{
  "name": "sublime_security",
  "title": "Sublime Security",
  "version": "1.11.3",
  "release": "ga",
  "description": "Collect logs from Sublime Security with Elastic Agent.",
  "type": "integration",
  "download": "/epr/sublime_security/sublime_security-1.11.3.zip",
  "path": "/package/sublime_security/1.11.3",
  "icons": [
    {
      "src": "/img/sublime_security.svg",
      "path": "/package/sublime_security/1.11.3/img/sublime_security.svg",
      "title": "Sublime Security logo",
      "size": "32x32",
      "type": "image/svg+xml"
    },
    {
      "src": "/img/sublime_security-dark.svg",
      "path": "/package/sublime_security/1.11.3/img/sublime_security-dark.svg",
      "title": "Sublime Security dark logo",
      "size": "32x32",
      "type": "image/svg+xml"
    }
  ],
  "conditions": {
    "kibana": {
      "version": "^8.18.0 || ^9.0.0"
    },
    "elastic": {
      "subscription": "basic"
    }
  },
  "owner": {
    "type": "elastic",
    "github": "elastic/security-service-integrations"
  },
  "categories": [
    "security",
    "email_security"
  ],
  "signature_path": "/epr/sublime_security/sublime_security-1.11.3.zip.sig",
  "format_version": "3.3.2",
  "readme": "/package/sublime_security/1.11.3/docs/README.md",
  "license": "basic",
  "screenshots": [
    {
      "src": "/img/sublime_security-audit.png",
      "path": "/package/sublime_security/1.11.3/img/sublime_security-audit.png",
      "title": "sublime security audit dashboard",
      "size": "600x600",
      "type": "image/png"
    },
    {
      "src": "/img/sublime_security-email_message.png",
      "path": "/package/sublime_security/1.11.3/img/sublime_security-email_message.png",
      "title": "sublime security email message dashboard",
      "size": "600x600",
      "type": "image/png"
    },
    {
      "src": "/img/sublime_security-message_event.png",
      "path": "/package/sublime_security/1.11.3/img/sublime_security-message_event.png",
      "title": "sublime security message event dashboard",
      "size": "600x600",
      "type": "image/png"
    }
  ],
  "assets": [
    "/package/sublime_security/1.11.3/LICENSE.txt",
    "/package/sublime_security/1.11.3/changelog.yml",
    "/package/sublime_security/1.11.3/manifest.yml",
    "/package/sublime_security/1.11.3/validation.yml",
    "/package/sublime_security/1.11.3/docs/README.md",
    "/package/sublime_security/1.11.3/img/sublime_security-audit.png",
    "/package/sublime_security/1.11.3/img/sublime_security-dark.svg",
    "/package/sublime_security/1.11.3/img/sublime_security-email_message.png",
    "/package/sublime_security/1.11.3/img/sublime_security-message_event.png",
    "/package/sublime_security/1.11.3/img/sublime_security.svg",
    "/package/sublime_security/1.11.3/kibana/tags.yml",
    "/package/sublime_security/1.11.3/data_stream/audit/manifest.yml",
    "/package/sublime_security/1.11.3/data_stream/audit/sample_event.json",
    "/package/sublime_security/1.11.3/data_stream/email_message/manifest.yml",
    "/package/sublime_security/1.11.3/data_stream/email_message/sample_event.json",
    "/package/sublime_security/1.11.3/data_stream/message_event/manifest.yml",
    "/package/sublime_security/1.11.3/data_stream/message_event/sample_event.json",
    "/package/sublime_security/1.11.3/kibana/dashboard/sublime_security-779aade2-fbb2-425d-8647-79c2bdf2d6e0.json",
    "/package/sublime_security/1.11.3/kibana/dashboard/sublime_security-7b4299fc-2465-46c6-bc55-dba692bb2745.json",
    "/package/sublime_security/1.11.3/kibana/dashboard/sublime_security-f4f4e3ca-1993-4a55-9d87-a7029ee0f869.json",
    "/package/sublime_security/1.11.3/kibana/search/sublime_security-c1e2d194-7f19-46fe-bcdf-d6886edf9d3d.json",
    "/package/sublime_security/1.11.3/kibana/search/sublime_security-ce2a4b74-76ca-4cdd-b3da-73530ee043c4.json",
    "/package/sublime_security/1.11.3/kibana/search/sublime_security-eb590f03-79df-4189-aa74-3b5bfe20e8ca.json",
    "/package/sublime_security/1.11.3/data_stream/audit/fields/base-fields.yml",
