{ "name": "ti_google_threat_intelligence", "title": "Google Threat Intelligence", "version": "0.12.0", "release": "beta", "description": "Collect Threat Intelligence Events from Google Threat Intelligence using Elastic Agent, and perform enrichment on Elasticsearch by correlating Indicators of Compromise (IOCs).", "type": "integration", "download": "/epr/ti_google_threat_intelligence/ti_google_threat_intelligence-0.12.0.zip", "path": "/package/ti_google_threat_intelligence/0.12.0", "icons": [ { "src": "/img/ti_google_threat_intelligence-logo.png", "path": "/package/ti_google_threat_intelligence/0.12.0/img/ti_google_threat_intelligence-logo.png", "title": "Google Threat Intelligence Logo", "size": "32x32", "type": "image/svg+xml" } ], "conditions": { "kibana": { "version": "^8.16.0 || ^9.0.0" }, "elastic": { "subscription": "basic", "capabilities": [ "security" ] } }, "owner": { "type": "partner", "github": "elastic/security-service-integrations" }, "categories": [ "security", "threat_intel" ], "signature_path": "/epr/ti_google_threat_intelligence/ti_google_threat_intelligence-0.12.0.zip.sig", "format_version": "3.3.2", "readme": "/package/ti_google_threat_intelligence/0.12.0/docs/README.md", "license": "basic", "screenshots": [ { "src": "/img/ioc_stream_overview_dashboard.png", "path": "/package/ti_google_threat_intelligence/0.12.0/img/ioc_stream_overview_dashboard.png", "title": "IOC Stream Overview Dashboard", "size": "600x600", "type": "image/png" }, { "src": "/img/ioc_stream_threat_intelligence_dashboard.png", "path": "/package/ti_google_threat_intelligence/0.12.0/img/ioc_stream_threat_intelligence_dashboard.png", "title": "IOC Stream Threat Intelligence Dashboard" }, { "src": "/img/adversary_intelligence_dashboard.png", "path": "/package/ti_google_threat_intelligence/0.12.0/img/adversary_intelligence_dashboard.png", "title": "Adversary Intelligence Dashboard", "size": "600x600", "type": "image/png" }, { "src": "/img/threat_feed_overview_dashboard.png", "path": "/package/ti_google_threat_intelligence/0.12.0/img/threat_feed_overview_dashboard.png", "title": "Threat Feed Overview Dashboard", "size": "600x600", "type": "image/png" }, { "src": "/img/threat_intelligence_dashboard.png", "path": "/package/ti_google_threat_intelligence/0.12.0/img/threat_intelligence_dashboard.png", "title": "Threat Intelligence Dashboard", "size": "600x600", "type": "image/png" } ], "assets": [ "/package/ti_google_threat_intelligence/0.12.0/LICENSE.txt", "/package/ti_google_threat_intelligence/0.12.0/changelog.yml", "/package/ti_google_threat_intelligence/0.12.0/manifest.yml", "/package/ti_google_threat_intelligence/0.12.0/validation.yml", "/package/ti_google_threat_intelligence/0.12.0/docs/README.md", "/package/ti_google_threat_intelligence/0.12.0/img/adversary_intelligence_dashboard.png", "/package/ti_google_threat_intelligence/0.12.0/img/ioc_stream_overview_dashboard.png", "/package/ti_google_threat_intelligence/0.12.0/img/ioc_stream_threat_intelligence_dashboard.png", "/package/ti_google_threat_intelligence/0.12.0/img/threat_feed_overview_dashboard.png", "/package/ti_google_threat_intelligence/0.12.0/img/threat_intelligence_dashboard.png", "/package/ti_google_threat_intelligence/0.12.0/img/ti_google_threat_intelligence-logo.png", "/package/ti_google_threat_intelligence/0.12.0/kibana/tags.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/cryptominer/manifest.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/cryptominer/sample_event.json", "/package/ti_google_threat_intelligence/0.12.0/data_stream/first_stage_delivery_vectors/manifest.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/first_stage_delivery_vectors/sample_event.json", "/package/ti_google_threat_intelligence/0.12.0/data_stream/infostealer/manifest.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/infostealer/sample_event.json", "/package/ti_google_threat_intelligence/0.12.0/data_stream/ioc_stream/manifest.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/ioc_stream/sample_event.json", "/package/ti_google_threat_intelligence/0.12.0/data_stream/iot/manifest.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/iot/sample_event.json", "/package/ti_google_threat_intelligence/0.12.0/data_stream/linux/manifest.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/linux/sample_event.json", "/package/ti_google_threat_intelligence/0.12.0/data_stream/malicious_network_infrastructure/manifest.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/malicious_network_infrastructure/sample_event.json", "/package/ti_google_threat_intelligence/0.12.0/data_stream/malware/manifest.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/malware/sample_event.json", "/package/ti_google_threat_intelligence/0.12.0/data_stream/mobile/manifest.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/mobile/sample_event.json", "/package/ti_google_threat_intelligence/0.12.0/data_stream/osx/manifest.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/osx/sample_event.json", "/package/ti_google_threat_intelligence/0.12.0/data_stream/phishing/manifest.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/phishing/sample_event.json", "/package/ti_google_threat_intelligence/0.12.0/data_stream/ransomware/manifest.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/ransomware/sample_event.json", "/package/ti_google_threat_intelligence/0.12.0/data_stream/threat_actor/manifest.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/threat_actor/sample_event.json", "/package/ti_google_threat_intelligence/0.12.0/data_stream/trending/manifest.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/trending/sample_event.json", "/package/ti_google_threat_intelligence/0.12.0/data_stream/vulnerability_weaponization/manifest.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/vulnerability_weaponization/sample_event.json", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/ingest_pipeline/ti_google_threat_intelligence-correlation_detection_rule-pipeline.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/ingest_pipeline/ti_google_threat_intelligence-correlation_detection_rule_ioc_st-pipeline.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/ingest_pipeline/ti_google_threat_intelligence-latest_domain_ioc-transform-pipeline.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/ingest_pipeline/ti_google_threat_intelligence-latest_domain_ioc_st-transform-pipeline.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/ingest_pipeline/ti_google_threat_intelligence-latest_file_ioc-transform-pipeline.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/ingest_pipeline/ti_google_threat_intelligence-latest_file_ioc_st-transform-pipeline.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/ingest_pipeline/ti_google_threat_intelligence-latest_ip_ioc-transform-pipeline.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/ingest_pipeline/ti_google_threat_intelligence-latest_ip_ioc_st-transform-pipeline.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/ingest_pipeline/ti_google_threat_intelligence-latest_url_ioc-transform-pipeline.