{
  "name": "abnormal_security",
  "title": "Abnormal AI",
  "version": "1.14.0",
  "release": "ga",
  "description": "Collect logs from Abnormal AI with Elastic Agent.",
  "type": "integration",
  "download": "/epr/abnormal_security/abnormal_security-1.14.0.zip",
  "path": "/package/abnormal_security/1.14.0",
  "icons": [
    {
      "src": "/img/abnormal-security-logo.svg",
      "path": "/package/abnormal_security/1.14.0/img/abnormal-security-logo.svg",
      "title": "Abnormal AI Logo",
      "size": "32x32",
      "type": "image/svg+xml"
    },
    {
      "src": "/img/abnormal-security-logo-dark.svg",
      "path": "/package/abnormal_security/1.14.0/img/abnormal-security-logo-dark.svg",
      "title": "Abnormal AI Logo",
      "size": "32x32",
      "type": "image/svg+xml"
    }
  ],
  "conditions": {
    "kibana": {
      "version": "^8.19.2 || ^9.1.2"
    },
    "elastic": {
      "subscription": "basic"
    }
  },
  "owner": {
    "type": "elastic",
    "github": "elastic/security-service-integrations"
  },
  "categories": [
    "security",
    "email_security",
    "threat_intel"
  ],
  "signature_path": "/epr/abnormal_security/abnormal_security-1.14.0.zip.sig",
  "format_version": "3.3.2",
  "readme": "/package/abnormal_security/1.14.0/docs/README.md",
  "license": "basic",
  "screenshots": [
    {
      "src": "/img/abnormal_security-ai_security_mailbox_overview.png",
      "path": "/package/abnormal_security/1.14.0/img/abnormal_security-ai_security_mailbox_overview.png",
      "title": "AI Security Mailbox Overview Dashboard",
      "size": "600x600",
      "type": "image/png"
    },
    {
      "src": "/img/abnormal_security-mailbox_not_analyzed_overview.png",
      "path": "/package/abnormal_security/1.14.0/img/abnormal_security-mailbox_not_analyzed_overview.png",
      "title": "AI Security Mailbox Overview Dashboard",
      "size": "600x600",
      "type": "image/png"
    },
    {
      "src": "/img/abnormal_security-audit_overview.png",
      "path": "/package/abnormal_security/1.14.0/img/abnormal_security-audit_overview.png",
      "title": "Audit Overview Dashboard",
      "size": "600x600",
      "type": "image/png"
    },
    {
      "src": "/img/abnormal_security-case_overview.png",
      "path": "/package/abnormal_security/1.14.0/img/abnormal_security-case_overview.png",
      "title": "Case Overview Dashboard",
      "size": "600x600",
      "type": "image/png"
    },
    {
      "src": "/img/abnormal_security-threat_overview.png",
      "path": "/package/abnormal_security/1.14.0/img/abnormal_security-threat_overview.png",
      "title": "Threat Overview Dashboard",
      "size": "600x600",
      "type": "image/png"
    },
    {
      "src": "/img/abnormal_security-vendor_case_overview.png",
      "path": "/package/abnormal_security/1.14.0/img/abnormal_security-vendor_case_overview.png",
      "title": "Vendor Case Overview Dashboard",
      "size": "600x600",
      "type": "image/png"
    }
  ],
  "assets": [
    "/package/abnormal_security/1.14.0/LICENSE.txt",
    "/package/abnormal_security/1.14.0/changelog.yml",
    "/package/abnormal_security/1.14.0/manifest.yml",
    "/package/abnormal_security/1.14.0/validation.yml",
    "/package/abnormal_security/1.14.0/docs/README.md",
    "/package/abnormal_security/1.14.0/img/abnormal-security-logo-dark.svg",
    "/package/abnormal_security/1.14.0/img/abnormal-security-logo.svg",
    "/package/abnormal_security/1.14.0/img/abnormal_security-ai_security_mailbox_overview.png",
    "/package/abnormal_security/1.14.0/img/abnormal_security-audit_overview.png",
    "/package/abnormal_security/1.14.0/img/abnormal_security-case_overview.png",
    "/package/abnormal_security/1.14.0/img/abnormal_security-mailbox_not_analyzed_overview.png",
    "/package/abnormal_security/1.14.0/img/abnormal_security-threat_overview.png",
    "/package/abnormal_security/1.14.0/img/abnormal_security-vendor_case_overview.png",
    "/package/abnormal_security/1.14.0/kibana/tags.yml",