    "/package/sublime_security/1.11.3/data_stream/audit/fields/beats.yml",
    "/package/sublime_security/1.11.3/data_stream/audit/fields/fields.yml",
    "/package/sublime_security/1.11.3/data_stream/email_message/fields/base-fields.yml",
    "/package/sublime_security/1.11.3/data_stream/email_message/fields/beats.yml",
    "/package/sublime_security/1.11.3/data_stream/email_message/fields/fields.yml",
    "/package/sublime_security/1.11.3/data_stream/message_event/fields/base-fields.yml",
    "/package/sublime_security/1.11.3/data_stream/message_event/fields/beats.yml",
    "/package/sublime_security/1.11.3/data_stream/message_event/fields/fields.yml",
    "/package/sublime_security/1.11.3/data_stream/audit/agent/stream/aws-s3.yml.hbs",
    "/package/sublime_security/1.11.3/data_stream/audit/agent/stream/cel.yml.hbs",
    "/package/sublime_security/1.11.3/data_stream/audit/elasticsearch/ingest_pipeline/default.yml",
    "/package/sublime_security/1.11.3/data_stream/email_message/agent/stream/aws-s3.yml.hbs",
    "/package/sublime_security/1.11.3/data_stream/email_message/elasticsearch/ingest_pipeline/default.yml",
    "/package/sublime_security/1.11.3/data_stream/message_event/agent/stream/aws-s3.yml.hbs",
    "/package/sublime_security/1.11.3/data_stream/message_event/agent/stream/cel.yml.hbs",
    "/package/sublime_security/1.11.3/data_stream/message_event/elasticsearch/ingest_pipeline/default.yml"
  ],
  "policy_templates": [
    {
      "name": "sublime_security",
      "title": "Sublime Security logs",
      "description": "Collect Sublime Security logs.",
      "inputs": [
        {
          "type": "cel",
          "vars": [
            {
              "name": "url",
              "type": "url",
              "title": "URL",
              "description": "Base URL of the Sublime Security API. Depending on type of deployment, URL may differ.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "https://api.platform.sublimesecurity.com"
            },
            {
              "name": "api_key",
              "type": "password",
              "title": "API Key",
              "description": "API Key of the Sublime Security API.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "proxy_url",
              "type": "text",
              "title": "Proxy URL",
              "description": "URL to proxy connections in the form of http[s]://<user>:<password>@<server name/ip>:<port>. Please ensure your username and password are in URL encoded format.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "ssl",
              "type": "yaml",
              "title": "SSL Configuration",
              "description": "SSL configuration options. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config) for details.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "#certificate_authorities:\n#  - |\n#    -----BEGIN CERTIFICATE-----\n#    MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF\n#    ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2\n#    MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB\n#    BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n\n#    fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl\n#    94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t\n#    /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP\n#    PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41\n#    CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O\n#    BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux\n#    8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D\n#    874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw\n#    3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA\n#    H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu\n#    8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0\n#    yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk\n#    sxSmbIUfc2SGJGCJD4I=\n#    -----END CERTIFICATE-----\n"
            }
          ],
          "title": "Collect Sublime Security logs via API",
          "description": "Collecting Sublime Security logs via API."