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/ingest_pipeline/ti_google_threat_intelligence-latest_url_ioc_st-transform-pipeline.yml", "/package/ti_google_threat_intelligence/0.12.0/kibana/dashboard/ti_google_threat_intelligence-0b0fb6b4-d250-4e31-a56a-bb872e4c7c4a.json", "/package/ti_google_threat_intelligence/0.12.0/kibana/dashboard/ti_google_threat_intelligence-55f5f53b-343e-4095-b61f-1089a5273d84.json", "/package/ti_google_threat_intelligence/0.12.0/kibana/dashboard/ti_google_threat_intelligence-95187e5c-b4a2-45ad-b6a4-d6ce68e1f43e.json", "/package/ti_google_threat_intelligence/0.12.0/kibana/dashboard/ti_google_threat_intelligence-9e8de699-a623-4a1b-9f63-7d641116f531.json", "/package/ti_google_threat_intelligence/0.12.0/kibana/dashboard/ti_google_threat_intelligence-fb3daf8e-b45b-4fd9-bf94-dbaf96fcfb67.json", "/package/ti_google_threat_intelligence/0.12.0/kibana/search/ti_google_threat_intelligence-12baa0f0-6845-43a3-bfe6-a7959dd200d4.json", "/package/ti_google_threat_intelligence/0.12.0/kibana/search/ti_google_threat_intelligence-1539bed1-9500-4751-b492-07bff04c887b.json", "/package/ti_google_threat_intelligence/0.12.0/kibana/search/ti_google_threat_intelligence-1660f3a3-75ff-4950-a1e1-8dc3de4e7c39.json", "/package/ti_google_threat_intelligence/0.12.0/kibana/search/ti_google_threat_intelligence-38af8948-a1f0-450e-9ebc-8e35544e8c16.json", "/package/ti_google_threat_intelligence/0.12.0/kibana/search/ti_google_threat_intelligence-4907ee04-d1f7-4d33-842e-ecd1b8409f23.json", "/package/ti_google_threat_intelligence/0.12.0/kibana/search/ti_google_threat_intelligence-64fb5964-6114-490d-9f0b-2d3684f8cc8d.json", "/package/ti_google_threat_intelligence/0.12.0/kibana/search/ti_google_threat_intelligence-70860d2b-3f3b-4185-b524-f0afdb0d2cf6.json", "/package/ti_google_threat_intelligence/0.12.0/kibana/search/ti_google_threat_intelligence-7a6faa45-29fd-449f-a05d-7d00858f614c.json", "/package/ti_google_threat_intelligence/0.12.0/kibana/search/ti_google_threat_intelligence-7b0a91d7-7d7b-4e23-aff7-dd97e820dae2.json", "/package/ti_google_threat_intelligence/0.12.0/kibana/search/ti_google_threat_intelligence-7f91c071-f4d8-47af-bad9-e07e9ad4892c.json", "/package/ti_google_threat_intelligence/0.12.0/kibana/search/ti_google_threat_intelligence-831f6124-6aaf-41dd-9448-8b09423548ec.json", "/package/ti_google_threat_intelligence/0.12.0/kibana/search/ti_google_threat_intelligence-8470cc18-e5e2-4a93-ae98-8ef0f93fcc07.json", "/package/ti_google_threat_intelligence/0.12.0/kibana/search/ti_google_threat_intelligence-a051cab4-06f3-4b8c-b7c3-9bb1fbc90cab.json", "/package/ti_google_threat_intelligence/0.12.0/kibana/search/ti_google_threat_intelligence-aeff19b8-15d8-49eb-aae1-0439e0f014cd.json", "/package/ti_google_threat_intelligence/0.12.0/kibana/search/ti_google_threat_intelligence-e813ee30-c48e-4607-be05-8f2abe2f8bd1.json", "/package/ti_google_threat_intelligence/0.12.0/kibana/security_rule/05b83871-a7af-494f-b1cf-be4b20ac4a86_1.json", "/package/ti_google_threat_intelligence/0.12.0/kibana/security_rule/1e6b8753-550a-401e-bffd-06f085f3e658_1.json", "/package/ti_google_threat_intelligence/0.12.0/kibana/security_rule/36b2cd30-34ae-46c4-993e-a370ea059692_1.json", "/package/ti_google_threat_intelligence/0.12.0/kibana/security_rule/378bd5c1-04ab-4048-a7ba-d25c3e1e3585_1.json", "/package/ti_google_threat_intelligence/0.12.0/kibana/security_rule/5bd95a46-10e3-4bb9-9c0e-4d7493e359ac_1.json", "/package/ti_google_threat_intelligence/0.12.0/kibana/security_rule/677c4a0c-d433-48c4-b465-4bab3d0b1755_1.json", "/package/ti_google_threat_intelligence/0.12.0/kibana/security_rule/9b852169-e461-453a-b42f-1cf9ca6594bc_1.json", "/package/ti_google_threat_intelligence/0.12.0/kibana/security_rule/b31e8055-8985-4a06-a7e0-4c1b650ade87_1.json", "/package/ti_google_threat_intelligence/0.12.0/data_stream/cryptominer/fields/base-fields.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/cryptominer/fields/beats.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/cryptominer/fields/fields.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/cryptominer/fields/is-transform-source-true.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/first_stage_delivery_vectors/fields/base-fields.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/first_stage_delivery_vectors/fields/beats.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/first_stage_delivery_vectors/fields/fields.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/first_stage_delivery_vectors/fields/is-transform-source-true.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/infostealer/fields/base-fields.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/infostealer/fields/beats.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/infostealer/fields/fields.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/infostealer/fields/is-transform-source-true.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/ioc_stream/fields/base-fields.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/ioc_stream/fields/beats.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/ioc_stream/fields/fields.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/ioc_stream/fields/is-transform-source-true.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/iot/fields/base-fields.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/iot/fields/beats.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/iot/fields/fields.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/iot/fields/is-transform-source-true.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/linux/fields/base-fields.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/linux/fields/beats.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/linux/fields/fields.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/linux/fields/is-transform-source-true.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/malicious_network_infrastructure/fields/base-fields.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/malicious_network_infrastructure/fields/beats.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/malicious_network_infrastructure/fields/fields.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/malicious_network_infrastructure/fields/is-transform-source-true.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/malware/fields/base-fields.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/malware/fields/beats.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/malware/fields/fields.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/malware/fields/is-transform-source-true.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/mobile/fields/base-fields.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/mobile/fields/beats.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/mobile/fields/fields.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/mobile/fields/is-transform-source-true.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/osx/fields/base-fields.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/osx/fields/beats.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/osx/fields/fields.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/osx/fields/is-transform-source-true.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/phishing/fields/base-fields.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/phishing/fields/beats.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/phishing/fields/fields.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/phishing/fields/is-transform-source-true.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/ransomware/fields/base-fields.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/ransomware/fields/beats.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/ransomware/fields/fields.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/ransomware/fields/is-transform-source-true.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/threat_actor/fields/base-fields.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/threat_actor/fields/beats.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/threat_actor/fields/fields.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/threat_actor/fields/is-transform-source-true.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/trending/fields/base-fields.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/trending/fields/beats.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/trending/fields/fields.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/trending/fields/is-transform-source-true.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/vulnerability_weaponization/fields/base-fields.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/vulnerability_weaponization/fields/beats.