    "/package/abnormal_security/1.14.0/data_stream/ai_security_mailbox/manifest.yml",
    "/package/abnormal_security/1.14.0/data_stream/ai_security_mailbox/sample_event.json",
    "/package/abnormal_security/1.14.0/data_stream/ai_security_mailbox_not_analyzed/manifest.yml",
    "/package/abnormal_security/1.14.0/data_stream/ai_security_mailbox_not_analyzed/sample_event.json",
    "/package/abnormal_security/1.14.0/data_stream/audit/manifest.yml",
    "/package/abnormal_security/1.14.0/data_stream/audit/sample_event.json",
    "/package/abnormal_security/1.14.0/data_stream/case/manifest.yml",
    "/package/abnormal_security/1.14.0/data_stream/case/sample_event.json",
    "/package/abnormal_security/1.14.0/data_stream/threat/manifest.yml",
    "/package/abnormal_security/1.14.0/data_stream/threat/sample_event.json",
    "/package/abnormal_security/1.14.0/data_stream/vendor_case/manifest.yml",
    "/package/abnormal_security/1.14.0/data_stream/vendor_case/sample_event.json",
    "/package/abnormal_security/1.14.0/kibana/dashboard/abnormal_security-37ed5d19-c753-43a0-b0a2-f8e6437ddfe5.json",
    "/package/abnormal_security/1.14.0/kibana/dashboard/abnormal_security-6a8e53ac-7759-4564-bcd6-03c6a9792eac.json",
    "/package/abnormal_security/1.14.0/kibana/dashboard/abnormal_security-7997c0a4-da55-4090-b24f-586dbd19aff4.json",
    "/package/abnormal_security/1.14.0/kibana/dashboard/abnormal_security-a0e8aab9-b870-4903-a966-7195fd6cee9c.json",
    "/package/abnormal_security/1.14.0/kibana/dashboard/abnormal_security-a4364503-ada3-4fe6-a054-d152accf207c.json",
    "/package/abnormal_security/1.14.0/kibana/dashboard/abnormal_security-f6562262-e429-470d-af45-4c80afdcf664.json",
    "/package/abnormal_security/1.14.0/kibana/search/abnormal_security-5a32aa45-1ea0-4b68-9c06-53425f4e2deb.json",
    "/package/abnormal_security/1.14.0/kibana/search/abnormal_security-a2d86921-d69f-4f99-a9eb-88a7ba0b2923.json",
    "/package/abnormal_security/1.14.0/kibana/search/abnormal_security-b154b107-1350-48fe-b50e-d5427c5169ff.json",
    "/package/abnormal_security/1.14.0/kibana/search/abnormal_security-e34b2986-68c2-4de9-8601-7bdefab429bc.json",
    "/package/abnormal_security/1.14.0/kibana/search/abnormal_security-ecec7bf6-c7a6-4fb4-8054-863c5a1a666e.json",
    "/package/abnormal_security/1.14.0/kibana/search/abnormal_security-f9b16544-6009-42fa-b569-ff029cc5c019.json",
    "/package/abnormal_security/1.14.0/kibana/tag/abnormal_security-1c95de21-1f0d-4245-bdc6-3cf701a1743f.json",
    "/package/abnormal_security/1.14.0/data_stream/ai_security_mailbox/fields/base-fields.yml",
    "/package/abnormal_security/1.14.0/data_stream/ai_security_mailbox/fields/beats.yml",
    "/package/abnormal_security/1.14.0/data_stream/ai_security_mailbox/fields/fields.yml",
    "/package/abnormal_security/1.14.0/data_stream/ai_security_mailbox_not_analyzed/fields/base-fields.yml",
    "/package/abnormal_security/1.14.0/data_stream/ai_security_mailbox_not_analyzed/fields/beats.yml",
    "/package/abnormal_security/1.14.0/data_stream/ai_security_mailbox_not_analyzed/fields/fields.yml",
    "/package/abnormal_security/1.14.0/data_stream/audit/fields/base-fields.yml",
    "/package/abnormal_security/1.14.0/data_stream/audit/fields/beats.yml",
    "/package/abnormal_security/1.14.0/data_stream/audit/fields/fields.yml",
    "/package/abnormal_security/1.14.0/data_stream/case/fields/base-fields.yml",
    "/package/abnormal_security/1.14.0/data_stream/case/fields/beats.yml",
    "/package/abnormal_security/1.14.0/data_stream/case/fields/fields.yml",
    "/package/abnormal_security/1.14.0/data_stream/threat/fields/base-fields.yml",
    "/package/abnormal_security/1.14.0/data_stream/threat/fields/beats.yml",
    "/package/abnormal_security/1.14.0/data_stream/threat/fields/fields.yml",
    "/package/abnormal_security/1.14.0/data_stream/vendor_case/fields/base-fields.yml",
    "/package/abnormal_security/1.14.0/data_stream/vendor_case/fields/beats.yml",
    "/package/abnormal_security/1.14.0/data_stream/vendor_case/fields/fields.yml",