        },
        {
          "type": "aws-s3",
          "vars": [
            {
              "name": "collect_s3_logs",
              "type": "bool",
              "title": "Collect logs via S3 Bucket",
              "description": "To collect logs via S3 bucket enable the toggle switch. By default, it will collect logs via SQS Queue.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "access_key_id",
              "type": "password",
              "title": "Access Key ID",
              "description": "First part of access key. This parameter along with the secret_access_key parameter is required if we are not providing shared_credential_file.",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "secret_access_key",
              "type": "password",
              "title": "Secret Access Key",
              "description": "Second part of access key. This parameter along with the access_key_id parameter is required if we are not providing shared_credential_file.",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "region",
              "type": "text",
              "title": "[SQS] Region",
              "description": "The name of the AWS region of the endpoint. If this option is given, it takes precedence over the region name obtained from the queue_url value.",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "session_token",
              "type": "password",
              "title": "Session Token",
              "description": "Required when using temporary security credentials.",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "shared_credential_file",
              "type": "text",
              "title": "Shared Credential File",
              "description": "Directory of the shared credentials file. This parameter is required if we are not providing value for the parameters - secret_access_key and access_key_id.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "credential_profile_name",
              "type": "text",
              "title": "Credential Profile Name",
              "description": "Profile name in shared credentials file.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "role_arn",
              "type": "text",
              "title": "Role ARN",
              "description": "AWS IAM Role to assume.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "default_region",
              "type": "text",
              "title": "Default AWS Region",
              "description": "Default region to query if no other region is set. Most AWS services offer a regional endpoint that can be used to make requests. Some services, such as IAM, do not support regions. If a region is not provided by any other way (environment variable, credential or instance profile), the value set here will be used.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": ""
            },
            {
              "name": "endpoint",
              "type": "text",
              "title": "Endpoint",
              "description": "URL of the entry point for an AWS web service.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "fips_enabled",
              "type": "bool",
              "title": "FIPS Enabled",
              "description": "Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "proxy_url",
              "type": "text",
              "title": "Proxy URL",
              "description": "URL to proxy connections in the form of http[s]://<user>:<password>@<server name/ip>:<port>. Please ensure your username and password are in URL encoded format.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "ssl",
              "type": "yaml",
              "title": "SSL Configuration",
              "description": "SSL configuration options. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config) for details.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "#certificate_authorities:\n#  - |\n#    -----BEGIN CERTIFICATE-----\n#    MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF\n#    ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2\n#    MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB\n#    BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n\n#    fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl\n#    94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t\n#    /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP\n#    PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41\n#    CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O\n#    BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux\n#    8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D\n#    874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw\n#    3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA\n#    H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu\n#    8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0\n#    yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk\n#    sxSmbIUfc2SGJGCJD4I=\n#    -----END CERTIFICATE-----\n"
            }
          ],
          "title": "Collect Sublime Security logs via AWS S3 or AWS SQS",
          "description": "Collecting logs from Sublime Security via AWS S3 or AWS SQS."
        }
      ],
      "multiple": true,
      "deployment_modes": {
        "default": {
          "enabled": true
        },
        "agentless": {
          "enabled": true
        }
      }
    }
  ],
  "data_streams": [
    {
      "type": "logs",
      "dataset": "sublime_security.audit",
      "title": "Sublime Security Audit logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "cel",
          "vars": [
            {
              "name": "interval",
              "type": "text",
              "title": "Interval",
              "description": "Duration between requests to the Sublime Security API. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "1h"
            },
            {
              "name": "page_size",
              "type": "integer",
              "title": "Page Size",
              "description": "Page size for the response of the Sublime Security API. Note: The maximum limit is 500.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": 500
            },
            {
              "name": "http_client_timeout",
              "type": "text",
              "title": "HTTP Client Timeout",
              "description": "Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "30s"
            },
            {
              "name": "enable_request_tracer",
              "type": "bool",
              "title": "Enable request tracing",