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/vulnerability_weaponization/fields/fields.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/vulnerability_weaponization/fields/is-transform-source-true.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/domain_ioc/manifest.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/domain_ioc/transform.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/domain_ioc_st/manifest.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/domain_ioc_st/transform.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/file_ioc/manifest.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/file_ioc/transform.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/file_ioc_st/manifest.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/file_ioc_st/transform.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/ip_ioc/manifest.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/ip_ioc/transform.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/ip_ioc_st/manifest.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/ip_ioc_st/transform.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/rule/manifest.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/rule/transform.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/rule_ioc_st/manifest.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/rule_ioc_st/transform.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/url_ioc/manifest.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/url_ioc/transform.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/url_ioc_st/manifest.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/url_ioc_st/transform.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/cryptominer/agent/stream/cel.yml.hbs", "/package/ti_google_threat_intelligence/0.12.0/data_stream/cryptominer/elasticsearch/ingest_pipeline/default.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/first_stage_delivery_vectors/agent/stream/cel.yml.hbs", "/package/ti_google_threat_intelligence/0.12.0/data_stream/first_stage_delivery_vectors/elasticsearch/ingest_pipeline/default.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/infostealer/agent/stream/cel.yml.hbs", "/package/ti_google_threat_intelligence/0.12.0/data_stream/infostealer/elasticsearch/ingest_pipeline/default.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/ioc_stream/agent/stream/cel.yml.hbs", "/package/ti_google_threat_intelligence/0.12.0/data_stream/ioc_stream/elasticsearch/ingest_pipeline/default.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/iot/agent/stream/cel.yml.hbs", "/package/ti_google_threat_intelligence/0.12.0/data_stream/iot/elasticsearch/ingest_pipeline/default.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/linux/agent/stream/cel.yml.hbs", "/package/ti_google_threat_intelligence/0.12.0/data_stream/linux/elasticsearch/ingest_pipeline/default.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/malicious_network_infrastructure/agent/stream/cel.yml.hbs", "/package/ti_google_threat_intelligence/0.12.0/data_stream/malicious_network_infrastructure/elasticsearch/ingest_pipeline/default.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/malware/agent/stream/cel.yml.hbs", "/package/ti_google_threat_intelligence/0.12.0/data_stream/malware/elasticsearch/ingest_pipeline/default.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/mobile/agent/stream/cel.yml.hbs", "/package/ti_google_threat_intelligence/0.12.0/data_stream/mobile/elasticsearch/ingest_pipeline/default.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/osx/agent/stream/cel.yml.hbs", "/package/ti_google_threat_intelligence/0.12.0/data_stream/osx/elasticsearch/ingest_pipeline/default.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/phishing/agent/stream/cel.yml.hbs", "/package/ti_google_threat_intelligence/0.12.0/data_stream/phishing/elasticsearch/ingest_pipeline/default.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/ransomware/agent/stream/cel.yml.hbs", "/package/ti_google_threat_intelligence/0.12.0/data_stream/ransomware/elasticsearch/ingest_pipeline/default.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/threat_actor/agent/stream/cel.yml.hbs", "/package/ti_google_threat_intelligence/0.12.0/data_stream/threat_actor/elasticsearch/ingest_pipeline/default.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/trending/agent/stream/cel.yml.hbs", "/package/ti_google_threat_intelligence/0.12.0/data_stream/trending/elasticsearch/ingest_pipeline/default.yml", "/package/ti_google_threat_intelligence/0.12.0/data_stream/vulnerability_weaponization/agent/stream/cel.yml.hbs", "/package/ti_google_threat_intelligence/0.12.0/data_stream/vulnerability_weaponization/elasticsearch/ingest_pipeline/default.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/domain_ioc/fields/base-fields.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/domain_ioc/fields/beats.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/domain_ioc/fields/ecs.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/domain_ioc/fields/fields.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/domain_ioc/fields/is-transform-source-false.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/domain_ioc_st/fields/base-fields.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/domain_ioc_st/fields/beats.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/domain_ioc_st/fields/ecs.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/domain_ioc_st/fields/fields.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/domain_ioc_st/fields/is-transform-source-false.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/file_ioc/fields/base-fields.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/file_ioc/fields/beats.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/file_ioc/fields/ecs.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/file_ioc/fields/fields.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/file_ioc/fields/is-transform-source-false.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/file_ioc_st/fields/base-fields.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/file_ioc_st/fields/beats.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/file_ioc_st/fields/ecs.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/file_ioc_st/fields/fields.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/file_ioc_st/fields/is-transform-source-false.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/ip_ioc/fields/base-fields.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/ip_ioc/fields/beats.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/ip_ioc/fields/ecs.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/ip_ioc/fields/fields.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/ip_ioc/fields/is-transform-source-false.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/ip_ioc_st/fields/base-fields.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/ip_ioc_st/fields/beats.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/ip_ioc_st/fields/ecs.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/ip_ioc_st/fields/fields.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/ip_ioc_st/fields/is-transform-source-false.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/rule/fields/base-fields.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/rule/fields/beats.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/rule/fields/ecs.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/rule/fields/fields.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/rule_ioc_st/fields/base-fields.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/rule_ioc_st/fields/beats.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/rule_ioc_st/fields/ecs.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/rule_ioc_st/fields/fields.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/url_ioc/fields/base-fields.