+ "type": "categorical"
+ },
+ "paletteId": "eui_amsterdam_color_blind",
+ "specialAssignments": [
+ {
+ "color": {
+ "type": "loop"
+ },
+ "rule": {
+ "type": "other"
+ },
+ "touched": false
+ }
+ ]
+ },
+ "layerId": "939033bc-4e51-4ec8-abb1-72c230de7fce",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "bar_horizontal_stacked",
+ "showGridlines": false,
+ "xAccessor": "2ac7985a-b6f4-42ee-a06b-55ade77e1d74"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right",
+ "shouldTruncate": false
+ },
+ "preferredSeriesType": "bar_stacked",
+ "title": "Empty XY chart",
+ "valueLabels": "hide"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "logs-*",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "xm_cyber.entity_inventory"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "xm_cyber.entity_inventory"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "78f84fae-4566-40f5-8241-747ea3a34081",
+ "w": 24,
+ "x": 24,
+ "y": 81
+ },
+ "panelIndex": "78f84fae-4566-40f5-8241-747ea3a34081",
+ "title": "Entities by Service Type",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-939033bc-4e51-4ec8-abb1-72c230de7fce",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {
+ "939033bc-4e51-4ec8-abb1-72c230de7fce": {
+ "columnOrder": [
+ "2ac7985a-b6f4-42ee-a06b-55ade77e1d74",
+ "44f60f5a-8f12-4c0a-a6e2-bf46309b5d13"
+ ],
+ "columns": {
+ "2ac7985a-b6f4-42ee-a06b-55ade77e1d74": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Type",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "44f60f5a-8f12-4c0a-a6e2-bf46309b5d13",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "xm_cyber.entity_inventory.type_display_name"
+ },
+ "44f60f5a-8f12-4c0a-a6e2-bf46309b5d13": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "ignoreGlobalFilters": false,
+ "incompleteColumns": {},
+ "indexPatternId": "logs-*",
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {}
+ },
+ "textBased": {
+ "indexPatternRefs": [
+ {
+ "id": "logs-*",
+ "timeField": "@timestamp",
+ "title": "logs-*"
+ }
+ ],
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "logs-*",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "xm_cyber.entity_inventory"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "xm_cyber.entity_inventory"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "layers": [
+ {
+ "accessors": [
+ "44f60f5a-8f12-4c0a-a6e2-bf46309b5d13"
+ ],
+ "colorMapping": {
+ "assignments": [],
+ "colorMode": {
+ "type": "categorical"
+ },
+ "paletteId": "eui_amsterdam_color_blind",
+ "specialAssignments": [
+ {
+ "color": {
+ "type": "loop"
+ },
+ "rule": {
+ "type": "other"
+ },
+ "touched": false
+ }
+ ]
+ },
+ "layerId": "939033bc-4e51-4ec8-abb1-72c230de7fce",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "bar_horizontal_stacked",
+ "showGridlines": false,
+ "xAccessor": "2ac7985a-b6f4-42ee-a06b-55ade77e1d74"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right",
+ "shouldTruncate": false
+ },
+ "preferredSeriesType": "bar_stacked",
+ "title": "Empty XY chart",
+ "valueLabels": "hide"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "logs-*",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "xm_cyber.entity_inventory"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "xm_cyber.entity_inventory"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 18,
+ "i": "3305f6da-f3cb-4760-be53-07fd632d09ff",
+ "w": 24,
+ "x": 24,
+ "y": 63
+ },
+ "panelIndex": "3305f6da-f3cb-4760-be53-07fd632d09ff",
+ "title": "Entities by Type",
+ "type": "lens"
+ }
+ ],
+ "timeRestore": false,
+ "title": "[Logs XM Cyber] Entity Inventory",
+ "version": 3
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2026-05-11T05:35:04.941Z",