              "description": "The request tracer logs requests and responses to the agent's local file system to help debug configurations. Enabling request tracing compromises security, because full requests and responses are written to disk, and should only be used for debugging. Disabling the request tracer will delete any stored traces. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) for details.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "sublime_security-audit"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": false
            },
            {
              "name": "preserve_duplicate_custom_fields",
              "type": "bool",
              "title": "Preserve duplicate custom fields",
              "description": "Preserve sublime_security.audit fields that were copied to Elastic Common Schema (ECS) fields.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "cel.yml.hbs",
          "title": "Sublime Security Audit logs",
          "description": "Collecting Sublime Security Audit logs via API.",
          "enabled": false,
          "ingestion_method": "API"
        },
        {
          "input": "aws-s3",
          "vars": [
            {
              "name": "bucket_arn",
              "type": "text",
              "title": "[S3] Bucket ARN",
              "description": "ARN of the AWS S3 bucket that will be polled for list operation. It is a required parameter for collecting logs via the AWS S3 Bucket unless you set an Access Point ARN. In case both configurations are added, this one takes precedence.",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "access_point_arn",
              "type": "text",
              "title": "[S3] Access Point ARN",
              "description": "ARN of the AWS S3 Access Point that will be polled for list operation. Mandatory if the \"Collect logs via S3 Bucket\" switch is on. It is a required parameter for collecting logs via the AWS S3 Bucket unless you set a Bucket ARN.",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "bucket_list_prefix",
              "type": "text",
              "title": "[S3] Bucket Prefix",
              "description": "Prefix to apply for the list request to the S3 bucket.",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "interval",
              "type": "text",
              "title": "[S3] Interval",
              "description": "Listing of the S3 bucket will be polled according to the time interval defined by bucket_list_interval config. Default value is 120 secs. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": "120s"
            },
            {
              "name": "number_of_workers",
              "type": "integer",
              "title": "[S3] Number of Workers",
              "description": "Number of workers that will process the S3 objects listed.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": 5
            },
            {
              "name": "queue_url",
              "type": "text",
              "title": "[SQS] Queue URL",
              "description": "URL of the AWS SQS queue that messages will be received from. It is a required parameter for collecting logs via the AWS SQS.",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "visibility_timeout",
              "type": "text",
              "title": "[SQS] Visibility Timeout",
              "description": "The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": "300s"
            },
            {
              "name": "api_timeout",
              "type": "text",
              "title": "[SQS] API Timeout",
              "description": "The maximum duration an AWS API call can take. The maximum is half of the visibility timeout value. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": "120s"
            },
            {
              "name": "max_number_of_messages",
              "type": "integer",
              "title": "[SQS] Maximum Concurrent SQS Messages",
              "description": "Deprecated in agent version 8.16.0; this parameter is ignored if present. Use number_of_workers instead. The maximum number of SQS messages that can be inflight at any time.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": 5
            },
            {
              "name": "file_selectors",
              "type": "yaml",
              "title": "[SQS] File Selectors",
              "description": "If the SQS queue will have events that correspond to files that this integration shouldn’t process, file_selectors can be used to limit the files that are downloaded. This is a list of selectors which are made up of regex and expand_event_list_from_field options. The regex should match the S3 object key in the SQS message, and the optional expand_event_list_from_field is the same as the global setting. If file_selectors is given, then any global content_type and expand_event_list_from_field values are ignored in favor of the ones specified in the file_selectors. Regexes use [RE2 syntax](https://pkg.go.dev/regexp/syntax). Files that do not match one of the regexes will not be processed.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "external_id",
              "type": "text",
              "title": "External ID",
              "description": "External ID to use when assuming a role in another account.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "sublime_security-audit"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": false
            },
            {
              "name": "preserve_duplicate_custom_fields",
              "type": "bool",
              "title": "Preserve duplicate custom fields",
              "description": "Preserve sublime_security.audit fields that were mapped to Elastic Common Schema (ECS) fields.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "aws-s3.yml.hbs",
          "title": "Sublime Security Audit logs via AWS S3 or SQS",
          "description": "Collecting Sublime Security Audit logs via AWS S3 or SQS input.",
          "enabled": false,
          "ingestion_method": "AWS S3"
        }
      ],
      "package": "sublime_security",
      "path": "audit"
    },
    {
      "type": "logs",
      "dataset": "sublime_security.email_message",
      "title": "Sublime Security Email Message logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "aws-s3",
          "vars": [
            {
              "name": "bucket_arn",
              "type": "text",
              "title": "[S3] Bucket ARN",
              "description": "ARN of the AWS S3 bucket that will be polled for list operation. It is a required parameter for collecting logs via the AWS S3 Bucket unless you set an Access Point ARN. In case both configurations are added, this one takes precedence.",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "access_point_arn",
              "type": "text",
              "title": "[S3] Access Point ARN",