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/url_ioc/fields/beats.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/url_ioc/fields/ecs.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/url_ioc/fields/fields.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/url_ioc/fields/is-transform-source-false.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/url_ioc_st/fields/base-fields.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/url_ioc_st/fields/beats.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/url_ioc_st/fields/ecs.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/url_ioc_st/fields/fields.yml", "/package/ti_google_threat_intelligence/0.12.0/elasticsearch/transform/url_ioc_st/fields/is-transform-source-false.yml" ], "policy_templates": [ { "name": "ti_google_threat_intelligence", "title": "Google Threat Intelligence events", "description": "Collect Google Threat Intelligence events.", "inputs": [ { "type": "cel", "vars": [ { "name": "url", "type": "url", "title": "URL", "description": "By default, the URL is set to `https://www.virustotal.com`.", "multi": false, "required": true, "show_user": false, "default": "https://www.virustotal.com" }, { "name": "access_token", "type": "password", "title": "Access Token", "description": "Access Token used to authenticate the requests.", "multi": false, "required": true, "show_user": true }, { "name": "proxy_url", "type": "text", "title": "Proxy URL", "description": "URL to proxy connections in the form of http[s]://:@:. Please ensure your username and password are in URL encoded format.", "multi": false, "required": false, "show_user": false }, { "name": "ssl", "type": "yaml", "title": "SSL Configuration", "description": "i.e. certificate_authorities, supported_protocols, verification_mode etc.", "multi": false, "required": false, "show_user": false, "default": "#certificate_authorities:\n# - |\n# -----BEGIN CERTIFICATE-----\n# MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF\n# ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2\n# MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB\n# BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n\n# fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl\n# 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t\n# /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP\n# PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41\n# CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O\n# BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux\n# 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D\n# 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw\n# 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA\n# H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu\n# 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0\n# yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk\n# sxSmbIUfc2SGJGCJD4I=\n# -----END CERTIFICATE-----\n" } ], "title": "Collect Google Threat Intelligence events via API", "description": "Collecting Google Threat Intelligence events via API." } ], "multiple": true, "deployment_modes": { "default": { "enabled": true }, "agentless": { "enabled": true } } } ], "data_streams": [ { "type": "logs", "dataset": "ti_google_threat_intelligence.cryptominer", "title": "Cryptominer Events", "release": "beta", "ingest_pipeline": "default", "streams": [ { "input": "cel", "vars": [ { "name": "initial_interval", "type": "text", "title": "Initial Interval", "description": "How far back to pull events from the Google Threat Intelligence API. Requests newer than the availability delay are clamped to the latest available package. Supported units are h.", "multi": false, "required": true, "show_user": true, "default": "2h" }, { "name": "availability_delay", "type": "text", "title": "Availability Delay", "description": "Time between a threat list package hour and when Google makes that package available. Supported units are h, m and s.", "multi": false, "required": true, "show_user": false, "default": "2h" }, { "name": "interval", "type": "text", "title": "Interval", "description": "Duration between consecutive scheduled requests to the Google Threat Intelligence API. The CEL program only requests threat list packages after the configured availability delay, so a 1h interval safely checks each hourly package once it is available. Supported units are h.", "multi": false, "required": true, "show_user": true, "default": "1h" }, { "name": "query", "type": "text", "title": "Query [Query Params]", "description": "Query to filter the results.", "multi": false, "required": false, "show_user": false }, { "name": "http_client_timeout", "type": "text", "title": "HTTP Client Timeout", "description": "Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h.", "multi": false, "required": true, "show_user": false, "default": "30s" }, { "name": "enable_request_tracer", "type": "bool", "title": "Enable request tracing", "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_filename) for details.", "multi": false, "required": false, "show_user": false, "default": false }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "google_threat_intelligence-cryptominer" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": false, "show_user": true, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed.", "multi": false, "required": false, "show_user": false } ], "template_path": "cel.yml.hbs", "title": "Cryptominer Events", "description": "Collecting Cryptominer events via API. Requires Enterprise Plus subscription.", "enabled": false, "ingestion_method": "API" } ], "package": "ti_google_threat_intelligence", "path": "cryptominer" }, { "type": "logs", "dataset": "ti_google_threat_intelligence.first_stage_delivery_vectors", "title": "First Stage Delivery Vectors Events", "release": "beta", "ingest_pipeline": "default", "streams": [ { "input": "cel", "vars": [ { "name": "initial_interval", "type": "text", "title": "Initial Interval", "description": "How far back to pull events from the Google Threat Intelligence API. Requests newer than the availability delay are clamped to the latest available package. Supported units are h.", "multi": false, "required": true, "show_user": true, "default": "2h" }, { "name": "availability_delay", "type": "text", "title": "Availability Delay", "description": "Time between a threat list package hour and when Google makes that package available. Supported units are h, m and s.", "multi": false, "required": true, "show_user": false, "default": "2h" }, { "name": "interval", "type": "text", "title": "Interval", "description": "Duration between consecutive scheduled requests to the Google Threat Intelligence API. The CEL program only requests threat list packages after the configured availability delay, so a 1h interval safely checks each hourly package once it is available. Supported units are h.", "multi": false, "required": true, "show_user": true, "default": "1h" }, { "name": "query", "type": "text", "title": "Query [Query Params]", "description": "Query to filter the results.", "multi": false, "required": false, "show_user": false }, { "name": "http_client_timeout", "type": "text", "title": "HTTP Client Timeout", "description": "Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h.", "multi": false, "required": true, "show_user": false, "default": "30s" }, { "name": "enable_request_tracer", "type": "bool", "title": "Enable request tracing", "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_filename) for details.", "multi": false, "required": false, "show_user": false, "default": false }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "google_threat_intelligence-first_stage_delivery_vectors" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": false, "show_user": true, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed.", "multi": false, "required": false, "show_user": false } ], "template_path": "cel.yml.hbs", "title": "First Stage Delivery Vectors Events", "description": "Collecting First Stage Delivery Vectors events via API. Requires Enterprise Plus subscription.", "enabled": false, "ingestion_method": "API" } ], "package": "ti_google_threat_intelligence", "path": "first_stage_delivery_vectors" }, { "type": "logs", "dataset": "ti_google_threat_intelligence.infostealer", "title": "Infostealer Events", "release": "beta", "ingest_pipeline": "default", "streams": [ { "input": "cel", "vars": [ { "name": "initial_interval", "type": "text", "title": "Initial Interval", "description": "How far back to pull events from the Google Threat Intelligence API. Requests newer than the availability delay are clamped to the latest available package. Supported units are h.", "multi": false, "required": true, "show_user": true, "default": "2h" }, { "name": "availability_delay", "type": "text", "title": "Availability Delay", "description": "Time between a threat list package hour and when Google makes that package available. Supported units are h, m and s.", "multi": false, "required": true, "show_user": false, "default": "2h" }, { "name": "interval", "type": "text", "title": "Interval", "description": "Duration between consecutive scheduled requests to the Google Threat Intelligence API. The CEL program only requests threat list packages after the configured availability delay, so a 1h interval safely checks each hourly package once it is available. Supported units are h.", "multi": false, "required": true, "show_user": true, "default": "1h" }, { "name": "query", "type": "text", "title": "Query [Query Params]", "description": "Query to filter the results.", "multi": false, "required": false, "show_user": false }, { "name": "http_client_timeout", "type": "text", "title": "HTTP Client Timeout", "description": "Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h.", "multi": false, "required": true, "show_user": false, "default": "30s" }, { "name": "enable_request_tracer", "type": "bool", "title": "Enable request tracing", "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_filename) for details.", "multi": false, "required": false, "show_user": false, "default": false }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "google_threat_intelligence-infostealer" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": false, "show_user": true, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed.", "multi": false, "required": false, "show_user": false } ], "template_path": "cel.yml.hbs", "title": "Infostealer Events", "description": "Collecting Infostealer events via API. Requires Enterprise Plus subscription.", "enabled": false, "ingestion_method": "API" } ], "package": "ti_google_threat_intelligence", "path": "infostealer" }, { "type": "logs", "dataset": "ti_google_threat_intelligence.ioc_stream", "title": "IOC Stream Events", "release": "beta", "ingest_pipeline": "default", "streams": [ { "input": "cel", "vars": [ { "name": "initial_interval", "type": "text", "title": "Initial Interval", "description": "How far back to pull IOC Stream events from the Google Threat Intelligence API. Supported units are h/m/s.", "multi": false, "required": true, "show_user": true, "default": "1h" }, { "name": "interval", "type": "text", "title": "Interval", "description": "Duration between consecutive requests to the Google Threat Intelligence API. Supported units are h/m/s.", "multi": false, "required": true, "show_user": true, "default": "1h" }, { "name": "http_client_timeout", "type": "text", "title": "HTTP Client Timeout", "description": "Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h.", "multi": false, "required": true, "show_user": false, "default": "30s" }, { "name": "enable_request_tracer", "type": "bool", "title": "Enable request tracing", "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_filename) for details.", "multi": false, "required": false, "show_user": false, "default": false }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "google_threat_intelligence-ioc_stream" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": false, "show_user": true, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed.", "multi": false, "required": false, "show_user": false } ], "template_path": "cel.yml.hbs", "title": "IOC Stream Events", "description": "Collecting IOC Stream events via API.", "enabled": false, "ingestion_method": "API" } ], "package": "ti_google_threat_intelligence", "path": "ioc_stream" }, { "type": "logs", "dataset": "ti_google_threat_intelligence.iot", "title": "Internet of Things Events", "release": "beta", "ingest_pipeline": "default", "streams": [ { "input": "cel", "vars": [ { "name": "initial_interval", "type": "text", "title": "Initial Interval", "description": "How far back to pull events from the Google Threat Intelligence API. Requests newer than the availability delay are clamped to the latest available package. Supported units are h.", "multi": false, "required": true, "show_user": true, "default": "2h" }, { "name": "availability_delay", "type": "text", "title": "Availability Delay", "description": "Time between a threat list package hour and when Google makes that package available. Supported units are h, m and s.", "multi": false, "required": true, "show_user": false, "default": "2h" }, { "name": "interval", "type": "text", "title": "Interval", "description": "Duration between consecutive scheduled requests to the Google Threat Intelligence API. The CEL program only requests threat list packages after the configured availability delay, so a 1h interval safely checks each hourly package once it is available. Supported units are h.", "multi": false, "required": true, "show_user": true, "default": "1h" }, { "name": "query", "type": "text", "title": "Query [Query Params]", "description": "Query to filter the results.", "multi": false, "required": false, "show_user": false }, { "name": "http_client_timeout", "type": "text", "title": "HTTP Client Timeout", "description": "Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h.", "multi": false, "required": true, "show_user": false, "default": "30s" }, { "name": "enable_request_tracer", "type": "bool", "title": "Enable request tracing", "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_filename) for details.", "multi": false, "required": false, "show_user": false, "default": false }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "google_threat_intelligence-iot" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": false, "show_user": true, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed.", "multi": false, "required": false, "show_user": false } ], "template_path": "cel.yml.hbs", "title": "Internet of Things Events", "description": "Collecting Internet of Things events via API. Requires Enterprise Plus subscription.", "enabled": false, "ingestion_method": "API" } ], "package": "ti_google_threat_intelligence", "path": "iot" }, { "type": "logs", "dataset": "ti_google_threat_intelligence.linux", "title": "Linux Events", "release": "beta", "ingest_pipeline": "default", "streams": [ { "input": "cel", "vars": [ { "name": "initial_interval", "type": "text", "title": "Initial Interval", "description": "How far back to pull events from the Google Threat Intelligence API. Requests newer than the availability delay are clamped to the latest available package. Supported units are h.", "multi": false, "required": true, "show_user": true, "default": "2h" }, { "name": "availability_delay", "type": "text", "title": "Availability Delay", "description": "Time between a threat list package hour and when Google makes that package available. Supported units are h, m and s.", "multi": false, "required": true, "show_user": false, "default": "2h" }, { "name": "interval", "type": "text", "title": "Interval", "description": "Duration between consecutive scheduled requests to