{ "name": "darktrace", "title": "Darktrace", "version": "2.1.0", "release": "ga", "description": "Collect logs from Darktrace with Elastic Agent.", "type": "integration", "download": "/epr/darktrace/darktrace-2.1.0.zip", "path": "/package/darktrace/2.1.0", "icons": [ { "src": "/img/darktrace-logo.svg", "path": "/package/darktrace/2.1.0/img/darktrace-logo.svg", "title": "Darktrace Logo", "size": "32x32", "type": "image/svg+xml" } ], "conditions": { "kibana": { "version": "^8.19.2 || ^9.0.5" } }, "owner": { "type": "elastic", "github": "elastic/security-service-integrations" }, "categories": [ "security", "network_security" ], "signature_path": "/epr/darktrace/darktrace-2.1.0.zip.sig", "format_version": "3.3.2", "readme": "/package/darktrace/2.1.0/docs/README.md", "license": "basic", "screenshots": [ { "src": "/img/darktrace-screenshot.png", "path": "/package/darktrace/2.1.0/img/darktrace-screenshot.png", "title": "Darktrace Model Breach Alert Dashboard Screenshot", "size": "600x600", "type": "image/png" } ], "assets": [ "/package/darktrace/2.1.0/LICENSE.txt", "/package/darktrace/2.1.0/changelog.yml", "/package/darktrace/2.1.0/manifest.yml", "/package/darktrace/2.1.0/validation.yml", "/package/darktrace/2.1.0/docs/README.md", "/package/darktrace/2.1.0/img/darktrace-logo.svg", "/package/darktrace/2.1.0/img/darktrace-screenshot.png", "/package/darktrace/2.1.0/kibana/tags.yml", "/package/darktrace/2.1.0/data_stream/ai_analyst_alert/manifest.yml", "/package/darktrace/2.1.0/data_stream/ai_analyst_alert/sample_event.json", "/package/darktrace/2.1.0/data_stream/model_breach_alert/manifest.yml", "/package/darktrace/2.1.0/data_stream/model_breach_alert/sample_event.json", "/package/darktrace/2.1.0/data_stream/system_status_alert/manifest.yml", "/package/darktrace/2.1.0/data_stream/system_status_alert/sample_event.json", "/package/darktrace/2.1.0/kibana/dashboard/darktrace-6bd3c320-13b2-11ed-bdc1-9f13147efcf8.json", "/package/darktrace/2.1.0/kibana/dashboard/darktrace-da768d80-1399-11ed-bdc1-9f13147efcf8.json", "/package/darktrace/2.1.0/kibana/dashboard/darktrace-eb643d20-13a5-11ed-bdc1-9f13147efcf8.json", "/package/darktrace/2.1.0/kibana/search/darktrace-31a3f8a0-13a3-11ed-bdc1-9f13147efcf8.json", "/package/darktrace/2.1.0/kibana/search/darktrace-c0e40350-13aa-11ed-bdc1-9f13147efcf8.json", "/package/darktrace/2.1.0/kibana/search/darktrace-fbf9cfc0-13b3-11ed-bdc1-9f13147efcf8.json", "/package/darktrace/2.1.0/data_stream/ai_analyst_alert/fields/agent.yml", "/package/darktrace/2.1.0/data_stream/ai_analyst_alert/fields/base-fields.yml", "/package/darktrace/2.1.0/data_stream/ai_analyst_alert/fields/fields.yml", "/package/darktrace/2.1.0/data_stream/model_breach_alert/fields/agent.yml", "/package/darktrace/2.1.0/data_stream/model_breach_alert/fields/base-fields.yml", "/package/darktrace/2.1.0/data_stream/model_breach_alert/fields/fields.yml", "/package/darktrace/2.1.0/data_stream/system_status_alert/fields/agent.yml", "/package/darktrace/2.1.0/data_stream/system_status_alert/fields/base-fields.yml", "/package/darktrace/2.1.0/data_stream/system_status_alert/fields/fields.yml", "/package/darktrace/2.1.0/data_stream/ai_analyst_alert/agent/stream/httpjson.yml.hbs", "/package/darktrace/2.1.0/data_stream/ai_analyst_alert/agent/stream/tcp.yml.hbs", "/package/darktrace/2.1.0/data_stream/ai_analyst_alert/agent/stream/udp.yml.hbs", "/package/darktrace/2.1.0/data_stream/ai_analyst_alert/elasticsearch/ingest_pipeline/default.yml", "/package/darktrace/2.1.0/data_stream/model_breach_alert/agent/stream/httpjson.yml.hbs", "/package/darktrace/2.1.0/data_stream/model_breach_alert/agent/stream/tcp.yml.hbs", "/package/darktrace/2.1.0/data_stream/model_breach_alert/agent/stream/udp.yml.hbs", "/package/darktrace/2.1.0/data_stream/model_breach_alert/elasticsearch/ingest_pipeline/default.yml", "/package/darktrace/2.1.0/data_stream/system_status_alert/agent/stream/tcp.yml.hbs", "/package/darktrace/2.1.0/data_stream/system_status_alert/agent/stream/udp.yml.hbs", "/package/darktrace/2.1.0/data_stream/system_status_alert/elasticsearch/ingest_pipeline/default.yml" ], "policy_templates": [ { "name": "darktrace", "title": "Darktrace logs", "description": "Collect logs from Darktrace.", "inputs": [ { "type": "httpjson", "vars": [ { "name": "url", "type": "text", "title": "URL", "description": "Darktrace console URL.", "multi": false, "required": true, "show_user": false }, { "name": "enable_request_tracer", "type": "bool", "title": "Enable request tracing", "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_tracer_filename) for details.", "multi": false, "required": false, "show_user": false }, { "name": "public_token", "type": "password", "title": "Public API Token", "description": "Public API Token.", "multi": false, "required": true, "show_user": false }, { "name": "private_token", "type": "password", "title": "Private API Token", "description": "Private API Token.", "multi": false, "required": true, "show_user": false }, { "name": "proxy_url", "type": "text", "title": "Proxy URL", "description": "URL to proxy connections in the form of http[s]://:@:. Please ensure your username and password are in URL encoded format.", "multi": false, "required": false, "show_user": false }, { "name": "ssl", "type": "yaml", "title": "SSL Configuration", "description": "SSL configuration options. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config) for details.", "multi": false, "required": false, "show_user": false, "default": "#certificate_authorities:\n# - |\n# -----BEGIN CERTIFICATE-----\n# MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF\n# ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2\n# MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB\n# BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n\n# fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl\n# 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t\n# /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP\n# PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41\n# CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O\n# BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux\n# 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D\n# 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw\n# 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA\n# H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu\n# 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0\n# yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk\n# sxSmbIUfc2SGJGCJD4I=\n# -----END CERTIFICATE-----\n" } ], "title": "Collect Darktrace logs via API", "description": "Collecting Darktrace logs via API." }, { "type": "tcp", "vars": [ { "name": "listen_address", "type": "text", "title": "Listen Address", "description": "The bind address to listen for TCP connections. Set to `0.0.0.0` to bind to all available interfaces.", "multi": false, "required": true, "show_user": true, "default": "localhost" }, { "name": "ssl", "type": "yaml", "title": "SSL Configuration", "description": "SSL configuration options. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config) for details.", "multi": false, "required": false, "show_user": false, "default": "#certificate_authorities:\n# - |\n# -----BEGIN CERTIFICATE-----\n# MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF\n# ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2\n# MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB\n# BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n\n# fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl\n# 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t\n# /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP\n# PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41\n# CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O\n# BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux\n# 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D\n# 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw\n# 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA\n# H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu\n# 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0\n# yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk\n# sxSmbIUfc2SGJGCJD4I=\n# -----END CERTIFICATE-----\n" } ], "title": "Collect Darktrace logs via TCP", "description": "Collecting Darktrace logs via TCP." }, { "type": "udp", "vars": [ { "name": "listen_address", "type": "text", "title": "Listen Address", "description": "The bind address to listen for UDP connections. Set to `0.0.0.0` to bind to all available interfaces.", "multi": false, "required": true, "show_user": true, "default": "localhost" } ], "title": "Collect Darktrace logs via UDP", "description": "Collecting Darktrace logs via UDP." } ], "multiple": true, "deployment_modes": { "default": { "enabled": true }, "agentless": { "enabled": true } } } ], "data_streams": [ { "type": "logs", "dataset": "darktrace.ai_analyst_alert", "title": "Collect AI Analyst Alert logs from Darktrace", "release": "ga", "ingest_pipeline": "default", "streams": [ { "input": "httpjson", "vars": [ { "name": "initial_interval", "type": "text", "title": "Initial Interval", "description": "How far back to pull the AI Analyst Alert logs from Darktrace. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": true, "default": "24h" }, { "name": "interval", "type": "text", "title": "Interval", "description": "Duration between requests to the Darktrace API. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": true, "default": "1m" }, { "name": "http_client_timeout", "type": "text", "title": "HTTP Client Timeout", "description": "Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h.", "multi": false, "required": true, "show_user": false, "default": "30s" }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "darktrace-ai_analyst_alert" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "preserve_duplicate_custom_fields", "type": "bool", "title": "Preserve duplicate custom fields", "description": "Preserve darktrace.ai_analyst_alert fields that were copied to Elastic Common Schema (ECS) fields.", "multi": false, "required": true, "show_user": false, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "httpjson.yml.hbs", "title": "AI Analyst Alert logs", "description": "Collect AI Analyst Alert logs via API.", "enabled": true, "ingestion_method": "API" }, { "input": "tcp", "vars": [ { "name": "listen_port", "type": "integer", "title": "Listen Port", "description": "The TCP port number to listen on.", "multi": false, "required": true, "show_user": true, "default": 9571 }, { "name": "tcp_options", "type": "yaml", "title": "Custom TCP Options", "description": "Specify custom configuration options for the TCP input.", "multi": false, "required": false, "show_user": false, "default": "max_message_size: 50KiB\n#max_connections: 1\n#framing: delimiter\n#line_delimiter: \"\\n\"\n" }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "darktrace-ai_analyst_alert" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "preserve_duplicate_custom_fields", "type": "bool", "title": "Preserve duplicate custom fields", "description": "Preserve darktrace.ai_analyst_alert fields that were copied to Elastic Common Schema (ECS) fields.", "multi": false, "required": true, "show_user": false, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "tcp.yml.hbs", "title": "AI Analyst Alert logs", "description": "Collect AI Analyst Alert logs via TCP input.", "enabled": true, "ingestion_method": "Network Protocol" }, { "input": "udp", "vars": [ { "name": "listen_port", "type": "integer", "title": "Listen Port", "description": "The UDP port number to listen on.", "multi": false, "required": true, "show_user": true, "default": 9574 }, { "name": "udp_options", "type": "yaml", "title": "Custom UDP Options", "description": "Specify custom configuration options for the UDP input.", "multi": false, "required": false, "show_user": false, "default": "max_message_size: 50KiB\n#timeout: 300s\n" }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "darktrace-ai_analyst_alert" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "preserve_duplicate_custom_fields", "type": "bool", "title": "Preserve duplicate custom fields", "description": "Preserve darktrace.ai_analyst_alert fields that were copied to Elastic Common Schema (ECS) fields.", "multi": false, "required": true, "show_user": false, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "udp.yml.hbs", "title": "AI Analyst Alert logs", "description": "Collect AI Analyst Alert logs via UDP input.", "enabled": true, "ingestion_method": "Network Protocol" } ], "package": "darktrace", "path": "ai_analyst_alert" }, { "type": "logs", "dataset": "darktrace.model_breach_alert", "title": "Collect Model Breach Alert logs from Darktrace", "release": "ga", "ingest_pipeline": "default", "streams": [ { "input": "httpjson", "vars": [ { "name": "initial_interval", "type": "text", "title": "Initial Interval", "description": "How far back to pull the Model Breach Alert logs from Darktrace. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": true, "default": "24h" }, { "name": "interval", "type": "text", "title": "Interval", "description": "Duration between requests to the Darktrace API. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": true, "default": "1m" }, { "name": "http_client_timeout", "type": "text", "title": "HTTP Client Timeout", "description": "Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h.", "multi": false, "required": true, "show_user": false, "default": "30s" }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "darktrace-model_breach_alert" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "preserve_duplicate_custom_fields", "type": "bool", "title": "Preserve duplicate custom fields", "description": "Preserve darktrace.model_breach_alert fields that were copied to Elastic Common Schema (ECS) fields.", "multi": false, "required": true, "show_user": false, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "httpjson.yml.hbs", "title": "Model Breach Alert logs", "description": "Collect Model Breach Alert logs via API.", "enabled": true, "ingestion_method": "API" }, { "input": "tcp", "vars": [ { "name": "listen_port", "type": "integer", "title": "Listen