              "description": "ARN of the AWS S3 Access Point that will be polled for list operation. Mandatory if the \"Collect logs via S3 Bucket\" switch is on. It is a required parameter for collecting logs via the AWS S3 Bucket unless you set a Bucket ARN.",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "bucket_list_prefix",
              "type": "text",
              "title": "[S3] Bucket Prefix",
              "description": "Prefix to apply for the list request to the S3 bucket.",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "interval",
              "type": "text",
              "title": "[S3] Interval",
              "description": "Listing of the S3 bucket will be polled according to the time interval defined by bucket_list_interval config. Default value is 120 secs. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": "120s"
            },
            {
              "name": "number_of_workers",
              "type": "integer",
              "title": "[S3] Number of Workers",
              "description": "Number of workers that will process the S3 objects listed.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": 5
            },
            {
              "name": "start_timestamp",
              "type": "text",
              "title": "[S3] Start Timestamp",
              "description": "If set, only read S3 objects with last modified timestamp newer than the given timestamp. Accepts a timestamp in `YYYY-MM-DDTHH:MM:SSZ` format. For example, \"2020-10-10T10:30:00Z\" (UTC) or \"2020-10-10T10:30:00Z+02:30\" (with zone offset).",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "ignore_older",
              "type": "text",
              "title": "[S3] Ignore Older Timespan",
              "description": "If set, ignore S3 objects whose Last-Modified time is before the ignore older timespan. Timespan is checked from the current time to S3 object's Last-Modified time. Accepts a duration like `48h`, `2h30m`.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "queue_url",
              "type": "text",
              "title": "[SQS] Queue URL",
              "description": "URL of the AWS SQS queue that messages will be received from. It is a required parameter for collecting logs via the AWS SQS.",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "visibility_timeout",
              "type": "text",
              "title": "[SQS] Visibility Timeout",
              "description": "The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": "300s"
            },
            {
              "name": "api_timeout",
              "type": "text",
              "title": "[SQS] API Timeout",
              "description": "The maximum duration an AWS API call can take. The maximum is half of the visibility timeout value. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": "120s"
            },
            {
              "name": "max_number_of_messages",
              "type": "integer",
              "title": "[SQS] Maximum Concurrent SQS Messages",
              "description": "Deprecated in agent version 8.16.0; this parameter is ignored if present. Use number_of_workers instead. The maximum number of SQS messages that can be inflight at any time.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": 5
            },
            {
              "name": "file_selectors",
              "type": "yaml",
              "title": "[SQS] File Selectors",
              "description": "If the SQS queue will have events that correspond to files that this integration shouldn’t process, file_selectors can be used to limit the files that are downloaded. This is a list of selectors which are made up of regex and expand_event_list_from_field options. The regex should match the S3 object key in the SQS message, and the optional expand_event_list_from_field is the same as the global setting. If file_selectors is given, then any global content_type and expand_event_list_from_field values are ignored in favor of the ones specified in the file_selectors. Regexes use [RE2 syntax](https://pkg.go.dev/regexp/syntax). Files that do not match one of the regexes will not be processed.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "external_id",
              "type": "text",
              "title": "External ID",
              "description": "External ID to use when assuming a role in another account.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "sublime_security-email_message"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": false
            },
            {
              "name": "preserve_duplicate_custom_fields",
              "type": "bool",
              "title": "Preserve duplicate custom fields",
              "description": "Preserve sublime_security.email_message fields that were mapped to Elastic Common Schema (ECS) fields.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "aws-s3.yml.hbs",
          "title": "Sublime Security Email Message logs via AWS S3 or SQS",
          "description": "Collecting Sublime Security Email Message logs via AWS S3 or SQS input.",
          "enabled": false,
          "ingestion_method": "AWS S3"
        }
      ],
      "package": "sublime_security",
      "path": "email_message"
    },
    {
      "type": "logs",
      "dataset": "sublime_security.message_event",
      "title": "Sublime Security Message Event logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "cel",
          "vars": [
            {
              "name": "initial_interval",
              "type": "text",
              "title": "Initial Interval",
              "description": "How far back to pull the Message Event logs from Sublime Security API. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "24h"
            },
            {
              "name": "interval",
              "type": "text",
              "title": "Interval",
              "description": "Duration between requests to the Sublime Security API. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "1h"
            },
            {
              "name": "page_size",
              "type": "integer",
              "title": "Page Size",
              "description": "Page size for the response of the Sublime Security API.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": 500
            },
            {
              "name": "http_client_timeout",
              "type": "text",
              "title": "HTTP Client Timeout",
              "description": "Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "30s"
            },
            {
              "name": "enable_request_tracer",
              "type": "bool",
              "title": "Enable request tracing",