the Google Threat Intelligence API. The CEL program only requests threat list packages after the configured availability delay, so a 1h interval safely checks each hourly package once it is available. Supported units are h.", "multi": false, "required": true, "show_user": true, "default": "1h" }, { "name": "query", "type": "text", "title": "Query [Query Params]", "description": "Query to filter the results.", "multi": false, "required": false, "show_user": false }, { "name": "http_client_timeout", "type": "text", "title": "HTTP Client Timeout", "description": "Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h.", "multi": false, "required": true, "show_user": false, "default": "30s" }, { "name": "enable_request_tracer", "type": "bool", "title": "Enable request tracing", "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_filename) for details.", "multi": false, "required": false, "show_user": false, "default": false }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "google_threat_intelligence-linux" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": false, "show_user": true, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed.", "multi": false, "required": false, "show_user": false } ], "template_path": "cel.yml.hbs", "title": "Linux Events", "description": "Collecting Linux events via API. Requires Enterprise Plus subscription.", "enabled": false, "ingestion_method": "API" } ], "package": "ti_google_threat_intelligence", "path": "linux" }, { "type": "logs", "dataset": "ti_google_threat_intelligence.malicious_network_infrastructure", "title": "Malicious Network Infrastructure Events", "release": "beta", "ingest_pipeline": "default", "streams": [ { "input": "cel", "vars": [ { "name": "initial_interval", "type": "text", "title": "Initial Interval", "description": "How far back to pull events from the Google Threat Intelligence API. Requests newer than the availability delay are clamped to the latest available package. Supported units are h.", "multi": false, "required": true, "show_user": true, "default": "2h" }, { "name": "availability_delay", "type": "text", "title": "Availability Delay", "description": "Time between a threat list package hour and when Google makes that package available. Supported units are h, m and s.", "multi": false, "required": true, "show_user": false, "default": "2h" }, { "name": "interval", "type": "text", "title": "Interval", "description": "Duration between consecutive scheduled requests to the Google Threat Intelligence API. The CEL program only requests threat list packages after the configured availability delay, so a 1h interval safely checks each hourly package once it is available. Supported units are h.", "multi": false, "required": true, "show_user": true, "default": "1h" }, { "name": "query", "type": "text", "title": "Query [Query Params]", "description": "Query to filter the results.", "multi": false, "required": false, "show_user": false }, { "name": "http_client_timeout", "type": "text", "title": "HTTP Client Timeout", "description": "Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h.", "multi": false, "required": true, "show_user": false, "default": "30s" }, { "name": "enable_request_tracer", "type": "bool", "title": "Enable request tracing", "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_filename) for details.", "multi": false, "required": false, "show_user": false, "default": false }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "google_threat_intelligence-malicious_network_infrastructure" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": false, "show_user": true, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed.", "multi": false, "required": false, "show_user": false } ], "template_path": "cel.yml.hbs", "title": "Malicious Network Infrastructure Events", "description": "Collecting Malicious Network Infrastructure events via API.", "enabled": true, "ingestion_method": "API" } ], "package": "ti_google_threat_intelligence", "path": "malicious_network_infrastructure" }, { "type": "logs", "dataset": "ti_google_threat_intelligence.malware", "title": "Malware Events", "release": "beta", "ingest_pipeline": "default", "streams": [ { "input": "cel", "vars": [ { "name": "initial_interval", "type": "text", "title": "Initial Interval", "description": "How far back to pull events from the Google Threat Intelligence API. Requests newer than the availability delay are clamped to the latest available package. Supported units are h.", "multi": false, "required": true, "show_user": true, "default": "2h" }, { "name": "availability_delay", "type": "text", "title": "Availability Delay", "description": "Time between a threat list package hour and when Google makes that package available. Supported units are h, m and s.", "multi": false, "required": true, "show_user": false, "default": "2h" }, { "name": "interval", "type": "text", "title": "Interval", "description": "Duration between consecutive scheduled requests to the Google Threat Intelligence API. The CEL program only requests threat list packages after the configured availability delay, so a 1h interval safely checks each hourly package once it is available. Supported units are h.", "multi": false, "required": true, "show_user": true, "default": "1h" }, { "name": "query", "type": "text", "title": "Query [Query Params]", "description": "Query to filter the results.", "multi": false, "required": false, "show_user": false }, { "name": "http_client_timeout", "type": "text", "title": "HTTP Client Timeout", "description": "Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h.", "multi": false, "required": true, "show_user": false, "default": "30s" }, { "name": "enable_request_tracer", "type": "bool", "title": "Enable request tracing", "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_filename) for details.", "multi": false, "required": false, "show_user": false, "default": false }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "google_threat_intelligence-malware" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": false, "show_user": true, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed.", "multi": false, "required": false, "show_user": false } ], "template_path": "cel.yml.hbs", "title": "Malware Events", "description": "Collecting Malware events via API. Requires Enterprise or Enterprise Plus subscription.", "enabled": false, "ingestion_method": "API" } ], "package": "ti_google_threat_intelligence", "path": "malware" }, { "type": "logs", "dataset": "ti_google_threat_intelligence.mobile", "title": "Mobile Events", "release": "beta", "ingest_pipeline": "default", "streams": [ { "input": "cel", "vars": [ { "name": "initial_interval", "type": "text", "title": "Initial Interval", "description": "How far back to pull events from the Google Threat Intelligence API. Requests newer than the availability delay are clamped to the latest available package. Supported units are h.", "multi": false, "required": true, "show_user": true, "default": "2h" }, { "name": "availability_delay", "type": "text", "title": "Availability Delay", "description": "Time between a threat list package hour and when Google makes that package available. Supported units are h, m and s.", "multi": false, "required": true, "show_user": false, "default": "2h" }, { "name": "interval", "type": "text", "title": "Interval", "description": "Duration between consecutive scheduled requests to the Google Threat Intelligence API. The CEL program only requests threat list packages after the configured availability delay, so a 1h interval safely checks each hourly package once it is available. Supported units are h.", "multi": false, "required": true, "show_user": true, "default": "1h" }, { "name": "query", "type": "text", "title": "Query [Query Params]", "description": "Query to filter the results.", "multi": false, "required": false, "show_user": false }, { "name": "http_client_timeout", "type": "text", "title": "HTTP Client Timeout", "description": "Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h.", "multi": false, "required": true, "show_user": false, "default": "30s" }, { "name": "enable_request_tracer", "type": "bool", "title": "Enable request tracing", "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_filename) for details.", "multi": false, "required": false, "show_user": false, "default": false }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "google_threat_intelligence-mobile" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": false, "show_user": true, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed.", "multi": false, "required": false, "show_user": false } ], "template_path": "cel.yml.hbs", "title": "Mobile Events", "description": "Collecting Mobile events via API. Requires Enterprise Plus subscription.", "enabled": false, "ingestion_method": "API" } ], "package": "ti_google_threat_intelligence", "path": "mobile" }, { "type": "logs", "dataset": "ti_google_threat_intelligence.osx", "title": "OS X Events", "release": "beta", "ingest_pipeline": "default", "streams": [ { "input": "cel", "vars": [ { "name": "initial_interval", "type": "text", "title": "Initial Interval", "description": "How far back to pull events from the Google Threat Intelligence API. Requests newer than the availability delay are clamped to the latest available package. Supported units are h.", "multi": false, "required": true, "show_user": true, "default": "2h" }, { "name": "availability_delay", "type": "text", "title": "Availability Delay", "description": "Time between a threat list package hour and when Google makes that package available. Supported units are h, m and s.", "multi": false, "required": true, "show_user": false, "default": "2h" }, { "name": "interval", "type": "text", "title": "Interval", "description": "Duration between consecutive scheduled requests to the Google Threat Intelligence API. The CEL program only requests threat list packages after the configured availability delay, so a 1h interval safely checks each hourly package once it is available. Supported units are h.", "multi": false, "required": true, "show_user": true, "default": "1h" }, { "name": "query", "type": "text", "title": "Query [Query Params]", "description": "Query to filter the results.", "multi": false, "required": false, "show_user": false }, { "name": "http_client_timeout", "type": "text", "title": "HTTP Client Timeout", "description": "Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h.", "multi": false, "required": true, "show_user": false, "default": "30s" }, { "name": "enable_request_tracer", "type": "bool", "title": "Enable request tracing", "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_filename) for details.", "multi": false, "required": false, "show_user": false, "default": false }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "google_threat_intelligence-osx" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": false, "show_user": true, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed.", "multi": false, "required": false, "show_user": false } ], "template_path": "cel.yml.hbs", "title": "OS X Events", "description": "Collecting OS X events via API. Requires Enterprise Plus subscription.", "enabled": false, "ingestion_method": "API" } ], "package": "ti_google_threat_intelligence", "path": "osx" }, { "type": "logs", "dataset": "ti_google_threat_intelligence.phishing", "title": "Phishing Events", "release": "beta", "ingest_pipeline": "default", "streams": [ { "input": "cel", "vars": [ { "name": "initial_interval", "type": "text", "title": "Initial Interval", "description": "How far back to pull events from the Google Threat Intelligence API. Requests newer than the availability delay are clamped to the latest available package. Supported units are h.", "multi": false, "required": true, "show_user": true, "default": "2h" }, { "name": "availability_delay", "type": "text", "title": "Availability Delay", "description": "Time between a threat list package hour and when Google makes that package available. Supported units are h, m and s.", "multi": false, "required": true, "show_user": false, "default": "2h" }, { "name": "interval", "type": "text", "title": "Interval", "description": "Duration between consecutive scheduled requests to the Google Threat Intelligence API. The CEL program only requests threat list packages after the configured availability delay, so a 1h interval safely checks each hourly package once it is available. Supported units are h.", "multi": false, "required": true, "show_user": true, "default": "1h" }, { "name": "query", "type": "text", "title": "Query [Query Params]", "description": "Query to filter the results.", "multi": false, "required": false, "show_user": false }, { "name": "http_client_timeout", "type": "text", "title": "HTTP Client Timeout", "description": "Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h.", "multi": false, "required": true, "show_user": false, "default": "30s" }, { "name": "enable_request_tracer", "type": "bool", "title": "Enable request tracing", "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_filename) for details.", "multi": false, "required": false, "show_user": false, "default": false }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "google_threat_intelligence-phishing" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": false, "show_user": true, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed.", "multi": false, "required": false, "show_user": false } ], "template_path": "cel.yml.hbs", "title": "Phishing Events", "description": "Collecting Phishing events via API. Requires Enterprise Plus subscription.", "enabled": false, "ingestion_method": "API" } ], "package": "ti_google_threat_intelligence", "path": "phishing" }, { "type": "logs", "dataset": "ti_google_threat_intelligence.ransomware", "title": "Ransomware Events", "release": "beta", "ingest_pipeline": "default", "streams": [ { "input": "cel", "vars": [ { "name": "initial_interval", "type": "text", "title": "Initial Interval", "description": "How far back to pull events from the Google Threat Intelligence API. Requests newer than the availability delay are clamped to the latest available package. Supported units are h.", "multi": false, "required": true, "show_user": true, "default": "2h" }, { "name": "availability_delay", "type": "text", "title": "Availability Delay", "description": "Time between a threat list package hour and when Google makes that package available. Supported units are h, m and s.", "multi": false, "required": true, "show_user": false, "default": "2h" }, { "name": "interval", "type": "text", "title": "Interval", "description": "Duration between consecutive scheduled requests to the Google Threat Intelligence API. The CEL program only requests threat list packages after the configured availability delay, so a 1h interval safely checks each hourly package once it is available. Supported units are h.", "multi": false, "required": true, "show_user": true, "default": "1h" }, { "name": "query", "type": "text", "title": "Query [Query Params]", "description": "Query to filter the results.", "multi": false, "required": false, "show_user": false }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": false, "show_user": true, "default": false }, { "name": "http_client_timeout", "type": "text", "title": "HTTP Client Timeout", "description": "Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h.", "multi": false, "required": true, "show_user": false, "default": "30s" }, { "name": "enable_request_tracer", "type": "bool", "title": "Enable request tracing", "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_filename) for details.", "multi": false, "required": false, "show_user": false, "default": false }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "google_threat_intelligence-ransomware" ] }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed.", "multi": false, "required": false, "show_user": false } ], "template_path": "cel.yml.hbs", "title": "Ransomware Events", "description": "Collecting Ransomware events via API.", "enabled": true, "ingestion_method": "API" } ], "package": "ti_google_threat_intelligence", "path": "ransomware" }, { "type": "logs", "dataset": "ti_google_threat_intelligence.threat_actor", "title": "Threat Actor Events", "release": "beta", "ingest_pipeline": "default", "streams": [ { "input": "cel", "vars": [ { "name": "initial_interval", "type": "text", "title": "Initial Interval", "description": "How far back to pull events from the Google Threat Intelligence API. Requests newer than the availability delay are clamped to the latest available package. Supported units are h.", "multi": false, "required": true, "show_user": true, "default": "2h" }, { "name": "availability_delay", "type": "text", "title": "Availability Delay", "description": "Time between a threat list package hour and when Google makes that package available. Supported units are h, m and s.", "multi": false, "required": true, "show_user": false, "default": "2h" }, { "name": "interval", "type": "text", "title": "Interval", "description": "Duration between consecutive scheduled requests to the Google Threat Intelligence API. The CEL program only requests threat list packages after the configured availability delay, so a 1h interval safely checks each hourly package once it is available. Supported units are h.", "multi": false, "required": true, "show_user": true, "default": "1h" }, { "name": "query", "type": "text", "title": "Query [Query Params]", "description": "Query to filter the results.", "multi": false, "required": false, "show_user": false }, { "name": "http_client_timeout", "type": "text", "title": "HTTP Client Timeout", "description": "Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h.", "multi": false, "required": true, "show_user": false, "default": "30s" }, { "name": "enable_request_tracer", "type": "bool", "title": "Enable request tracing", "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_filename) for details.", "multi": false, "required": false, "show_user": false, "default": false }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "google_threat_intelligence-threat_actor" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": false, "show_user": true, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed.", "multi": false, "required": false, "show_user": false } ], "template_path": "cel.yml.hbs", "title": "Threat Actor Events", "description": "Collecting Threat Actor events via API. Requires Enterprise or Enterprise Plus subscription.", "enabled": false, "ingestion_method": "API" } ], "package": "ti_google_threat_intelligence", "path": "threat_actor" }, { "type": "logs", "dataset": "ti_google_threat_intelligence.trending", "title": "Daily Top trending Events", "release": "beta", "ingest_pipeline": "default", "streams": [ { "input": "cel", "vars": [ { "name": "initial_interval", "type": "text", "title": "Initial Interval", "description": "How far back to pull events from the Google Threat Intelligence API. Requests newer than the availability delay are clamped to the latest available package. Supported units are h.", "multi": false, "required": true, "show_user": true, "default": "2h" }, { "name": "availability_delay", "type": "text", "title": "Availability Delay", "description": "Time between a threat list package hour and when Google makes that package available. Supported units are h, m and s.", "multi": false, "required": true, "show_user": false, "default": "2h" }, { "name": "interval", "type": "text", "title": "Interval", "description": "Duration between consecutive scheduled requests to the Google Threat Intelligence API. The CEL program only requests threat list packages after the configured availability delay, so a 1h interval safely checks each hourly package once it is available. Supported units are h.", "multi": false, "required": true, "show_user": true, "default": "1h" }, { "name": "query", "type": "text", "title": "Query [Query Params]", "description": "Query to filter the results.", "multi": false, "required": false, "show_user": false }, { "name": "http_client_timeout", "type": "text", "title": "HTTP Client Timeout", "description": "Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h.", "multi": false, "required": true, "show_user": false, "default": "30s" }, { "name": "enable_request_tracer", "type": "bool", "title": "Enable request tracing", "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_filename) for details.", "multi": false, "required": false, "show_user": false, "default": false }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "google_threat_intelligence-trending" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": false, "show_user": true, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed.", "multi": false, "required": false, "show_user": false } ], "template_path": "cel.yml.hbs", "title": "Daily Top trending Events", "description": "Collecting Daily Top trending events via API. Requires Enterprise or Enterprise Plus subscription.", "enabled": false, "ingestion_method": "API" } ], "package": "ti_google_threat_intelligence", "path": "trending" }, { "type": "logs", "dataset": "ti_google_threat_intelligence.vulnerability_weaponization", "title": "Vulnerability Weaponization Events", "release": "beta", "ingest_pipeline": "default", "streams": [ { "input": "cel", "vars": [ { "name": "initial_interval", "type": "text", "title": "Initial Interval", "description": "How far back to pull events from the Google Threat Intelligence API. Requests newer than the availability delay are clamped to the latest available package. Supported units are h.", "multi": false, "required": true, "show_user": true, "default": "2h" }, { "name": "availability_delay", "type": "text", "title": "Availability Delay", "description": "Time between a threat list package hour and when Google makes that package available. Supported units are h, m and s.", "multi": false, "required": true, "show_user": false, "default": "2h" }, { "name": "interval", "type": "text", "title": "Interval", "description": "Duration between consecutive scheduled requests to the Google Threat Intelligence API. The CEL program only requests threat list packages after the configured availability delay, so a 1h interval safely checks each hourly package once it is available. Supported units are h.", "multi": false, "required": true, "show_user": true, "default": "1h" }, { "name": "query", "type": "text", "title": "Query [Query Params]", "description": "Query to filter the results.", "multi": false, "required": false, "show_user": false }, { "name": "http_client_timeout", "type": "text", "title": "HTTP Client Timeout", "description": "Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h.", "multi": false, "required": true, "show_user": false, "default": "30s" }, { "name": "enable_request_tracer", "type": "bool", "title": "Enable request tracing", "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_filename) for details.", "multi": false, "required": false, "show_user": false, "default": false }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "google_threat_intelligence-vulnerability_weaponization" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": false, "show_user": true, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed.", "multi": false, "required": false, "show_user": false } ], "template_path": "cel.yml.hbs", "title": "Vulnerability Weaponization Events", "description": "Collecting Vulnerability Weaponization events via API. Requires Enterprise Plus subscription.", "enabled": false, "ingestion_method": "API" } ], "package": "ti_google_threat_intelligence", "path": "vulnerability_weaponization" } ] }