    "/package/abnormal_security/1.14.0/data_stream/ai_security_mailbox/agent/stream/cel.yml.hbs",
    "/package/abnormal_security/1.14.0/data_stream/ai_security_mailbox/elasticsearch/ingest_pipeline/default.yml",
    "/package/abnormal_security/1.14.0/data_stream/ai_security_mailbox_not_analyzed/agent/stream/cel.yml.hbs",
    "/package/abnormal_security/1.14.0/data_stream/ai_security_mailbox_not_analyzed/elasticsearch/ingest_pipeline/default.yml",
    "/package/abnormal_security/1.14.0/data_stream/audit/agent/stream/cel.yml.hbs",
    "/package/abnormal_security/1.14.0/data_stream/audit/elasticsearch/ingest_pipeline/default.yml",
    "/package/abnormal_security/1.14.0/data_stream/case/agent/stream/cel.yml.hbs",
    "/package/abnormal_security/1.14.0/data_stream/case/elasticsearch/ingest_pipeline/default.yml",
    "/package/abnormal_security/1.14.0/data_stream/threat/agent/stream/cel.yml.hbs",
    "/package/abnormal_security/1.14.0/data_stream/threat/elasticsearch/ingest_pipeline/default.yml",
    "/package/abnormal_security/1.14.0/data_stream/vendor_case/agent/stream/cel.yml.hbs",
    "/package/abnormal_security/1.14.0/data_stream/vendor_case/elasticsearch/ingest_pipeline/default.yml"
  ],
  "policy_templates": [
    {
      "name": "abnormal_security",
      "title": "Abnormal AI logs",
      "description": "Collect Abnormal AI logs.",
      "inputs": [
        {
          "type": "cel",
          "vars": [
            {
              "name": "url",
              "type": "url",
              "title": "URL",
              "description": "By default, the URL is set to `https://api.abnormalplatform.com`. The Abnormal AI base URL varies by location, so confirm the base URL for your own account. Requests to this URL carry the access token, so enter only a base URL you have verified.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "https://api.abnormalplatform.com"
            },
            {
              "name": "access_token",
              "type": "password",
              "title": "Access Token",
              "description": "Access Token used to authenticate the requests.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "proxy_url",
              "type": "text",
              "title": "Proxy URL",
              "description": "URL of the proxy to use for connections, in the form http[s]://<user>:<password>@<server name/ip>:<port>. The username and password must be URL-encoded.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "ssl",
              "type": "yaml",
              "title": "SSL Configuration",
              "description": "SSL configuration options. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config) for details.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "#certificate_authorities:\n#  - |\n#    -----BEGIN CERTIFICATE-----\n#    MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF\n#    ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2\n#    MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB\n#    BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n\n#    fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl\n#    94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t\n#    /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP\n#    PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41\n#    CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O\n#    BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux\n#    8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D\n#    874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw\n#    3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA\n#    H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu\n#    8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0\n#    yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk\n#    sxSmbIUfc2SGJGCJD4I=\n#    -----END CERTIFICATE-----\n"
            }
          ],
          "title": "Collect Abnormal AI logs via API",
          "description": "Collecting Abnormal AI logs via API."