              "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Because traced requests and responses are written to disk, where they may expose sensitive data, enabling request tracing compromises security and should only be used for debugging. Disabling the request tracer will delete any stored traces. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) for details.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "sublime_security-message_event"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": false
            },
            {
              "name": "preserve_duplicate_custom_fields",
              "type": "bool",
              "title": "Preserve duplicate custom fields",
              "description": "Preserve sublime_security.message_event fields that were copied to Elastic Common Schema (ECS) fields.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "cel.yml.hbs",
          "title": "Sublime Security Message Event logs",
          "description": "Collecting Sublime Security Message Event logs via API.",
          "enabled": false,
          "ingestion_method": "API"
        },
        {
          "input": "aws-s3",
          "vars": [
            {
              "name": "bucket_arn",
              "type": "text",
              "title": "[S3] Bucket ARN",
              "description": "ARN of the AWS S3 bucket that will be polled for list operation. It is a required parameter for collecting logs via the AWS S3 Bucket unless you set an Access Point ARN. In case both configurations are added, this one takes precedence.",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "access_point_arn",
              "type": "text",
              "title": "[S3] Access Point ARN",
              "description": "ARN of the AWS S3 Access Point that will be polled for list operation. Mandatory if the \"Collect logs via S3 Bucket\" switch is on. It is a required parameter for collecting logs via the AWS S3 Bucket unless you set a Bucket ARN.",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "bucket_list_prefix",
              "type": "text",
              "title": "[S3] Bucket Prefix",
              "description": "Prefix to apply for the list request to the S3 bucket.",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "interval",
              "type": "text",
              "title": "[S3] Interval",
              "description": "Listing of the S3 bucket will be polled according to the time interval defined by bucket_list_interval config. Default value is 120 secs. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": "120s"
            },
            {
              "name": "number_of_workers",
              "type": "integer",
              "title": "[S3] Number of Workers",
              "description": "Number of workers that will process the S3 objects listed.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": 5
            },
            {
              "name": "start_timestamp",
              "type": "text",
              "title": "[S3] Start Timestamp",
              "description": "If set, only read S3 objects with last modified timestamp newer than the given timestamp. Accepts a timestamp in `YYYY-MM-DDTHH:MM:SSZ` format. For example, \"2020-10-10T10:30:00Z\" (UTC) or \"2020-10-10T10:30:00Z+02:30\" (with zone offset).",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "ignore_older",
              "type": "text",
              "title": "[S3] Ignore Older Timespan",
              "description": "If set, ignore S3 objects whose Last-Modified time is before the ignore older timespan. Timespan is checked from the current time to S3 object's Last-Modified time. Accepts a duration like `48h`, `2h30m`.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "queue_url",
              "type": "text",
              "title": "[SQS] Queue URL",
              "description": "URL of the AWS SQS queue that messages will be received from. It is a required parameter for collecting logs via the AWS SQS.",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "visibility_timeout",
              "type": "text",
              "title": "[SQS] Visibility Timeout",
              "description": "The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": "300s"
            },
            {
              "name": "api_timeout",
              "type": "text",
              "title": "[SQS] API Timeout",
              "description": "The maximum duration an AWS API call can take. The maximum is half of the visibility timeout value. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": "120s"
            },
            {
              "name": "max_number_of_messages",
              "type": "integer",
              "title": "[SQS] Maximum Concurrent SQS Messages",
              "description": "Deprecated in agent version 8.16.0; this parameter is ignored if present. Use number_of_workers instead. The maximum number of SQS messages that can be inflight at any time.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": 5
            },
            {
              "name": "file_selectors",
              "type": "yaml",
              "title": "[SQS] File Selectors",
              "description": "If the SQS queue will have events that correspond to files that this integration shouldn’t process, file_selectors can be used to limit the files that are downloaded. This is a list of selectors which are made up of regex and expand_event_list_from_field options. The regex should match the S3 object key in the SQS message, and the optional expand_event_list_from_field is the same as the global setting. If file_selectors is given, then any global content_type and expand_event_list_from_field values are ignored in favor of the ones specified in the file_selectors. Regexes use [RE2 syntax](https://pkg.go.dev/regexp/syntax). Files that do not match one of the regexes will not be processed.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "external_id",
              "type": "text",
              "title": "External ID",
              "description": "External ID to use when assuming a role in another account.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "sublime_security-message_event"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": false
            },
            {
              "name": "preserve_duplicate_custom_fields",
              "type": "bool",
              "title": "Preserve duplicate custom fields",
              "description": "Preserve sublime_security.message_event fields that were mapped to Elastic Common Schema (ECS) fields.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "aws-s3.yml.hbs",
          "title": "Sublime Security Message Event logs via AWS S3 or SQS",
          "description": "Collecting Sublime Security Message Event logs via AWS S3 or SQS input.",
          "enabled": false,
          "ingestion_method": "AWS S3"
        }
      ],
      "package": "sublime_security",
      "path": "message_event"
    }
  ]
}