Port", "description": "The TCP port number to listen on.", "multi": false, "required": true, "show_user": true, "default": 9572 }, { "name": "tcp_options", "type": "yaml", "title": "Custom TCP Options", "description": "Specify custom configuration options for the TCP input.", "multi": false, "required": false, "show_user": false, "default": "max_message_size: 50KiB\n#max_connections: 1\n#framing: delimiter\n#line_delimiter: \"\\n\"\n" }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "darktrace-model_breach_alert" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "preserve_duplicate_custom_fields", "type": "bool", "title": "Preserve duplicate custom fields", "description": "Preserve darktrace.model_breach_alert fields that were copied to Elastic Common Schema (ECS) fields.", "multi": false, "required": true, "show_user": false, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "tcp.yml.hbs", "title": "Model Breach Alert logs", "description": "Collect Model Breach Alert logs via TCP input.", "enabled": true, "ingestion_method": "Network Protocol" }, { "input": "udp", "vars": [ { "name": "listen_port", "type": "integer", "title": "Listen Port", "description": "The UDP port number to listen on.", "multi": false, "required": true, "show_user": true, "default": 9575 }, { "name": "udp_options", "type": "yaml", "title": "Custom UDP Options", "description": "Specify custom configuration options for the UDP input.", "multi": false, "required": false, "show_user": false, "default": "max_message_size: 50KiB\n#timeout: 300s\n" }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "darktrace-model_breach_alert" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "preserve_duplicate_custom_fields", "type": "bool", "title": "Preserve duplicate custom fields", "description": "Preserve darktrace.model_breach_alert fields that were copied to Elastic Common Schema (ECS) fields.", "multi": false, "required": true, "show_user": false, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "udp.yml.hbs", "title": "Model Breach Alert logs", "description": "Collect Model Breach Alert logs via UDP input.", "enabled": true, "ingestion_method": "Network Protocol" } ], "package": "darktrace", "path": "model_breach_alert" }, { "type": "logs", "dataset": "darktrace.system_status_alert", "title": "Collect System Status Alert logs from Darktrace", "release": "ga", "ingest_pipeline": "default", "streams": [ { "input": "tcp", "vars": [ { "name": "listen_port", "type": "integer", "title": "Listen Port", "description": "The TCP port number to listen on.", "multi": false, "required": true, "show_user": true, "default": 9573 }, { "name": "tcp_options", "type": "yaml", "title": "Custom TCP Options", "description": "Specify custom configuration options for the TCP input.", "multi": false, "required": false, "show_user": false, "default": "max_message_size: 50KiB\n#max_connections: 1\n#framing: delimiter\n#line_delimiter: \"\\n\"\n" }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "darktrace-system_status_alert" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "preserve_duplicate_custom_fields", "type": "bool", "title": "Preserve duplicate custom fields", "description": "Preserve darktrace.system_status_alert fields that were copied to Elastic Common Schema (ECS) fields.", "multi": false, "required": true, "show_user": false, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "tcp.yml.hbs", "title": "System Status Alert logs", "description": "Collect System Status Alert logs via TCP input.", "enabled": true, "ingestion_method": "Network Protocol" }, { "input": "udp", "vars": [ { "name": "listen_port", "type": "integer", "title": "Listen Port", "description": "The UDP port number to listen on.", "multi": false, "required": true, "show_user": true, "default": 9576 }, { "name": "udp_options", "type": "yaml", "title": "Custom UDP Options", "description": "Specify custom configuration options for the UDP input.", "multi": false, "required": false, "show_user": false, "default": "max_message_size: 50KiB\n#timeout: 300s\n" }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "darktrace-system_status_alert" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "preserve_duplicate_custom_fields", "type": "bool", "title": "Preserve duplicate custom fields", "description": "Preserve darktrace.system_status_alert fields that were copied to Elastic Common Schema (ECS) fields.", "multi": false, "required": true, "show_user": false, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "udp.yml.hbs", "title": "System Status Alert logs", "description": "Collect System Status Alert logs via UDP input.", "enabled": true, "ingestion_method": "Network Protocol" } ], "package": "darktrace", "path": "system_status_alert" } ] }