        }
      ],
      "multiple": true,
      "deployment_modes": {
        "default": {
          "enabled": true
        },
        "agentless": {
          "enabled": true
        }
      }
    }
  ],
  "data_streams": [
    {
      "type": "logs",
      "dataset": "abnormal_security.ai_security_mailbox",
      "title": "AI Security Mailbox logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "cel",
          "vars": [
            {
              "name": "initial_interval",
              "type": "text",
              "title": "Initial Interval",
              "description": "How far back to pull the AI Security Mailbox logs from Abnormal AI API. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "24h"
            },
            {
              "name": "interval",
              "type": "text",
              "title": "Interval",
              "description": "Duration between requests to the Abnormal AI API. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "5m"
            },
            {
              "name": "page_size",
              "type": "text",
              "title": "Page Size",
              "description": "Page size for the response of the Abnormal AI API.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": 100
            },
            {
              "name": "scanning_timeout",
              "type": "text",
              "title": "Scanning Item Timeout",
              "description": "How long to retry items with a Scanning judgement status before publishing them as-is. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "168h"
            },
            {
              "name": "http_client_timeout",
              "type": "text",
              "title": "HTTP Client Timeout",
              "description": "Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "30s"
            },
            {
              "name": "enable_request_tracer",
              "type": "bool",
              "title": "Enable request tracing",
              "description": "The request tracer logs requests and responses to the agent's local file system for debugging configurations. Enabling request tracing compromises security, because the logged requests and responses can contain sensitive data; use it only for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) for details.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "abnormal_security-ai_security_mailbox"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": false
            },
            {
              "name": "preserve_duplicate_custom_fields",
              "type": "bool",
              "title": "Preserve duplicate custom fields",
              "description": "Preserve abnormal_security.ai_security_mailbox fields that were copied to Elastic Common Schema (ECS) fields.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "cel.yml.hbs",
          "title": "AI Security Mailbox Logs",
          "description": "Collecting AI Security Mailbox logs via API.",
          "enabled": true,
          "ingestion_method": "API"
        }
      ],
      "package": "abnormal_security",
      "path": "ai_security_mailbox"
    },
    {
      "type": "logs",
      "dataset": "abnormal_security.ai_security_mailbox_not_analyzed",
      "title": "AI Security Mailbox Not Analyzed",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "cel",
          "vars": [
            {
              "name": "initial_interval",
              "type": "text",
              "title": "Initial Interval",
              "description": "How far back to pull the AI Security Mailbox Not Analyzed messages from Abnormal AI API. Defaults to 90 days (2160h) before end. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "2160h"
            },
            {
              "name": "wait_interval",
              "type": "text",
              "title": "Recent Message Grace Interval",
              "description": "How long to wait before attempting to collect recent messages. This option allows the Abnormal AI API to complete analysis of messages before the agent attempts to collect them. This should not be greater than the initial interval. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "interval",
              "type": "text",
              "title": "Interval",
              "description": "Duration between requests to the Abnormal AI API. Defaults to 1 hour. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "1h"
            },
            {
              "name": "http_client_timeout",
              "type": "text",
              "title": "HTTP Client Timeout",
              "description": "Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "30s"
            },
            {
              "name": "enable_request_tracer",
              "type": "bool",
              "title": "Enable request tracing",
              "description": "The request tracer logs requests and responses to the agent's local file system for debugging configurations. Enabling request tracing compromises security, because the logged requests and responses can contain sensitive data; use it only for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) for details.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "abnormal_security-ai_security_mailbox_not_analyzed"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": false
            },
            {
              "name": "preserve_duplicate_custom_fields",
              "type": "bool",
              "title": "Preserve duplicate custom fields",
              "description": "Preserve abnormal_security.ai_security_mailbox_not_analyzed fields that were copied to Elastic Common Schema (ECS) fields.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "cel.yml.hbs",
          "title": "AI Security Mailbox Not Analyzed",
          "description": "Collecting messages submitted to AI Security Mailbox that were not analyzed via API.",
          "enabled": true,
          "ingestion_method": "API"
        }
      ],
      "package": "abnormal_security",
      "path": "ai_security_mailbox_not_analyzed"
    },
    {
      "type": "logs",
      "dataset": "abnormal_security.audit",
      "title": "Audit logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "cel",
          "vars": [
            {
              "name": "initial_interval",
              "type": "text",
              "title": "Initial Interval",
              "description": "How far back to pull the Audit logs from Abnormal AI API. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "24h"
            },
            {
              "name": "interval",
              "type": "text",
              "title": "Interval",
              "description": "Duration between requests to the Abnormal AI API. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "5m"
            },
            {
              "name": "page_size",
              "type": "text",
              "title": "Page Size",
              "description": "Page size for the response of the Abnormal AI API.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": 100
            },
            {
              "name": "http_client_timeout",
              "type": "text",
              "title": "HTTP Client Timeout",
              "description": "Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "30s"
            },
            {
              "name": "enable_request_tracer",
              "type": "bool",
              "title": "Enable request tracing",
              "description": "The request tracer logs requests and responses to the agent's local file system for debugging configurations. Enabling request tracing compromises security, because the logged requests and responses can contain sensitive data; use it only for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) for details.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "abnormal_security-audit"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": false
            },