+ "id": "xm_cyber-2170babe-e0a3-4289-a13b-fcb606f812a7",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "bb3a7283-ea62-4064-9658-9053f15ca540:indexpattern-datasource-layer-939033bc-4e51-4ec8-abb1-72c230de7fce",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "13e9f5a9-a6f7-4539-a95c-a9fd5f3a3981:indexpattern-datasource-layer-939033bc-4e51-4ec8-abb1-72c230de7fce",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "ea12a2b9-6be5-41b3-b9fe-b2bbedbdaa07:indexpattern-datasource-layer-939033bc-4e51-4ec8-abb1-72c230de7fce",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "20eb9702-3c05-4cb2-8853-78f00d9cacee:indexpattern-datasource-layer-939033bc-4e51-4ec8-abb1-72c230de7fce",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "185ce4bf-18da-489a-a8ec-7d7861bb7206:indexpattern-datasource-layer-939033bc-4e51-4ec8-abb1-72c230de7fce",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "74dac700-d17e-4232-abe8-b6b37aa73cac:indexpattern-datasource-layer-8a8f908b-2e4c-43f7-beda-c77288b433e9",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "74dac700-d17e-4232-abe8-b6b37aa73cac:6a657533-e519-44e3-ba74-601d433057c5",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "8b5123ec-e5c1-4925-bb62-d7a98f968e93:indexpattern-datasource-layer-f7c1d5f7-3e11-44a2-bf3c-0a0c9f77ecae",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "8b5123ec-e5c1-4925-bb62-d7a98f968e93:4eb87047-b28f-48f6-88ef-d88493f37183",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "fae43dda-11cf-4de9-9edf-477a15f2e3b3:indexpattern-datasource-layer-2fe62e59-0b00-45d9-8760-6e57d256bfdc",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "f7375387-d8f3-4ea4-b0b2-1477a308e136:indexpattern-datasource-layer-2fe62e59-0b00-45d9-8760-6e57d256bfdc",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "f7375387-d8f3-4ea4-b0b2-1477a308e136:e57ae921-8147-4aa2-a68b-4308a74fac83",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "92ef1d7f-491c-43be-9dab-9e684ec1f69c:indexpattern-datasource-layer-2fe62e59-0b00-45d9-8760-6e57d256bfdc",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "99d278cd-ff92-483e-bfcd-fe2b17321ed2:indexpattern-datasource-layer-939033bc-4e51-4ec8-abb1-72c230de7fce",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "091b5bed-f434-4eea-ade2-3d9d1bfbe6c6:indexpattern-datasource-layer-939033bc-4e51-4ec8-abb1-72c230de7fce",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "0f921e10-e65b-4283-8dff-91a157e0ee5b:indexpattern-datasource-layer-939033bc-4e51-4ec8-abb1-72c230de7fce",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "2f4c98fe-43a6-4bd9-b308-a598ecc04c1d:indexpattern-datasource-layer-8e03cc6b-9f08-40fb-bc03-fd14cfa95da3",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "2f4c98fe-43a6-4bd9-b308-a598ecc04c1d:9d166986-e00a-4c2d-8e95-cf0ad8d60c7c",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "35ca3ca4-978e-481c-8a3a-80e3cb2bc605:indexpattern-datasource-layer-8e03cc6b-9f08-40fb-bc03-fd14cfa95da3",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "c1c646c1-2428-444f-8bdd-a7ddadd890e9:indexpattern-datasource-layer-8e03cc6b-9f08-40fb-bc03-fd14cfa95da3",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "78f84fae-4566-40f5-8241-747ea3a34081:indexpattern-datasource-layer-939033bc-4e51-4ec8-abb1-72c230de7fce",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "3305f6da-f3cb-4760-be53-07fd632d09ff:indexpattern-datasource-layer-939033bc-4e51-4ec8-abb1-72c230de7fce",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "controlGroup_1d58b1f7-2273-48a8-9eb5-f09422f763a3:optionsListDataView",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "controlGroup_7cade5b5-355a-4a5b-aab7-8fff05f0c6dd:optionsListDataView",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "controlGroup_aff6deba-9336-4909-aecf-04734a894bd1:optionsListDataView",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "controlGroup_4a239899-f798-43a3-9db3-0ad444a5ec2b:optionsListDataView",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "dashboard",
+ "typeMigrationVersion": "10.2.0",
+ "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
+}
\ No newline at end of file
diff --git a/packages/xm_cyber/manifest.yml b/packages/xm_cyber/manifest.yml
index 0ab92d8deda..353ad41f6ae 100644
--- a/packages/xm_cyber/manifest.yml
+++ b/packages/xm_cyber/manifest.yml
@@ -20,6 +20,10 @@ screenshots:
 title: Vulnerability Dashboard
 size: 600x600
 type: image/png
+ - src: /img/xm_cyber-entity_inventory.png
+ title: Entity Inventory Dashboard
+ size: 600x600
+ type: image/png
 icons:
 - src: /img/xm_cyber-logo.svg
 title: XM Cyber logo