diff --git a/packages/cloudflare/data_stream/logpull/_dev/test/pipeline/test-http-json.log b/packages/cloudflare/data_stream/logpull/_dev/test/pipeline/test-http-json.log
new file mode 100644
index 00000000000..b54d54a0703
--- /dev/null
+++ b/packages/cloudflare/data_stream/logpull/_dev/test/pipeline/test-http-json.log
@@ -0,0 +1,4 @@
+{"BotScore":20,"BotScoreSrc":"Verified Bot","CacheCacheStatus":"unknown","CacheResponseBytes":0,"CacheResponseStatus":0,"CacheTieredFill":false,"ClientASN":15169,"ClientCountry":"us","ClientDeviceType":"desktop","ClientIP":"89.160.20.156","ClientIPClass":"noRecord","ClientRequestBytes":2577,"ClientRequestHost":"cf-analytics.com","ClientRequestMethod":"POST","ClientRequestPath":"/wp-cron.php","ClientRequestProtocol":"HTTP/1.1","ClientRequestReferer":"https://cf-analytics.com/wp-cron.php?doing_wp_cron=1564759748.3962020874023437500000","ClientRequestURI":"/wp-cron.php?doing_wp_cron=1564759748.3962020874023437500000","ClientRequestUserAgent":"WordPress/5.2.2;https://cf-analytics.com","ClientSSLCipher":"ECDHE-ECDSA-AES128-GCM-SHA256","ClientSSLProtocol":"TLSv1.2","ClientSrcPort":55028,"EdgeColoID":14,"EdgeEndTimestamp":"2019-08-02T15:29:08Z","EdgePathingOp":"ban","EdgePathingSrc":"filter_based_firewall","EdgePathingStatus":"captchaNew","EdgeRateLimitAction":"","EdgeRateLimitID":0,"EdgeRequestHost":"","EdgeResponseBytes":2848,"EdgeResponseCompressionRatio":2.64,"EdgeResponseContentType":"text/html","EdgeResponseStatus":403,"EdgeServerIP":"","EdgeStartTimestamp":"2019-08-02T15:29:08Z","FirewallMatchesActions":["simulate","challenge"],"FirewallMatchesSources":["firewallRules","firewallRules"],"FirewallMatchesRuleIDs":["094b71fea25d4860a61fa0c6fbbd8d8b","e454fd4a0ce546b3a9a462536613692c"],"OriginIP":"","OriginResponseBytes":0,"OriginResponseHTTPExpires":"","OriginResponseHTTPLastModified":"","OriginResponseStatus":0,"OriginResponseTime":0,"OriginSSLProtocol":"unknown","ParentRayID":"00","RayID":"500115ec386354d8","SecurityLevel":"med","WAFAction":"unknown","WAFFlags":"0","WAFMatchedVar":"","WAFProfile":"unknown","WAFRuleID":"","WAFRuleMessage":"","WorkerCPUTime":0,"WorkerStatus":"unknown","WorkerSubrequest":false,"WorkerSubrequestCount":0,"ZoneID":155978002}
+{"BotScore":1,"BotScoreSrc":"Heuristics","CacheCacheStatus":"hit","CacheResponseBytes":26888,"CacheResponseStatus":200,"CacheTieredFill":true,"ClientASN":1136,"ClientCountry":"nl","ClientDeviceType":"desktop","ClientIP":"89.160.20.156","ClientIPClass":"noRecord","ClientRequestBytes":5324,"ClientRequestHost":"eqlplayground.io","ClientRequestMethod":"GET","ClientRequestPath":"/40865/bundles/plugin/securitySolution/8.0.0/securitySolution.chunk.9.js","ClientRequestProtocol":"HTTP/1.1","ClientRequestReferer":"https://eqlplayground.io/s/eqldemo/app/security/timelines/default?sourcerer=(default:!(.siem-signals-eqldemo))&timerange=(global:(linkTo:!(),timerange:(from:%272021-03-03T19:55:15.519Z%27,fromStr:now-24h,kind:relative,to:%272021-03-04T19:55:15.519Z%27,toStr:now)),timeline:(linkTo:!(),timerange:(from:%272020-03-04T19:55:28.684Z%27,fromStr:now-1y,kind:relative,to:%272021-03-04T19:55:28.692Z%27,toStr:now)))&timeline=(activeTab:eql,graphEventId:%27%27,id:%2769f93840-7d23-11eb-866c-79a0609409ba%27,isOpen:!t)","ClientRequestURI":"/40865/bundles/plugin/securitySolution/8.0.0/securitySolution.chunk.9.js","ClientRequestUserAgent":"Mozilla/5.0(WindowsNT10.0;Win64;x64)AppleWebKit/537.36(KHTML,likeGecko)Chrome/91.0.4472.124Safari/537.36","ClientSSLCipher":"NONE","ClientSSLProtocol":"none","ClientSrcPort":0,"ClientXRequestedWith":"","EdgeColoCode":"33.147.138.217","EdgeColoID":20,"EdgeEndTimestamp":1625752958875000000,"EdgePathingOp":"wl","EdgePathingSrc":"macro","EdgePathingStatus":"nr","EdgeRateLimitAction":"","EdgeRateLimitID":0,"EdgeRequestHost":"eqlplayground.io","EdgeResponseBytes":24743,"EdgeResponseCompressionRatio":0,"EdgeResponseContentType":"application/javascript","EdgeResponseStatus":200,"EdgeServerIP":"89.160.20.156","EdgeStartTimestamp":1625752958812000000,"FirewallMatchesActions":[],"FirewallMatchesRuleIDs":[],"FirewallMatchesSources":[],"OriginIP":"","OriginResponseBytes":0,"OriginResponseHTTPExpires":"","OriginResponseHTTPLastModified":"","OriginResponseStatus
":0,"OriginResponseTime":0,"OriginSSLProtocol":"unknown","ParentRayID":"66b9d9f88b5b4c4f","RayID":"66b9d9f890ae4c4f","SecurityLevel":"off","WAFAction":"unknown","WAFFlags":"0","WAFMatchedVar":"","WAFProfile":"unknown","WAFRuleID":"","WAFRuleMessage":"","WorkerCPUTime":0,"WorkerStatus":"unknown","WorkerSubrequest":true,"WorkerSubrequestCount":0,"ZoneID":393347122}
+{"BotScore":1,"BotScoreSrc":"Heuristics","CacheCacheStatus":"unknown","CacheResponseBytes":0,"CacheResponseStatus":0,"CacheTieredFill":false,"ClientASN":1136,"ClientCountry":"nl","ClientDeviceType":"desktop","ClientIP":"89.160.20.156","ClientIPClass":"noRecord","ClientRequestBytes":2520,"ClientRequestHost":"eqlplayground.io","ClientRequestMethod":"GET","ClientRequestPath":"/s/eqldemo/security/account","ClientRequestProtocol":"HTTP/2","ClientRequestReferer":"","ClientRequestURI":"/s/eqldemo/security/account","ClientRequestUserAgent":"Mozilla/5.0(WindowsNT10.0;Win64;x64)AppleWebKit/537.36(KHTML,likeGecko)Chrome/91.0.4472.124Safari/537.36","ClientSSLCipher":"AEAD-AES128-GCM-SHA256","ClientSSLProtocol":"TLSv1.3","ClientSrcPort":61593,"ClientXRequestedWith":"","EdgeColoCode":"AMS","EdgeColoID":20,"EdgeEndTimestamp":1625754264684000000,"EdgePathingOp":"ban","EdgePathingSrc":"filter_based_firewall","EdgePathingStatus":"nr","EdgeRateLimitAction":"","EdgeRateLimitID":0,"EdgeRequestHost":"183.53.30.34","EdgeResponseBytes":2066,"EdgeResponseCompressionRatio":2.45,"EdgeResponseContentType":"text/html","EdgeResponseStatus":403,"EdgeServerIP":"","EdgeStartTimestamp":1625754264676000000,"FirewallMatchesActions":["block"],"FirewallMatchesRuleIDs":["391eb601201e4f2a81038910f2b63f6d"],"FirewallMatchesSources":["firewallRules"],"OriginIP":"89.160.20.156","OriginResponseBytes":0,"OriginResponseHTTPExpires":"","OriginResponseHTTPLastModified":"","OriginResponseStatus":0,"OriginResponseTime":0,"OriginSSLProtocol":"unknown","ParentRayID":"00","RayID":"66b9f9da396e4c01","SecurityLevel":"unk","WAFAction":"unknown","WAFFlags":"0","
WAFMatchedVar":"","WAFProfile":"unknown","WAFRuleID":"","WAFRuleMessage":"","WorkerCPUTime":0,"WorkerStatus":"unknown","WorkerSubrequest":false,"WorkerSubrequestCount":0,"ZoneID":393347122}
+{"BotScore":1,"BotScoreSrc":"Heuristics","CacheCacheStatus":"unknown","CacheResponseBytes":0,"CacheResponseStatus":0,"CacheTieredFill":false,"ClientASN":1136,"ClientCountry":"nl","ClientDeviceType":"desktop","ClientIP":"89.160.20.156","ClientIPClass":"noRecord","ClientRequestBytes":2520,"ClientRequestHost":"eqlplayground.io","ClientRequestMethod":"GET","ClientRequestPath":"/s/eqldemo/security/account","ClientRequestProtocol":"HTTP/2","ClientRequestReferer":"","ClientRequestURI":"/s/eqldemo/security/account","ClientRequestUserAgent":"Mozilla/5.0(WindowsNT10.0;Win64;x64)AppleWebKit/537.36(KHTML,likeGecko)Chrome/91.0.4472.124Safari/537.36","ClientSSLCipher":"AEAD-AES128-GCM-SHA256","ClientSSLProtocol":"TLSv1.3","ClientSrcPort":61593,"ClientXRequestedWith":"","EdgeColoCode":"AMS","EdgeColoID":20,"EdgeEndTimestamp":1625754264,"EdgePathingOp":"ban","EdgePathingSrc":"filter_based_firewall","EdgePathingStatus":"nr","EdgeRateLimitAction":"","EdgeRateLimitID":0,"EdgeRequestHost":"183.53.30.34","EdgeResponseBytes":2066,"EdgeResponseCompressionRatio":2.45,"EdgeResponseContentType":"text/html","EdgeResponseStatus":403,"EdgeServerIP":"","EdgeStartTimestamp":1625754264,"FirewallMatchesActions":["block"],"FirewallMatchesRuleIDs":["391eb601201e4f2a81038910f2b63f6d"],"FirewallMatchesSources":["firewallRules"],"OriginIP":"89.160.20.156","OriginResponseBytes":0,"OriginResponseHTTPExpires":"","OriginResponseHTTPLastModified":"","OriginResponseStatus":0,"OriginResponseTime":0,"OriginSSLProtocol":"unknown","ParentRayID":"00","RayID":"66b9f9da396e4c01","SecurityLevel":"unk","WAFAction":"unknown","WAFFlags":"0","WAFMatchedVar":"","WAFProfile":"unknown","WAFRuleID":"","WAFRuleMessage":"","WorkerCPUTime":0,"WorkerStatus":"unknown","WorkerSubrequest":false,"WorkerSubrequestCount":0,"ZoneID":393347122}
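Review bot: The `ClientRequestUserAgent` values in records 2–4 have had every space stripped (`Mozilla/5.0(WindowsNT10.0;Win64;x64)AppleWebKit/537.36(KHTML,likeGecko)Chrome/91.0.4472.124Safari/537.36`), which is not a string any browser sends, and it is why the companion expected file ends up with `user_agent.os.version: "$1"` — an unresolved regex back-reference from the UA parser, not a version — so the fixture pins a parser artifact instead of real behaviour. Restoring the spaces, `Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36`, makes the input realistic and lets the expected output assert an actual OS/version. Records 3 and 4 are the same event (RayID `66b9f9da396e4c01`) differing only in `EdgeStartTimestamp`/`EdgeEndTimestamp` being epoch nanoseconds versus epoch seconds; if record 4 is there to cover second-precision timestamps, say so in the PR description or the data stream's test config, since a log file cannot carry a comment and the duplication otherwise reads as accidental. Record 2's `EdgeColoCode` is an IP literal (`33.147.138.217`) rather than an IATA-style code like `AMS`; if that is deliberate to exercise an odd value it is worth noting for the same reason.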
diff --git a/packages/cloudflare/data_stream/logpull/_dev/test/pipeline/test-http-json.log-expected.json b/packages/cloudflare/data_stream/logpull/_dev/test/pipeline/test-http-json.log-expected.json
new file mode 100644
index 00000000000..4c87e048b3d
--- /dev/null
+++ b/packages/cloudflare/data_stream/logpull/_dev/test/pipeline/test-http-json.log-expected.json
@@ -0,0 +1,825 @@ +{ + "expected": [ + { + "@timestamp": "2019-08-02T15:29:08.000Z", + "client": { + "address": "89.160.20.156", + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 2577, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 55028 + }, + "cloudflare": { + "bot": { + "score": { + "src": "Verified Bot", + "value": 20 + } + }, + "cache": { + "status": "unknown", + "tiered_fill": false + }, + "client": { + "ip_class": "noRecord", + "ssl": { + "protocol": "TLSv1.2" + } + }, + "device_type": "desktop", + "edge": { + "colo": { + "id": 14 + }, + "pathing": { + "op": "ban", + "src": "filter_based_firewall", + "status": "captchaNew" + }, + "rate_limit": { + "id": 0 + }, + "response": { + "bytes": 2848, + "compression_ratio": 2.64, + "content_type": "text/html", + "status_code": 403 + } + }, + "firewall": { + "actions": [ + "simulate", + "challenge" + ], + "rule_ids": [ + "094b71fea25d4860a61fa0c6fbbd8d8b", + "e454fd4a0ce546b3a9a462536613692c" + ], + "sources": [ + "firewallRules", + "firewallRules" + ] + }, + "origin": { + "response": { + "bytes": 0, + "status_code": 0, + "time": 0 + }, + "ssl": { + "protocol": "unknown" + } + }, + "parent": { + "ray_id": "00" + }, + "ray_id": "500115ec386354d8", + "security_level": "med", + "waf": { + "action": "unknown", + "flags": "0", + "profile": "unknown" + }, + "worker": { + "cpu_time": 0, + "status": "unknown", + "subrequest": false, + "subrequest_count": 0 + }, + "zone": { + "id": 155978002 + } + }, + "destination": { + "bytes": 2848 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": [ + "simulate", + "challenge" + ], + "category": [ + "network" + ], + "duration": 0, + "end": "2019-08-02T15:29:08.000Z", + "kind": "event", + 
"original": "{\"BotScore\":20,\"BotScoreSrc\":\"Verified Bot\",\"CacheCacheStatus\":\"unknown\",\"CacheResponseBytes\":0,\"CacheResponseStatus\":0,\"CacheTieredFill\":false,\"ClientASN\":15169,\"ClientCountry\":\"us\",\"ClientDeviceType\":\"desktop\",\"ClientIP\":\"89.160.20.156\",\"ClientIPClass\":\"noRecord\",\"ClientRequestBytes\":2577,\"ClientRequestHost\":\"cf-analytics.com\",\"ClientRequestMethod\":\"POST\",\"ClientRequestPath\":\"/wp-cron.php\",\"ClientRequestProtocol\":\"HTTP/1.1\",\"ClientRequestReferer\":\"https://cf-analytics.com/wp-cron.php?doing_wp_cron=1564759748.3962020874023437500000\",\"ClientRequestURI\":\"/wp-cron.php?doing_wp_cron=1564759748.3962020874023437500000\",\"ClientRequestUserAgent\":\"WordPress/5.2.2;https://cf-analytics.com\",\"ClientSSLCipher\":\"ECDHE-ECDSA-AES128-GCM-SHA256\",\"ClientSSLProtocol\":\"TLSv1.2\",\"ClientSrcPort\":55028,\"EdgeColoID\":14,\"EdgeEndTimestamp\":\"2019-08-02T15:29:08Z\",\"EdgePathingOp\":\"ban\",\"EdgePathingSrc\":\"filter_based_firewall\",\"EdgePathingStatus\":\"captchaNew\",\"EdgeRateLimitAction\":\"\",\"EdgeRateLimitID\":0,\"EdgeRequestHost\":\"\",\"EdgeResponseBytes\":2848,\"EdgeResponseCompressionRatio\":2.64,\"EdgeResponseContentType\":\"text/html\",\"EdgeResponseStatus\":403,\"EdgeServerIP\":\"\",\"EdgeStartTimestamp\":\"2019-08-02T15:29:08Z\",\"FirewallMatchesActions\":[\"simulate\",\"challenge\"],\"FirewallMatchesSources\":[\"firewallRules\",\"firewallRules\"],\"FirewallMatchesRuleIDs\":[\"094b71fea25d4860a61fa0c6fbbd8d8b\",\"e454fd4a0ce546b3a9a462536613692c\"],\"OriginIP\":\"\",\"OriginResponseBytes\":0,\"OriginResponseHTTPExpires\":\"\",\"OriginResponseHTTPLastModified\":\"\",\"OriginResponseStatus\":0,\"OriginResponseTime\":0,\"OriginSSLProtocol\":\"unknown\",\"ParentRayID\":\"00\",\"RayID\":\"500115ec386354d8\",\"SecurityLevel\":\"med\",\"WAFAction\":\"unknown\",\"WAFFlags\":\"0\",\"WAFMatchedVar\":\"\",\"WAFProfile\":\"unknown\",\"WAFRuleID\":\"\",\"WAFRuleMessage\":\"\",\"WorkerCPUTime\":0,\"
WorkerStatus\":\"unknown\",\"WorkerSubrequest\":false,\"WorkerSubrequestCount\":0,\"ZoneID\":155978002}", + "start": "2019-08-02T15:29:08.000Z" + }, + "http": { + "request": { + "bytes": 2577, + "method": "POST", + "referrer": "https://cf-analytics.com/wp-cron.php?doing_wp_cron=1564759748.3962020874023437500000" + }, + "response": { + "bytes": 2848, + "status_code": 403 + }, + "version": "1.1" + }, + "network": { + "bytes": 5425, + "protocol": "http", + "transport": "tcp" + }, + "observer": { + "type": "proxy", + "vendor": "cloudflare" + }, + "server": { + "bytes": 2848 + }, + "source": { + "address": "89.160.20.156", + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 2577, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 55028 + }, + "tags": [ + "preserve_original_event" + ], + "tls": { + "cipher": "ECDHE-ECDSA-AES128-GCM-SHA256", + "version": "1.2", + "version_protocol": "tls" + }, + "url": { + "domain": "cf-analytics.com", + "extension": "php", + "full": "https://cf-analytics.com/wp-cron.php?doing_wp_cron=1564759748.3962020874023437500000", + "original": "/wp-cron.php?doing_wp_cron=1564759748.3962020874023437500000", + "path": "/wp-cron.php", + "query": "doing_wp_cron=1564759748.3962020874023437500000", + "scheme": "https" + }, + "user_agent": { + "device": { + "name": "Spider" + }, + "name": "WordPress", + "original": "WordPress/5.2.2;https://cf-analytics.com", + "version": "5.2.2" + } + }, + { + "@timestamp": "2021-07-08T14:02:38.812Z", + "client": { + "address": "89.160.20.156", + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 5324, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + 
"country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 0 + }, + "cloudflare": { + "bot": { + "score": { + "src": "Heuristics", + "value": 1 + } + }, + "cache": { + "bytes": 26888, + "status": "hit", + "status_code": 200, + "tiered_fill": true + }, + "client": { + "ip_class": "noRecord" + }, + "device_type": "desktop", + "edge": { + "colo": { + "code": "33.147.138.217", + "id": 20 + }, + "pathing": { + "op": "wl", + "src": "macro", + "status": "nr" + }, + "rate_limit": { + "id": 0 + }, + "request": { + "host": "eqlplayground.io" + }, + "response": { + "bytes": 24743, + "compression_ratio": 0, + "content_type": "application/javascript", + "status_code": 200 + } + }, + "origin": { + "response": { + "bytes": 0, + "status_code": 0, + "time": 0 + }, + "ssl": { + "protocol": "unknown" + } + }, + "parent": { + "ray_id": "66b9d9f88b5b4c4f" + }, + "ray_id": "66b9d9f890ae4c4f", + "security_level": "off", + "waf": { + "action": "unknown", + "flags": "0", + "profile": "unknown" + }, + "worker": { + "cpu_time": 0, + "status": "unknown", + "subrequest": true, + "subrequest_count": 0 + }, + "zone": { + "id": 393347122 + } + }, + "destination": { + "bytes": 24743 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "network" + ], + "duration": 63000000, + "end": "2021-07-08T14:02:38.875Z", + "kind": "event", + "original": 
"{\"BotScore\":1,\"BotScoreSrc\":\"Heuristics\",\"CacheCacheStatus\":\"hit\",\"CacheResponseBytes\":26888,\"CacheResponseStatus\":200,\"CacheTieredFill\":true,\"ClientASN\":1136,\"ClientCountry\":\"nl\",\"ClientDeviceType\":\"desktop\",\"ClientIP\":\"89.160.20.156\",\"ClientIPClass\":\"noRecord\",\"ClientRequestBytes\":5324,\"ClientRequestHost\":\"eqlplayground.io\",\"ClientRequestMethod\":\"GET\",\"ClientRequestPath\":\"/40865/bundles/plugin/securitySolution/8.0.0/securitySolution.chunk.9.js\",\"ClientRequestProtocol\":\"HTTP/1.1\",\"ClientRequestReferer\":\"https://eqlplayground.io/s/eqldemo/app/security/timelines/default?sourcerer=(default:!(.siem-signals-eqldemo))&timerange=(global:(linkTo:!(),timerange:(from:%272021-03-03T19:55:15.519Z%27,fromStr:now-24h,kind:relative,to:%272021-03-04T19:55:15.519Z%27,toStr:now)),timeline:(linkTo:!(),timerange:(from:%272020-03-04T19:55:28.684Z%27,fromStr:now-1y,kind:relative,to:%272021-03-04T19:55:28.692Z%27,toStr:now)))&timeline=(activeTab:eql,graphEventId:%27%27,id:%2769f93840-7d23-11eb-866c-79a0609409ba%27,isOpen:!t)\",\"ClientRequestURI\":\"/40865/bundles/plugin/securitySolution/8.0.0/securitySolution.chunk.9.js\",\"ClientRequestUserAgent\":\"Mozilla/5.0(WindowsNT10.0;Win64;x64)AppleWebKit/537.36(KHTML,likeGecko)Chrome/91.0.4472.124Safari/537.36\",\"ClientSSLCipher\":\"NONE\",\"ClientSSLProtocol\":\"none\",\"ClientSrcPort\":0,\"ClientXRequestedWith\":\"\",\"EdgeColoCode\":\"33.147.138.217\",\"EdgeColoID\":20,\"EdgeEndTimestamp\":1625752958875000000,\"EdgePathingOp\":\"wl\",\"EdgePathingSrc\":\"macro\",\"EdgePathingStatus\":\"nr\",\"EdgeRateLimitAction\":\"\",\"EdgeRateLimitID\":0,\"EdgeRequestHost\":\"eqlplayground.io\",\"EdgeResponseBytes\":24743,\"EdgeResponseCompressionRatio\":0,\"EdgeResponseContentType\":\"application/javascript\",\"EdgeResponseStatus\":200,\"EdgeServerIP\":\"89.160.20.156\",\"EdgeStartTimestamp\":1625752958812000000,\"FirewallMatchesActions\":[],\"FirewallMatchesRuleIDs\":[],\"FirewallMatchesSources\"
:[],\"OriginIP\":\"\",\"OriginResponseBytes\":0,\"OriginResponseHTTPExpires\":\"\",\"OriginResponseHTTPLastModified\":\"\",\"OriginResponseStatus\":0,\"OriginResponseTime\":0,\"OriginSSLProtocol\":\"unknown\",\"ParentRayID\":\"66b9d9f88b5b4c4f\",\"RayID\":\"66b9d9f890ae4c4f\",\"SecurityLevel\":\"off\",\"WAFAction\":\"unknown\",\"WAFFlags\":\"0\",\"WAFMatchedVar\":\"\",\"WAFProfile\":\"unknown\",\"WAFRuleID\":\"\",\"WAFRuleMessage\":\"\",\"WorkerCPUTime\":0,\"WorkerStatus\":\"unknown\",\"WorkerSubrequest\":true,\"WorkerSubrequestCount\":0,\"ZoneID\":393347122}", + "start": "2021-07-08T14:02:38.812Z" + }, + "http": { + "request": { + "bytes": 5324, + "method": "GET", + "referrer": "https://eqlplayground.io/s/eqldemo/app/security/timelines/default?sourcerer=(default:!(.siem-signals-eqldemo))&timerange=(global:(linkTo:!(),timerange:(from:%272021-03-03T19:55:15.519Z%27,fromStr:now-24h,kind:relative,to:%272021-03-04T19:55:15.519Z%27,toStr:now)),timeline:(linkTo:!(),timerange:(from:%272020-03-04T19:55:28.684Z%27,fromStr:now-1y,kind:relative,to:%272021-03-04T19:55:28.692Z%27,toStr:now)))&timeline=(activeTab:eql,graphEventId:%27%27,id:%2769f93840-7d23-11eb-866c-79a0609409ba%27,isOpen:!t)" + }, + "response": { + "bytes": 24743, + "status_code": 200 + }, + "version": "1.1" + }, + "network": { + "bytes": 30067, + "protocol": "http", + "transport": "tcp" + }, + "observer": { + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": [ + "89.160.20.156" + ], + "type": "proxy", + "vendor": "cloudflare" + }, + "server": { + "bytes": 24743 + }, + "source": { + "address": "89.160.20.156", + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 5324, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + 
"country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 0 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "eqlplayground.io", + "extension": "js", + "full": "http://eqlplayground.io/40865/bundles/plugin/securitySolution/8.0.0/securitySolution.chunk.9.js", + "original": "/40865/bundles/plugin/securitySolution/8.0.0/securitySolution.chunk.9.js", + "path": "/40865/bundles/plugin/securitySolution/8.0.0/securitySolution.chunk.9.js", + "scheme": "http" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Chrome", + "original": "Mozilla/5.0(WindowsNT10.0;Win64;x64)AppleWebKit/537.36(KHTML,likeGecko)Chrome/91.0.4472.124Safari/537.36", + "os": { + "full": "Windows $1", + "name": "Windows", + "version": "$1" + }, + "version": "91.0.4472.124" + } + }, + { + "@timestamp": "2021-07-08T14:24:24.676Z", + "client": { + "address": "89.160.20.156", + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 2520, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 61593 + }, + "cloudflare": { + "bot": { + "score": { + "src": "Heuristics", + "value": 1 + } + }, + "cache": { + "status": "unknown", + "tiered_fill": false + }, + "client": { + "ip_class": "noRecord", + "ssl": { + "protocol": "TLSv1.3" + } + }, + "device_type": "desktop", + "edge": { + "colo": { + "code": "AMS", + "id": 20 + }, + "pathing": { + "op": "ban", + "src": "filter_based_firewall", + "status": "nr" + }, + "rate_limit": { + "id": 0 + }, + "request": { + "host": "183.53.30.34" + }, + "response": { + "bytes": 2066, + "compression_ratio": 2.45, + "content_type": "text/html", + 
"status_code": 403 + } + }, + "firewall": { + "actions": [ + "block" + ], + "rule_ids": [ + "391eb601201e4f2a81038910f2b63f6d" + ], + "sources": [ + "firewallRules" + ] + }, + "origin": { + "response": { + "bytes": 0, + "status_code": 0, + "time": 0 + }, + "ssl": { + "protocol": "unknown" + } + }, + "parent": { + "ray_id": "00" + }, + "ray_id": "66b9f9da396e4c01", + "security_level": "unk", + "waf": { + "action": "unknown", + "flags": "0", + "profile": "unknown" + }, + "worker": { + "cpu_time": 0, + "status": "unknown", + "subrequest": false, + "subrequest_count": 0 + }, + "zone": { + "id": 393347122 + } + }, + "destination": { + "address": "89.160.20.156", + "bytes": 2066, + "ip": "89.160.20.156" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": [ + "block" + ], + "category": [ + "network" + ], + "duration": 8000000, + "end": "2021-07-08T14:24:24.684Z", + "kind": "event", + "original": "{\"BotScore\":1,\"BotScoreSrc\":\"Heuristics\",\"CacheCacheStatus\":\"unknown\",\"CacheResponseBytes\":0,\"CacheResponseStatus\":0,\"CacheTieredFill\":false,\"ClientASN\":1136,\"ClientCountry\":\"nl\",\"ClientDeviceType\":\"desktop\",\"ClientIP\":\"89.160.20.156\",\"ClientIPClass\":\"noRecord\",\"ClientRequestBytes\":2520,\"ClientRequestHost\":\"eqlplayground.io\",\"ClientRequestMethod\":\"GET\",\"ClientRequestPath\":\"/s/eqldemo/security/account\",\"ClientRequestProtocol\":\"HTTP/2\",\"ClientRequestReferer\":\"\",\"ClientRequestURI\":\"/s/eqldemo/security/account\",\"ClientRequestUserAgent\":\"Mozilla/5.0(WindowsNT10.0;Win64;x64)AppleWebKit/537.36(KHTML,likeGecko)Chrome/91.0.4472.124Safari/537.36\",\"ClientSSLCipher\":\"AEAD-AES128-GCM-SHA256\",\"ClientSSLProtocol\":\"TLSv1.3\",\"ClientSrcPort\":61593,\"ClientXRequestedWith\":\"\",\"EdgeColoCode\":\"AMS\",\"EdgeColoID\":20,\"EdgeEndTimestamp\":1625754264684000000,\"EdgePathingOp\":\"ban\",\"EdgePathingSrc\":\"filter_based_firewall\",\"EdgePathingStatus\":\"nr\",\"EdgeRateLimitAction\":\"\",\"EdgeRateLimitID\":0,\"
EdgeRequestHost\":\"183.53.30.34\",\"EdgeResponseBytes\":2066,\"EdgeResponseCompressionRatio\":2.45,\"EdgeResponseContentType\":\"text/html\",\"EdgeResponseStatus\":403,\"EdgeServerIP\":\"\",\"EdgeStartTimestamp\":1625754264676000000,\"FirewallMatchesActions\":[\"block\"],\"FirewallMatchesRuleIDs\":[\"391eb601201e4f2a81038910f2b63f6d\"],\"FirewallMatchesSources\":[\"firewallRules\"],\"OriginIP\":\"89.160.20.156\",\"OriginResponseBytes\":0,\"OriginResponseHTTPExpires\":\"\",\"OriginResponseHTTPLastModified\":\"\",\"OriginResponseStatus\":0,\"OriginResponseTime\":0,\"OriginSSLProtocol\":\"unknown\",\"ParentRayID\":\"00\",\"RayID\":\"66b9f9da396e4c01\",\"SecurityLevel\":\"unk\",\"WAFAction\":\"unknown\",\"WAFFlags\":\"0\",\"WAFMatchedVar\":\"\",\"WAFProfile\":\"unknown\",\"WAFRuleID\":\"\",\"WAFRuleMessage\":\"\",\"WorkerCPUTime\":0,\"WorkerStatus\":\"unknown\",\"WorkerSubrequest\":false,\"WorkerSubrequestCount\":0,\"ZoneID\":393347122}", + "start": "2021-07-08T14:24:24.676Z", + "type": [ + "denied" + ] + }, + "http": { + "request": { + "bytes": 2520, + "method": "GET" + }, + "response": { + "bytes": 2066, + "status_code": 403 + }, + "version": "2" + }, + "network": { + "bytes": 4586, + "protocol": "http", + "transport": "tcp" + }, + "observer": { + "type": "proxy", + "vendor": "cloudflare" + }, + "server": { + "address": "89.160.20.156", + "bytes": 2066, + "ip": "89.160.20.156" + }, + "source": { + "address": "89.160.20.156", + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 2520, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 61593 + }, + "tags": [ + "preserve_original_event" + ], + "tls": { + "cipher": "AEAD-AES128-GCM-SHA256", + "version": "1.3", + "version_protocol": "tls" + }, + 
"url": { + "domain": "eqlplayground.io", + "full": "https://eqlplayground.io/s/eqldemo/security/account", + "original": "/s/eqldemo/security/account", + "path": "/s/eqldemo/security/account", + "scheme": "https" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Chrome", + "original": "Mozilla/5.0(WindowsNT10.0;Win64;x64)AppleWebKit/537.36(KHTML,likeGecko)Chrome/91.0.4472.124Safari/537.36", + "os": { + "full": "Windows $1", + "name": "Windows", + "version": "$1" + }, + "version": "91.0.4472.124" + } + }, + { + "@timestamp": "2021-07-08T14:24:24.000Z", + "client": { + "address": "89.160.20.156", + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 2520, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 61593 + }, + "cloudflare": { + "bot": { + "score": { + "src": "Heuristics", + "value": 1 + } + }, + "cache": { + "status": "unknown", + "tiered_fill": false + }, + "client": { + "ip_class": "noRecord", + "ssl": { + "protocol": "TLSv1.3" + } + }, + "device_type": "desktop", + "edge": { + "colo": { + "code": "AMS", + "id": 20 + }, + "pathing": { + "op": "ban", + "src": "filter_based_firewall", + "status": "nr" + }, + "rate_limit": { + "id": 0 + }, + "request": { + "host": "183.53.30.34" + }, + "response": { + "bytes": 2066, + "compression_ratio": 2.45, + "content_type": "text/html", + "status_code": 403 + } + }, + "firewall": { + "actions": [ + "block" + ], + "rule_ids": [ + "391eb601201e4f2a81038910f2b63f6d" + ], + "sources": [ + "firewallRules" + ] + }, + "origin": { + "response": { + "bytes": 0, + "status_code": 0, + "time": 0 + }, + "ssl": { + "protocol": "unknown" + } + }, + "parent": { + "ray_id": "00" + }, + "ray_id": "66b9f9da396e4c01", + "security_level": "unk", + 
"waf": { + "action": "unknown", + "flags": "0", + "profile": "unknown" + }, + "worker": { + "cpu_time": 0, + "status": "unknown", + "subrequest": false, + "subrequest_count": 0 + }, + "zone": { + "id": 393347122 + } + }, + "destination": { + "address": "89.160.20.156", + "bytes": 2066, + "ip": "89.160.20.156" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": [ + "block" + ], + "category": [ + "network" + ], + "duration": 0, + "end": "2021-07-08T14:24:24.000Z", + "kind": "event", + "original": "{\"BotScore\":1,\"BotScoreSrc\":\"Heuristics\",\"CacheCacheStatus\":\"unknown\",\"CacheResponseBytes\":0,\"CacheResponseStatus\":0,\"CacheTieredFill\":false,\"ClientASN\":1136,\"ClientCountry\":\"nl\",\"ClientDeviceType\":\"desktop\",\"ClientIP\":\"89.160.20.156\",\"ClientIPClass\":\"noRecord\",\"ClientRequestBytes\":2520,\"ClientRequestHost\":\"eqlplayground.io\",\"ClientRequestMethod\":\"GET\",\"ClientRequestPath\":\"/s/eqldemo/security/account\",\"ClientRequestProtocol\":\"HTTP/2\",\"ClientRequestReferer\":\"\",\"ClientRequestURI\":\"/s/eqldemo/security/account\",\"ClientRequestUserAgent\":\"Mozilla/5.0(WindowsNT10.0;Win64;x64)AppleWebKit/537.36(KHTML,likeGecko)Chrome/91.0.4472.124Safari/537.36\",\"ClientSSLCipher\":\"AEAD-AES128-GCM-SHA256\",\"ClientSSLProtocol\":\"TLSv1.3\",\"ClientSrcPort\":61593,\"ClientXRequestedWith\":\"\",\"EdgeColoCode\":\"AMS\",\"EdgeColoID\":20,\"EdgeEndTimestamp\":1625754264,\"EdgePathingOp\":\"ban\",\"EdgePathingSrc\":\"filter_based_firewall\",\"EdgePathingStatus\":\"nr\",\"EdgeRateLimitAction\":\"\",\"EdgeRateLimitID\":0,\"EdgeRequestHost\":\"183.53.30.34\",\"EdgeResponseBytes\":2066,\"EdgeResponseCompressionRatio\":2.45,\"EdgeResponseContentType\":\"text/html\",\"EdgeResponseStatus\":403,\"EdgeServerIP\":\"\",\"EdgeStartTimestamp\":1625754264,\"FirewallMatchesActions\":[\"block\"],\"FirewallMatchesRuleIDs\":[\"391eb601201e4f2a81038910f2b63f6d\"],\"FirewallMatchesSources\":[\"firewallRules\"],\"OriginIP\":\"89.160.20.156\",\"O
riginResponseBytes\":0,\"OriginResponseHTTPExpires\":\"\",\"OriginResponseHTTPLastModified\":\"\",\"OriginResponseStatus\":0,\"OriginResponseTime\":0,\"OriginSSLProtocol\":\"unknown\",\"ParentRayID\":\"00\",\"RayID\":\"66b9f9da396e4c01\",\"SecurityLevel\":\"unk\",\"WAFAction\":\"unknown\",\"WAFFlags\":\"0\",\"WAFMatchedVar\":\"\",\"WAFProfile\":\"unknown\",\"WAFRuleID\":\"\",\"WAFRuleMessage\":\"\",\"WorkerCPUTime\":0,\"WorkerStatus\":\"unknown\",\"WorkerSubrequest\":false,\"WorkerSubrequestCount\":0,\"ZoneID\":393347122}", + "start": "2021-07-08T14:24:24.000Z", + "type": [ + "denied" + ] + }, + "http": { + "request": { + "bytes": 2520, + "method": "GET" + }, + "response": { + "bytes": 2066, + "status_code": 403 + }, + "version": "2" + }, + "network": { + "bytes": 4586, + "protocol": "http", + "transport": "tcp" + }, + "observer": { + "type": "proxy", + "vendor": "cloudflare" + }, + "server": { + "address": "89.160.20.156", + "bytes": 2066, + "ip": "89.160.20.156" + }, + "source": { + "address": "89.160.20.156", + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 2520, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 61593 + }, + "tags": [ + "preserve_original_event" + ], + "tls": { + "cipher": "AEAD-AES128-GCM-SHA256", + "version": "1.3", + "version_protocol": "tls" + }, + "url": { + "domain": "eqlplayground.io", + "full": "https://eqlplayground.io/s/eqldemo/security/account", + "original": "/s/eqldemo/security/account", + "path": "/s/eqldemo/security/account", + "scheme": "https" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Chrome", + "original": "Mozilla/5.0(WindowsNT10.0;Win64;x64)AppleWebKit/537.36(KHTML,likeGecko)Chrome/91.0.4472.124Safari/537.36", + "os": 
{ + "full": "Windows $1", + "name": "Windows", + "version": "$1" + }, + "version": "91.0.4472.124" + } + } + ] +} \ No newline at end of file
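Review bot: For the first record the expected document carries only GeoIP-lookup values for the client — `client.as.number: 29518`, `client.geo.country_iso_code: "SE"` — while the raw event in `event.original` says `ClientASN: 15169` and `ClientCountry: "us"`, and no `cloudflare.*` field in the expected output retains the vendor-supplied ASN or country, so the fixture never pins what happens to the values Cloudflare's edge actually observed. If the pipeline deliberately replaces them with a local GeoIP database lookup, that is a behaviour analysts need to know (the edge's view is what the firewall rule acted on) and this mismatch is the place to document it; if it is not deliberate, the fixture hides a dropped field because the test IP `89.160.20.156` resolves in the bundled test GeoIP database regardless of what the log says. I cannot see the pipeline from this diff, so treat this as a question to confirm rather than a defect. Separately, `user_agent.os.version: "$1"` in records 2–4 is a parser placeholder caused by the space-stripped user-agent strings in the log fixture rather than a real version, and the file is committed without a trailing newline.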