            {
              "name": "preserve_duplicate_custom_fields",
              "type": "bool",
              "title": "Preserve duplicate custom fields",
              "description": "Preserve abnormal_security.audit fields that were copied to Elastic Common Schema (ECS) fields.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "cel.yml.hbs",
          "title": "Audit Logs",
          "description": "Collecting Audit logs via API.",
          "enabled": true,
          "ingestion_method": "API"
        }
      ],
      "package": "abnormal_security",
      "path": "audit"
    },
    {
      "type": "logs",
      "dataset": "abnormal_security.case",
      "title": "Case logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "cel",
          "vars": [
            {
              "name": "initial_interval",
              "type": "text",
              "title": "Initial Interval",
              "description": "How far back to pull the Case logs from Abnormal AI API. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "24h"
            },
            {
              "name": "interval",
              "type": "text",
              "title": "Interval",
              "description": "Duration between requests to the Abnormal AI API. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "5m"
            },
            {
              "name": "page_size",
              "type": "text",
              "title": "Page Size",
              "description": "Page size for the response of the Abnormal AI API.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": 100
            },
            {
              "name": "http_client_timeout",
              "type": "text",
              "title": "HTTP Client Timeout",
              "description": "Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "30s"
            },
            {
              "name": "enable_request_tracer",
              "type": "bool",
              "title": "Enable request tracing",
              "description": "The request tracer logs requests and responses to the agent's local file system for debugging configurations. Enabling request tracing compromises security, because the logged requests and responses can contain sensitive data; use it only for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) for details.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "abnormal_security-case"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": false
            },
            {
              "name": "preserve_duplicate_custom_fields",
              "type": "bool",
              "title": "Preserve duplicate custom fields",
              "description": "Preserve abnormal_security.case fields that were copied to Elastic Common Schema (ECS) fields.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "cel.yml.hbs",
          "title": "Case Logs",
          "description": "Collecting Case logs via API.",
          "enabled": true,
          "ingestion_method": "API"
        }
      ],
      "package": "abnormal_security",
      "path": "case"
    },
    {
      "type": "logs",
      "dataset": "abnormal_security.threat",
      "title": "Threat logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "cel",
          "vars": [
            {
              "name": "initial_interval",
              "type": "text",
              "title": "Initial Interval",
              "description": "How far back to pull the Threat logs from Abnormal AI API. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "24h"
            },
            {
              "name": "interval",
              "type": "text",
              "title": "Interval",
              "description": "Duration between requests to the Abnormal AI API. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "5m"
            },
            {
              "name": "page_size",
              "type": "text",
              "title": "Page Size",
              "description": "Page size for the response of the Abnormal AI API.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": 100
            },
            {
              "name": "http_client_timeout",
              "type": "text",
              "title": "HTTP Client Timeout",
              "description": "Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "30s"
            },
            {
              "name": "enable_enrichment",
              "type": "bool",
              "title": "Enable Attachments and Links enrichment",
              "description": "Get information about attachment and link details of a threat campaign, threat events are enriched with this information when enabled.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": false
            },
            {
              "name": "enable_request_tracer",
              "type": "bool",
              "title": "Enable request tracing",
              "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) for details.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "abnormal_security-threat"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": false
            },
            {
              "name": "preserve_duplicate_custom_fields",
              "type": "bool",
              "title": "Preserve duplicate custom fields",
              "description": "Preserve abnormal_security.threat fields that were copied to Elastic Common Schema (ECS) fields.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "cel.yml.hbs",
          "title": "Threat Logs",
          "description": "Collecting Threat logs via API.",
          "enabled": true,
          "ingestion_method": "API"
        }
      ],
      "package": "abnormal_security",
      "path": "threat"
    },
    {
      "type": "logs",
      "dataset": "abnormal_security.vendor_case",
      "title": "Vendor Case Logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "cel",
          "vars": [
            {
              "name": "initial_interval",
              "type": "text",
              "title": "Initial Interval",
              "description": "How far back to pull the Vendor Case logs from Abnormal AI API. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "24h"
            },
            {
              "name": "interval",
              "type": "text",
              "title": "Interval",
              "description": "Duration between requests to the Abnormal AI API. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "5m"
            },
            {
              "name": "page_size",
              "type": "text",
              "title": "Page Size",
              "description": "Page size for the response of the Abnormal AI API.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": 100
            },
            {
              "name": "http_client_timeout",
              "type": "text",
              "title": "HTTP Client Timeout",
              "description": "Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "30s"
            },
            {
              "name": "enable_request_tracer",
              "type": "bool",
              "title": "Enable request tracing",
              "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) for details.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "abnormal_security-vendor_case"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": false
            },
            {
              "name": "preserve_duplicate_custom_fields",
              "type": "bool",
              "title": "Preserve duplicate custom fields",
              "description": "Preserve abnormal_security.case fields that were copied to Elastic Common Schema (ECS) fields.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "cel.yml.hbs",
          "title": "Vendor Case Logs",
          "description": "Collecting Vendor Case logs via API.",
          "enabled": true,
          "ingestion_method": "API"
        }
      ],
      "package": "abnormal_security",
      "path": "vendor_case"
    }
  ]
}
