diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 618d324c2f3..e745c7adcb4 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -93,6 +93,7 @@
/packages/aws_vpcflow_otel @elastic/obs-infraobs-integrations
/packages/awsfargate @elastic/obs-infraobs-integrations
/packages/awsfirehose @elastic/obs-ds-hosted-services
+/packages/axonius @elastic/security-service-integrations
/packages/azure @elastic/obs-infraobs-integrations @elastic/obs-ds-hosted-services @elastic/security-service-integrations
/packages/azure/data_stream/activitylogs @elastic/obs-infraobs-integrations
/packages/azure/data_stream/application_gateway @elastic/security-service-integrations
diff --git a/packages/axonius/_dev/build/build.yml b/packages/axonius/_dev/build/build.yml
new file mode 100644
index 00000000000..b2596b96490
--- /dev/null
+++ b/packages/axonius/_dev/build/build.yml
@@ -0,0 +1,3 @@
+dependencies:
+ ecs:
+ reference: git@v9.2.0
diff --git a/packages/axonius/_dev/build/docs/README.md b/packages/axonius/_dev/build/docs/README.md
new file mode 100644
index 00000000000..c3b0a29f13d
--- /dev/null
+++ b/packages/axonius/_dev/build/docs/README.md
@@ -0,0 +1,156 @@
+# Axonius Integration for Elastic
+
+## Overview
+
+[Axonius](https://www.axonius.com/) is a cybersecurity asset management platform that automatically collects data from hundreds of IT and security tools through adapters, merges that information, and builds a unified inventory of all assets including devices, users, SaaS apps, cloud instances, and more. By correlating data from multiple systems, Axonius helps organizations identify visibility gaps, missing security controls, risky configurations, and compliance issues. It lets you create powerful queries to answer any security or IT question and automate actions such as sending alerts, creating tickets, or enforcing policies.
+
+This integration for Elastic allows you to collect assets and security events data using the Axonius API, then visualize the data in Kibana.
+
+### Compatibility
+The Axonius integration is compatible with product version **7.0**.
+
+### How it works
+This integration periodically queries the Axonius API to retrieve logs.
+
+## What data does this integration collect?
+This integration collects log messages of the following type:
+
+- `Application`: Collect details of all application assets including:
+ - software (endpoint: `/api/v2/software`)
+ - saas_applications (endpoint: `/api/v2/saas_applications`)
+ - application_settings (endpoint: `/api/v2/application_settings`)
+ - licenses (endpoint: `/api/v2/licenses`)
+ - expenses (endpoint: `/api/v2/expenses`)
+ - admin_managed_extensions (endpoint: `/api/v2/admin_managed_extensions`)
+ - user_initiated_extensions (endpoint: `/api/v2/user_initiated_extensions`)
+ - application_addons (endpoint: `/api/v2/application_addons`)
+ - admin_managed_extension_instances (endpoint: `/api/v2/admin_managed_extension_instances`)
+ - user_initiated_extension_instances (endpoint: `/api/v2/user_initiated_extension_instances`)
+ - application_addon_instances (endpoint: `/api/v2/application_addon_instances`)
+ - application_keys (endpoint: `/api/v2/application_keys`)
+ - audit_activities (endpoint: `/api/v2/audit_activities`)
+ - business_applications (endpoint: `/api/v2/business_applications`)
+ - urls (endpoint: `/api/v2/urls`)
+ - application_services (endpoint: `/api/v2/application_services`)
+ - application_resources (endpoint: `/api/v2/application_resources`)
+ - secrets (endpoint: `/api/v2/secrets`)
+
+### Supported use cases
+
+Integrating the Axonius Application Datastream with Elastic SIEM provides clear visibility into application related activity and usage across the environment. This datastream helps analysts understand how business applications and installed software are being used, where activity is occurring, and which applications are most active or impactful.
+
+It offers consolidated views of business applications, installed software, sources, users, and domains, enabling teams to quickly validate application activity, assess risk especially for SaaS applications and understand how events are distributed across asset types and actions. Time based trends and activity status insights help identify spikes, dormant applications, or unusual behavior patterns.
+
+These insights enable organizations to monitor application usage, detect risky or unauthorized application activity, maintain accurate application inventories, and support investigations where application related context is critical.
+
+## What do I need to use this integration?
+
+### From Elastic
+
+This integration installs [Elastic latest transforms](https://www.elastic.co/docs/explore-analyze/transforms/transform-overview#latest-transform-overview). For more details, check the [Transform](https://www.elastic.co/docs/explore-analyze/transforms/transform-setup) setup and requirements.
+
+### From Axonius
+
+To collect data through the Axonius APIs, you need to provide the **URL**, **API Key** and **API Secret**. Authentication is handled using the **API Key** and **API Secret**, which serves as the required credential.
+
+#### Retrieve URL, API Token and API Secret:
+
+1. Log in to the **Axonius** instance.
+2. Your instance URL is your Base **URL**.
+3. Navigate to **User Settings > API Key**.
+4. Generate an **API Key**.
+5. If you do not see the API Key tab in your user settings, follow these steps:
+ 1. Go to **System Settings** > **User and Role Management** > **Service Accounts**.
+ 2. Create a Service Account, and then generate an **API Key**.
+6. Copy both values including **API Key and Secret Key** and store them securely for use in the Integration configuration.
+
+**Note:**
+To generate or reset an API key, your role must be **Admin**, and you must have **API Access** permissions, which include **API Access Enabled** and **Reset API Key**.
+
+## How do I deploy this integration?
+
+This integration supports both Elastic Agentless-based and Agent-based installations.
+
+### Agent-based deployment
+
+Elastic Agent must be installed. For more details, check the Elastic Agent [installation instructions](docs-content://reference/fleet/install-elastic-agents.md). You can install only one Elastic Agent per host.
+
+Elastic Agent is required to stream data from the syslog or log file receiver and ship the data to Elastic, where the events will then be processed via the integration's ingest pipelines.
+
+### Agentless deployment
+
+Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. Agentless deployments provide a means to ingest data while avoiding the orchestration, management, and maintenance needs associated with standard ingest infrastructure. Using an agentless deployment makes manual agent deployment unnecessary, allowing you to focus on your data instead of the agent that collects it.
+
+For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html)
+
+### Configure
+
+1. In the top search bar in Kibana, search for **Integrations**.
+2. In the search bar, type **Axonius**.
+3. Select the **Axonius** integration from the search results.
+4. Select **Add Axonius** to add the integration.
+5. Enable and configure only the collection methods which you will use.
+
+ * To **Collect logs from Axonius API**, you'll need to:
+
+ - Configure **URL**, **API Key** and **API Secret**.
+ - Adjust the integration configuration parameters if required, including the Interval, HTTP Client Timeout etc. to enable data collection.
+
+6. Select **Save and continue** to save the integration.
+
+### Validation
+
+#### Dashboard populated
+
+1. In the top search bar in Kibana, search for **Dashboards**.
+2. In the search bar, type **Axonius**, and verify the dashboard information is populated.
+
+#### Transforms healthy
+
+1. In the top search bar in Kibana, search for **Transforms**.
+2. Select the **Data / Transforms** from the search results.
+3. In the search bar, type **Axonius**.
+4. All transforms from the search results should indicate **Healthy** under the **Health** column.
+
+## Troubleshooting
+
+For help with Elastic ingest tools, check [Common problems](https://www.elastic.co/docs/troubleshoot/ingest/fleet/common-problems).
+
+## Scaling
+
+For more information on architectures that can be used for scaling this integration, check the [Ingest Architectures](https://www.elastic.co/docs/manage-data/ingest/ingest-reference-architectures) documentation.
+
+## Reference
+
+
+### Inputs used
+{{/* All inputs used by this package will be automatically listed here. */}}
+{{ inputDocs }}
+
+### API usage
+
+These APIs are used with this integration:
+
+* Application:
+ * software (endpoint: `/api/v2/software`)
+ * saas_applications (endpoint: `/api/v2/saas_applications`)
+ * application_settings (endpoint: `/api/v2/application_settings`)
+ * licenses (endpoint: `/api/v2/licenses`)
+ * expenses (endpoint: `/api/v2/expenses`)
+ * admin_managed_extensions (endpoint: `/api/v2/admin_managed_extensions`)
+ * user_initiated_extensions (endpoint: `/api/v2/user_initiated_extensions`)
+ * application_addons (endpoint: `/api/v2/application_addons`)
+ * admin_managed_extension_instances (endpoint: `/api/v2/admin_managed_extension_instances`)
+ * user_initiated_extension_instances (endpoint: `/api/v2/user_initiated_extension_instances`)
+ * application_addon_instances (endpoint: `/api/v2/application_addon_instances`)
+ * application_keys (endpoint: `/api/v2/application_keys`)
+ * audit_activities (endpoint: `/api/v2/audit_activities`)
+ * business_applications (endpoint: `/api/v2/business_applications`)
+ * urls (endpoint: `/api/v2/urls`)
+ * application_services (endpoint: `/api/v2/application_services`)
+ * application_resources (endpoint: `/api/v2/application_resources`)
+ * secrets (endpoint: `/api/v2/secrets`)
+
+#### ILM Policy
+
+To facilitate application data, source data stream-backed indices `.ds-logs-axonius.application-*` are allowed to contain duplicates from each polling interval. ILM policy `logs-axonius.application-default_policy` is added to these source indices, so it doesn't lead to unbounded growth. This means that in these source indices data will be deleted after `30 days` from ingested date.
\ No newline at end of file
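Review bot: The endpoint lists under "What data does this integration collect?" and "API usage" give paths such as `/api/v2/software`, but the mock server rules in `_dev/deploy/docker/files/config.yml` serve `/api/v2/assets/software` over `POST`; document the path the input actually calls. Two further documentation points in this file: the "Agent-based deployment" paragraph says Elastic Agent streams data "from the syslog or log file receiver", which does not fit "This integration periodically queries the Axonius API", and the heading "Retrieve URL, API Token and API Secret" should say API Key to match the rest of the page. Since `application_keys` and `secrets` are among the collected asset types and the note says an Admin role is needed to generate the key, it would help to state which fields of those assets end up indexed and whether a dedicated service account with reduced permissions is enough for collection. The file also ends without a trailing newline.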
diff --git a/packages/axonius/_dev/deploy/docker/docker-compose.yml b/packages/axonius/_dev/deploy/docker/docker-compose.yml
new file mode 100644
index 00000000000..2c44356c631
--- /dev/null
+++ b/packages/axonius/_dev/deploy/docker/docker-compose.yml
@@ -0,0 +1,15 @@
+version: '3.8'
+services:
+ axonius:
+ image: docker.elastic.co/observability/stream:v0.20.0
+ hostname: axonius
+ ports:
+ - 8090
+ volumes:
+ - ./files:/files:ro
+ environment:
+ PORT: '8090'
+ command:
+ - http-server
+ - --addr=:8090
+ - --config=/files/config.yml
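Review bot: The top-level `version: '3.8'` key is obsolete under the Compose Specification and current Docker Compose ignores it with a warning, so it can be dropped. The listen port is also written in two places, `PORT: '8090'` and `--addr=:8090`; if the server does not read the `PORT` variable, remove it so the two values cannot drift apart.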
diff --git a/packages/axonius/_dev/deploy/docker/files/config.yml b/packages/axonius/_dev/deploy/docker/files/config.yml
new file mode 100644
index 00000000000..5af8ef80dd2
--- /dev/null
+++ b/packages/axonius/_dev/deploy/docker/files/config.yml
@@ -0,0 +1,938 @@
+rules:
+ - path: /api/v2/assets/business_applications
+ methods: ['POST']
+ request_headers:
+ Content-Type: application/json
+ api-key: xxxx
+ api-secret: xxxx
+ request_body: /.*"next_page":"xyz".*"page":{"limit":2}.*/
+ responses:
+ - status_code: 200
+ headers:
+ Content-Type:
+ - 'application/json'
+ body: |-
+ {{ minify_json `
+ {
+ "assets": [
+ {
+ "internal_axon_id": "fa36eeaca80149f5f261fc18240de657",
+ "adapters": [
+ "service_now_adapter"
+ ],
+ "adapter_list_length": 1,
+ "specific_data": [
+ {
+ "accurate_for_datetime": "Wed, 17 Dec 2025 00:03:13 GMT",
+ "adapter_categories": [
+ "CMDB",
+ "ITAM/ITSM",
+ "Ticketing",
+ "SaaS Management"
+ ],
+ "client_used": "67fd0999fe1c8e812a176ba2",
+ "data": {
+ "accurate_for_datetime": "Wed, 17 Dec 2025 00:03:13 GMT",
+ "application_and_account_name": "servicenow/servicenow-dev",
+ "application_type": "SaaS",
+ "business_criticality": "Medium",
+ "business_owner": "Dorthy Barth",
+ "devices_count": 0,
+ "devices_count_link": [
+ {
+ "bracketWeight": 0,
+ "compOp": "equals",
+ "field": "adapters_data.service_now_adapter.cmdb_business_applications.sys_id",
+ "leftBracket": 0,
+ "logicOp": "",
+ "not": false,
+ "rightBracket": 0,
+ "value": "98369014-c3f8-407e-8158-59357719bbb0"
+ }
+ ],
+ "fetch_time": "Wed, 17 Dec 2025 00:02:56 GMT",
+ "first_fetch_time": "Tue, 16 Dec 2025 00:02:49 GMT",
+ "from_last_fetch": true,
+ "id": "6fb8c6bfd6ebe93798d5",
+ "id_raw": "98369014-c3f8-407e-8158-59357719bbb0",
+ "install_status": "In Production",
+ "is_fetched_from_adapter": true,
+ "it_application_owner": "Patrick Dawson",
+ "last_fetch_connection_id": "67fd0999fe1c8e812a176ba2",
+ "last_fetch_connection_label": "servicenow-dev",
+ "managed_by": "Jeannette Hamilton",
+ "name": "Twilio",
+ "not_fetched_count": 0,
+ "number": "APM0019397",
+ "operational_status": "In Production",
+ "remote_id": "4fba07bD51EF670CC350",
+ "short_description": "Twilio supports SMS service - Supports application registration through SMS - enables OTP-based SMS transactions",
+ "source_application": "ServiceNow",
+ "tenant_number": [
+ "1"
+ ],
+ "type": "BusinessApplications",
+ "z_table_hierarchy": [
+ "cmdb_ci_business_app",
+ "cmdb_ci",
+ "cmdb"
+ ]
+ },
+ "initial_plugin_unique_name": "service_now_adapter_0",
+ "plugin_name": "service_now_adapter",
+ "plugin_type": "Adapter",
+ "plugin_unique_name": "service_now_adapter_0",
+ "quick_id": "service_now_adapter_0!6fb8c6bfd6ebe93798d5",
+ "type": "entitydata"
+ }
+ ]
+ }
+ ],
+ "meta": {
+ "cache_last_updated": "Wed, 17 Dec 2025 09:17:32 GMT",
+ "is_data_from_cache": true,
+ "page": {
+ "number": 2,
+ "size": 1,
+ "totalPages": 2,
+ "totalResources": 3
+ },
+ "next_page": "abc",
+ "expand_row": false,
+ "optimized_view": false,
+ "relation_fields_data": false
+ }
+ }
+ `}}
+
+ - path: /api/v2/assets/business_applications
+ methods: ['POST']
+ request_headers:
+ Content-Type: application/json
+ api-key: xxxx
+ api-secret: xxxx
+ request_body: /.*"page":{"limit":2}.*/
+ responses:
+ - status_code: 200
+ headers:
+ Content-Type:
+ - 'application/json'
+ body: |-
+ {{ minify_json `
+ {
+ "assets": [
+ {
+ "internal_axon_id": "045df59cc8b3d0aa91d5be2b8c63dba3",
+ "adapters": [
+ "service_now_adapter"
+ ],
+ "adapter_list_length": 1,
+ "specific_data": [
+ {
+ "accurate_for_datetime": "Wed, 17 Dec 2025 00:03:13 GMT",
+ "adapter_categories": [
+ "CMDB",
+ "ITAM/ITSM",
+ "Ticketing",
+ "SaaS Management"
+ ],
+ "client_used": "67fd0999fe1c8e812a176ba2",
+ "data": {
+ "accurate_for_datetime": "Wed, 17 Dec 2025 00:03:13 GMT",
+ "application_and_account_name": "servicenow/servicenow-dev",
+ "application_type": "SaaS",
+ "business_criticality": "Low",
+ "business_owner": "Teresa Sears",
+ "devices_count": 0,
+ "devices_count_link": [
+ {
+ "bracketWeight": 0,
+ "compOp": "equals",
+ "field": "adapters_data.service_now_adapter.cmdb_business_applications.sys_id",
+ "leftBracket": 0,
+ "logicOp": "",
+ "not": false,
+ "rightBracket": 0,
+ "value": "7e88c321-f547-4edf-a9c0-e7cff280cc22"
+ }
+ ],
+ "fetch_time": "Wed, 17 Dec 2025 00:02:56 GMT",
+ "first_fetch_time": "Tue, 16 Dec 2025 00:02:49 GMT",
+ "from_last_fetch": true,
+ "id": "58dc01a7857992bdbb7f",
+ "id_raw": "7e88c321-f547-4edf-a9c0-e7cff280cc22",
+ "install_status": "In Production",
+ "is_fetched_from_adapter": true,
+ "it_application_owner": "Wilma Connell",
+ "last_fetch_connection_id": "67fd0999fe1c8e812a176ba2",
+ "last_fetch_connection_label": "servicenow-dev",
+ "managed_by": "Stephen Kahaleua",
+ "name": "Quit for Life",
+ "not_fetched_count": 0,
+ "number": "APM0008088",
+ "operational_status": "In Production",
+ "remote_id": "F28ebA86E7D4B3F9F4FA",
+ "short_description": "Quit for Life is a smoking cessation program that treats every tobacco user as a unique individual and tailors a quitting program based on participants needs. This benefit is available to US NAM employee base.",
+ "source_application": "ServiceNow",
+ "tenant_number": [
+ "2"
+ ],
+ "type": "BusinessApplications",
+ "z_table_hierarchy": [
+ "cmdb_ci_business_app",
+ "cmdb_ci",
+ "cmdb"
+ ]
+ },
+ "initial_plugin_unique_name": "service_now_adapter_0",
+ "plugin_name": "service_now_adapter",
+ "plugin_type": "Adapter",
+ "plugin_unique_name": "service_now_adapter_0",
+ "quick_id": "service_now_adapter_0!58dc01a7857992bdbb7f",
+ "type": "entitydata"
+ }
+ ]
+ },
+ {
+ "internal_axon_id": "fa36eeaca80149f5f261fc18240de657",
+ "adapters": [
+ "service_now_adapter"
+ ],
+ "adapter_list_length": 1,
+ "specific_data": [
+ {
+ "accurate_for_datetime": "Wed, 17 Dec 2025 00:03:13 GMT",
+ "adapter_categories": [
+ "CMDB",
+ "ITAM/ITSM",
+ "Ticketing",
+ "SaaS Management"
+ ],
+ "client_used": "67fd0999fe1c8e812a176ba2",
+ "data": {
+ "accurate_for_datetime": "Wed, 17 Dec 2025 00:03:13 GMT",
+ "application_and_account_name": "servicenow/servicenow-dev",
+ "application_type": "SaaS",
+ "business_criticality": "Medium",
+ "business_owner": "Dorthy Barth",
+ "devices_count": 0,
+ "devices_count_link": [
+ {
+ "bracketWeight": 0,
+ "compOp": "equals",
+ "field": "adapters_data.service_now_adapter.cmdb_business_applications.sys_id",
+ "leftBracket": 0,
+ "logicOp": "",
+ "not": false,
+ "rightBracket": 0,
+ "value": "98369014-c3f8-407e-8158-59357719bbb0"
+ }
+ ],
+ "fetch_time": "Wed, 17 Dec 2025 00:02:56 GMT",
+ "first_fetch_time": "Tue, 16 Dec 2025 00:02:49 GMT",
+ "from_last_fetch": true,
+ "id": "6fb8c6bfd6ebe93798d5",
+ "id_raw": "98369014-c3f8-407e-8158-59357719bbb0",
+ "install_status": "In Production",
+ "is_fetched_from_adapter": true,
+ "it_application_owner": "Patrick Dawson",
+ "last_fetch_connection_id": "67fd0999fe1c8e812a176ba2",
+ "last_fetch_connection_label": "servicenow-dev",
+ "managed_by": "Jeannette Hamilton",
+ "name": "Twilio",
+ "not_fetched_count": 0,
+ "number": "APM0019397",
+ "operational_status": "In Production",
+ "remote_id": "4fba07bD51EF670CC350",
+ "short_description": "Twilio supports SMS service - Supports application registration through SMS - enables OTP-based SMS transactions",
+ "source_application": "ServiceNow",
+ "tenant_number": [
+ "1"
+ ],
+ "type": "BusinessApplications",
+ "z_table_hierarchy": [
+ "cmdb_ci_business_app",
+ "cmdb_ci",
+ "cmdb"
+ ]
+ },
+ "initial_plugin_unique_name": "service_now_adapter_0",
+ "plugin_name": "service_now_adapter",
+ "plugin_type": "Adapter",
+ "plugin_unique_name": "service_now_adapter_0",
+ "quick_id": "service_now_adapter_0!6fb8c6bfd6ebe93798d5",
+ "type": "entitydata"
+ }
+ ]
+ }
+ ],
+ "meta": {
+ "cache_last_updated": "Wed, 17 Dec 2025 09:17:32 GMT",
+ "is_data_from_cache": true,
+ "page": {
+ "number": 1,
+ "size": 2,
+ "totalPages": 2,
+ "totalResources": 3
+ },
+ "next_page": "xyz",
+ "expand_row": false,
+ "optimized_view": false,
+ "relation_fields_data": false
+ }
+ }
+ `}}
+
+ - path: /api/v2/assets/saas_applications
+ methods: ['POST']
+ request_headers:
+ Content-Type: application/json
+ api-key: xxxx
+ api-secret: xxxx
+ request_body: /.*"page":{"limit":2}.*/
+ responses:
+ - status_code: 200
+ headers:
+ Content-Type:
+ - 'application/json'
+ body: |-
+ {{ minify_json `
+ {
+ "assets": [],
+ "meta": {
+ "cache_last_updated": "Wed, 17 Dec 2025 10:09:03 GMT",
+ "is_data_from_cache": true,
+ "page": {
+ "number": 1,
+ "size": 0,
+ "totalPages": 0,
+ "totalResources": 0
+ },
+ "expand_row": false,
+ "optimized_view": false,
+ "relation_fields_data": false
+ }
+ }
+ `}}
+
+ - path: /api/v2/assets/software
+ methods: ['POST']
+ request_headers:
+ Content-Type: application/json
+ api-key: xxxx
+ api-secret: xxxx
+ request_body: /.*"page":{"limit":2}.*/
+ responses:
+ - status_code: 200
+ headers:
+ Content-Type:
+ - 'application/json'
+ body: |-
+ {{ minify_json `
+ {
+ "assets": [],
+ "meta": {
+ "cache_last_updated": "Wed, 17 Dec 2025 10:09:03 GMT",
+ "is_data_from_cache": true,
+ "page": {
+ "number": 1,
+ "size": 0,
+ "totalPages": 0,
+ "totalResources": 0
+ },
+ "expand_row": false,
+ "optimized_view": false,
+ "relation_fields_data": false
+ }
+ }
+ `}}
+
+ - path: /api/v2/assets/application_settings
+ methods: ['POST']
+ request_headers:
+ Content-Type: application/json
+ api-key: xxxx
+ api-secret: xxxx
+ request_body: /.*"page":{"limit":2}.*/
+ responses:
+ - status_code: 200
+ headers:
+ Content-Type:
+ - 'application/json'
+ body: |-
+ {{ minify_json `
+ {
+ "assets": [],
+ "meta": {
+ "cache_last_updated": "Wed, 17 Dec 2025 10:09:03 GMT",
+ "is_data_from_cache": true,
+ "page": {
+ "number": 1,
+ "size": 0,
+ "totalPages": 0,
+ "totalResources": 0
+ },
+ "expand_row": false,
+ "optimized_view": false,
+ "relation_fields_data": false
+ }
+ }
+ `}}
+
+ - path: /api/v2/assets/licenses
+ methods: ['POST']
+ request_headers:
+ Content-Type: application/json
+ api-key: xxxx
+ api-secret: xxxx
+ request_body: /.*"page":{"limit":2}.*/
+ responses:
+ - status_code: 200
+ headers:
+ Content-Type:
+ - 'application/json'
+ body: |-
+ {{ minify_json `
+ {
+ "assets": [],
+ "meta": {
+ "cache_last_updated": "Wed, 17 Dec 2025 10:09:03 GMT",
+ "is_data_from_cache": true,
+ "page": {
+ "number": 1,
+ "size": 0,
+ "totalPages": 0,
+ "totalResources": 0
+ },
+ "expand_row": false,
+ "optimized_view": false,
+ "relation_fields_data": false
+ }
+ }
+ `}}
+
+ - path: /api/v2/assets/expenses
+ methods: ['POST']
+ request_headers:
+ Content-Type: application/json
+ api-key: xxxx
+ api-secret: xxxx
+ request_body: /.*"page":{"limit":2}.*/
+ responses:
+ - status_code: 200
+ headers:
+ Content-Type:
+ - 'application/json'
+ body: |-
+ {{ minify_json `
+ {
+ "assets": [
+ {
+ "internal_axon_id": "21ae8c22895e7c031b589896f694d2d7",
+ "adapters": [
+ "expenses_csv_adapter"
+ ],
+ "adapter_list_length": 1,
+ "specific_data": [
+ {
+ "accurate_for_datetime": "Wed, 17 Dec 2025 00:02:48 GMT",
+ "adapter_categories": [
+ "SaaS Management"
+ ],
+ "client_used": "67fd09f23c68ed1b541bb4bb",
+ "data": {
+ "accurate_for_datetime": "Wed, 17 Dec 2025 00:02:48 GMT",
+ "amount": 360,
+ "application_and_account_name": "csv - expenses/expenses_csv-demo",
+ "department": "R&D",
+ "fetch_time": "Wed, 17 Dec 2025 00:02:48 GMT",
+ "first_fetch_time": "Sun, 14 Dec 2025 16:50:44 GMT",
+ "from_last_fetch": true,
+ "id": "a24384edf8e865475c10",
+ "id_raw": "10bf1488-dd28-4189-9d46-5b887dcbf47c",
+ "is_fetched_from_adapter": true,
+ "last_fetch_connection_id": "67fd09f23c68ed1b541bb4bb",
+ "last_fetch_connection_label": "expenses_csv-demo",
+ "not_fetched_count": 0,
+ "pretty_id": "AX-2427031329160723459",
+ "related_user": {
+ "email": "tomi.lynch@demo.local",
+ "full_name": {},
+ "remote_id": "62a204d1-6f2a-4cc0-a740-ed17a61bdcbd",
+ "username": "tomi.lynch@demo.local"
+ },
+ "related_vendor_name": "Salesforce",
+ "sm_entity_type": "expense",
+ "source_application": "CSV - Expenses",
+ "tenant_number": [
+ "2"
+ ],
+ "transaction_time": "Mon, 28 Jul 2025 14:31:35 GMT",
+ "type": "Expenses",
+ "user_email": "tomi.lynch@demo.local",
+ "vendor_category": "Productivity"
+ },
+ "initial_plugin_unique_name": "expenses_csv_adapter_0",
+ "plugin_name": "expenses_csv_adapter",
+ "plugin_type": "Adapter",
+ "plugin_unique_name": "expenses_csv_adapter_0",
+ "quick_id": "expenses_csv_adapter_0!a24384edf8e865475c10",
+ "type": "entitydata"
+ }
+ ]
+ },
+ {
+ "internal_axon_id": "71e8b4a61d0852bed23f3dbd8f5c86f6",
+ "adapters": [
+ "expenses_csv_adapter"
+ ],
+ "adapter_list_length": 1,
+ "specific_data": [
+ {
+ "accurate_for_datetime": "Wed, 17 Dec 2025 00:02:48 GMT",
+ "adapter_categories": [
+ "SaaS Management"
+ ],
+ "client_used": "67fd09f23c68ed1b541bb4bb",
+ "data": {
+ "accurate_for_datetime": "Wed, 17 Dec 2025 00:02:48 GMT",
+ "amount": 258,
+ "application_and_account_name": "csv - expenses/expenses_csv-demo",
+ "department": "R&D",
+ "fetch_time": "Wed, 17 Dec 2025 00:02:48 GMT",
+ "first_fetch_time": "Sun, 14 Dec 2025 16:50:44 GMT",
+ "from_last_fetch": true,
+ "id": "f179adebeeef28c49a71",
+ "id_raw": "96c11552-4711-486c-b4d2-418df48a1f83",
+ "is_fetched_from_adapter": true,
+ "last_fetch_connection_id": "67fd09f23c68ed1b541bb4bb",
+ "last_fetch_connection_label": "expenses_csv-demo",
+ "not_fetched_count": 0,
+ "pretty_id": "AX-8208008946427384510",
+ "related_user": {
+ "email": "philip.arebalo@demo.local",
+ "full_name": {},
+ "remote_id": "53f02e9c-3522-4f39-9976-0f0c9f409ce2",
+ "username": "philip.arebalo@demo.local"
+ },
+ "related_vendor_name": "Linkedin",
+ "sm_entity_type": "expense",
+ "source_application": "CSV - Expenses",
+ "tenant_number": [
+ "2"
+ ],
+ "transaction_time": "Fri, 24 Oct 2025 14:31:35 GMT",
+ "type": "Expenses",
+ "user_email": "philip.arebalo@demo.local",
+ "vendor_category": "Social"
+ },
+ "initial_plugin_unique_name": "expenses_csv_adapter_0",
+ "plugin_name": "expenses_csv_adapter",
+ "plugin_type": "Adapter",
+ "plugin_unique_name": "expenses_csv_adapter_0",
+ "quick_id": "expenses_csv_adapter_0!f179adebeeef28c49a71",
+ "type": "entitydata"
+ }
+ ]
+ }
+ ],
+ "meta": {
+ "cache_last_updated": "Wed, 17 Dec 2025 10:14:25 GMT",
+ "is_data_from_cache": true,
+ "page": {
+ "number": 1,
+ "size": 2,
+ "totalPages": 1,
+ "totalResources": 2
+ },
+ "next_page": "abc",
+ "expand_row": false,
+ "optimized_view": false,
+ "relation_fields_data": false
+ }
+ }
+ `}}
+
+ - path: /api/v2/assets/admin_managed_extensions
+ methods: ['POST']
+ request_headers:
+ Content-Type: application/json
+ api-key: xxxx
+ api-secret: xxxx
+ request_body: /.*"page":{"limit":2}.*/
+ responses:
+ - status_code: 200
+ headers:
+ Content-Type:
+ - 'application/json'
+ body: |-
+ {{ minify_json `
+ {
+ "assets": [],
+ "meta": {
+ "cache_last_updated": "Wed, 17 Dec 2025 10:09:03 GMT",
+ "is_data_from_cache": true,
+ "page": {
+ "number": 1,
+ "size": 0,
+ "totalPages": 0,
+ "totalResources": 0
+ },
+ "expand_row": false,
+ "optimized_view": false,
+ "relation_fields_data": false
+ }
+ }
+ `}}
+
+ - path: /api/v2/assets/user_initiated_extensions
+ methods: ['POST']
+ request_headers:
+ Content-Type: application/json
+ api-key: xxxx
+ api-secret: xxxx
+ request_body: /.*"page":{"limit":2}.*/
+ responses:
+ - status_code: 200
+ headers:
+ Content-Type:
+ - 'application/json'
+ body: |-
+ {{ minify_json `
+ {
+ "assets": [],
+ "meta": {
+ "cache_last_updated": "Wed, 17 Dec 2025 10:09:03 GMT",
+ "is_data_from_cache": true,
+ "page": {
+ "number": 1,
+ "size": 0,
+ "totalPages": 0,
+ "totalResources": 0
+ },
+ "expand_row": false,
+ "optimized_view": false,
+ "relation_fields_data": false
+ }
+ }
+ `}}
+
+ - path: /api/v2/assets/application_addons
+ methods: ['POST']
+ request_headers:
+ Content-Type: application/json
+ api-key: xxxx
+ api-secret: xxxx
+ request_body: /.*"page":{"limit":2}.*/
+ responses:
+ - status_code: 200
+ headers:
+ Content-Type:
+ - 'application/json'
+ body: |-
+ {{ minify_json `
+ {
+ "assets": [],
+ "meta": {
+ "cache_last_updated": "Wed, 17 Dec 2025 10:09:03 GMT",
+ "is_data_from_cache": true,
+ "page": {
+ "number": 1,
+ "size": 0,
+ "totalPages": 0,
+ "totalResources": 0
+ },
+ "expand_row": false,
+ "optimized_view": false,
+ "relation_fields_data": false
+ }
+ }
+ `}}
+
+ - path: /api/v2/assets/admin_managed_extension_instances
+ methods: ['POST']
+ request_headers:
+ Content-Type: application/json
+ api-key: xxxx
+ api-secret: xxxx
+ request_body: /.*"page":{"limit":2}.*/
+ responses:
+ - status_code: 200
+ headers:
+ Content-Type:
+ - 'application/json'
+ body: |-
+ {{ minify_json `
+ {
+ "assets": [],
+ "meta": {
+ "cache_last_updated": "Wed, 17 Dec 2025 10:09:03 GMT",
+ "is_data_from_cache": true,
+ "page": {
+ "number": 1,
+ "size": 0,
+ "totalPages": 0,
+ "totalResources": 0
+ },
+ "expand_row": false,
+ "optimized_view": false,
+ "relation_fields_data": false
+ }
+ }
+ `}}
+
+ - path: /api/v2/assets/user_initiated_extension_instances
+ methods: ['POST']
+ request_headers:
+ Content-Type: application/json
+ api-key: xxxx
+ api-secret: xxxx
+ request_body: /.*"page":{"limit":2}.*/
+ responses:
+ - status_code: 200
+ headers:
+ Content-Type:
+ - 'application/json'
+ body: |-
+ {{ minify_json `
+ {
+ "assets": [],
+ "meta": {
+ "cache_last_updated": "Wed, 17 Dec 2025 10:09:03 GMT",
+ "is_data_from_cache": true,
+ "page": {
+ "number": 1,
+ "size": 0,
+ "totalPages": 0,
+ "totalResources": 0
+ },
+ "expand_row": false,
+ "optimized_view": false,
+ "relation_fields_data": false
+ }
+ }
+ `}}
+
+ - path: /api/v2/assets/application_addon_instances
+ methods: ['POST']
+ request_headers:
+ Content-Type: application/json
+ api-key: xxxx
+ api-secret: xxxx
+ request_body: /.*"page":{"limit":2}.*/
+ responses:
+ - status_code: 200
+ headers:
+ Content-Type:
+ - 'application/json'
+ body: |-
+ {{ minify_json `
+ {
+ "assets": [],
+ "meta": {
+ "cache_last_updated": "Wed, 17 Dec 2025 10:09:03 GMT",
+ "is_data_from_cache": true,
+ "page": {
+ "number": 1,
+ "size": 0,
+ "totalPages": 0,
+ "totalResources": 0
+ },
+ "expand_row": false,
+ "optimized_view": false,
+ "relation_fields_data": false
+ }
+ }
+ `}}
+
+ - path: /api/v2/assets/application_keys
+ methods: ['POST']
+ request_headers:
+ Content-Type: application/json
+ api-key: xxxx
+ api-secret: xxxx
+ request_body: /.*"page":{"limit":2}.*/
+ responses:
+ - status_code: 200
+ headers:
+ Content-Type:
+ - 'application/json'
+ body: |-
+ {{ minify_json `
+ {
+ "assets": [],
+ "meta": {
+ "cache_last_updated": "Wed, 17 Dec 2025 10:09:03 GMT",
+ "is_data_from_cache": true,
+ "page": {
+ "number": 1,
+ "size": 0,
+ "totalPages": 0,
+ "totalResources": 0
+ },
+ "expand_row": false,
+ "optimized_view": false,
+ "relation_fields_data": false
+ }
+ }
+ `}}
+
+ - path: /api/v2/assets/audit_activities
+ methods: ['POST']
+ request_headers:
+ Content-Type: application/json
+ api-key: xxxx
+ api-secret: xxxx
+ request_body: /.*"page":{"limit":2}.*/
+ responses:
+ - status_code: 200
+ headers:
+ Content-Type:
+ - 'application/json'
+ body: |-
+ {{ minify_json `
+ {
+ "assets": [],
+ "meta": {
+ "cache_last_updated": "Wed, 17 Dec 2025 10:09:03 GMT",
+ "is_data_from_cache": true,
+ "page": {
+ "number": 1,
+ "size": 0,
+ "totalPages": 0,
+ "totalResources": 0
+ },
+ "expand_row": false,
+ "optimized_view": false,
+ "relation_fields_data": false
+ }
+ }
+ `}}
+
+ - path: /api/v2/assets/urls
+ methods: ['POST']
+ request_headers:
+ Content-Type: application/json
+ api-key: xxxx
+ api-secret: xxxx
+ request_body: /.*"page":{"limit":2}.*/
+ responses:
+ - status_code: 200
+ headers:
+ Content-Type:
+ - 'application/json'
+ body: |-
+ {{ minify_json `
+ {
+ "assets": [],
+ "meta": {
+ "cache_last_updated": "Wed, 17 Dec 2025 10:09:03 GMT",
+ "is_data_from_cache": true,
+ "page": {
+ "number": 1,
+ "size": 0,
+ "totalPages": 0,
+ "totalResources": 0
+ },
+ "expand_row": false,
+ "optimized_view": false,
+ "relation_fields_data": false
+ }
+ }
+ `}}
+
+ - path: /api/v2/assets/application_services
+ methods: ['POST']
+ request_headers:
+ Content-Type: application/json
+ api-key: xxxx
+ api-secret: xxxx
+ request_body: /.*"page":{"limit":2}.*/
+ responses:
+ - status_code: 200
+ headers:
+ Content-Type:
+ - 'application/json'
+ body: |-
+ {{ minify_json `
+ {
+ "assets": [],
+ "meta": {
+ "cache_last_updated": "Wed, 17 Dec 2025 10:09:03 GMT",
+ "is_data_from_cache": true,
+ "page": {
+ "number": 1,
+ "size": 0,
+ "totalPages": 0,
+ "totalResources": 0
+ },
+ "expand_row": false,
+ "optimized_view": false,
+ "relation_fields_data": false
+ }
+ }
+ `}}
+
+ - path: /api/v2/assets/application_resources
+ methods: ['POST']
+ request_headers:
+ Content-Type: application/json
+ api-key: xxxx
+ api-secret: xxxx
+ request_body: /.*"page":{"limit":2}.*/
+ responses:
+ - status_code: 200
+ headers:
+ Content-Type:
+ - 'application/json'
+ body: |-
+ {{ minify_json `
+ {
+ "assets": [],
+ "meta": {
+ "cache_last_updated": "Wed, 17 Dec 2025 10:09:03 GMT",
+ "is_data_from_cache": true,
+ "page": {
+ "number": 1,
+ "size": 0,
+ "totalPages": 0,
+ "totalResources": 0
+ },
+ "expand_row": false,
+ "optimized_view": false,
+ "relation_fields_data": false
+ }
+ }
+ `}}
+
+ - path: /api/v2/assets/secrets
+ methods: ['POST']
+ request_headers:
+ Content-Type: application/json
+ api-key: xxxx
+ api-secret: xxxx
+ request_body: /.*"page":{"limit":2}.*/
+ responses:
+ - status_code: 200
+ headers:
+ Content-Type:
+ - 'application/json'
+ body: |-
+ {{ minify_json `
+ {
+ "assets": [],
+ "meta": {
+ "cache_last_updated": "Wed, 17 Dec 2025 10:09:03 GMT",
+ "is_data_from_cache": true,
+ "page": {
+ "number": 1,
+ "size": 0,
+ "totalPages": 0,
+ "totalResources": 0
+ },
+ "expand_row": false,
+ "optimized_view": false,
+ "relation_fields_data": false
+ }
+ }
+ `}}
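Review bot: The mock rules for /api/v2/assets/urls, /api/v2/assets/application_services, /api/v2/assets/application_resources and /api/v2/assets/secrets each return only an empty "assets": [] page, so as far as these rules go the system test checks the request shape for those asset types but never pushes a document through the ingest pipeline. Consider returning at least one representative asset per endpoint so that field mappings for these types are exercised. Separately, request_body: /.*"page":{"limit":2}.*/ leaves { and } unescaped; writing \{ and \} makes it explicit that literal braces are meant rather than a repetition count.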
diff --git a/packages/axonius/changelog.yml b/packages/axonius/changelog.yml
new file mode 100644
index 00000000000..ed1b234a2eb
--- /dev/null
+++ b/packages/axonius/changelog.yml
@@ -0,0 +1,6 @@
+# newer versions go on top
+- version: 0.1.0
+ changes:
+ - description: Initial release.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/16658
diff --git a/packages/axonius/data_stream/application/_dev/test/pipeline/test-application.log b/packages/axonius/data_stream/application/_dev/test/pipeline/test-application.log
new file mode 100644
index 00000000000..2083c59f56f
--- /dev/null
+++ b/packages/axonius/data_stream/application/_dev/test/pipeline/test-application.log
@@ -0,0 +1,8 @@
+{"asset_type":"urls","internal_axon_id":"9c65d891077147892d0e632eb0cf6ebf","adapters":["okta_adapter"],"adapter_list_length":1,"event":{"accurate_for_datetime":"Thu, 13 Nov 2025 00:02:55 GMT","adapter_categories":["IAM","SaaS Management"],"client_used":"67fd09cd782eb39db73d1af1","data":{"domain":"example-domain","accurate_for_datetime":"Thu, 13 Nov 2025 00:02:55 GMT","activity_status_active":0,"activity_status_active_hyperlink":[{"compOp":"equals","field":"specific_data.data.activity_status","leftBracket":0,"logicOp":"and","not":false,"rightBracket":0,"value":"Active"}],"activity_status_inactive":288,"activity_status_inactive_hyperlink":[{"compOp":"equals","field":"specific_data.data.activity_status","leftBracket":0,"logicOp":"and","not":false,"rightBracket":0,"value":"Inactive"}],"app_id":"990f042e1d803894A3ae","application_and_account_name":"okta/okta-demo","auth_type":[],"created":"Wed, 25 Dec 2024 22:17:25 GMT","extension_type":"SSO","fetch_time":"Thu, 13 Nov 2025 00:02:18 GMT","first_fetch_time":"Mon, 14 Apr 2025 13:27:09 GMT","first_seen":"Mon, 22 Apr 2024 21:22:25 GMT","from_last_fetch":true,"grant_types":[],"id":"cd2f40fe8670900112ab","id_raw":"okta_adapter_0!990f042e1d803894A3ae","integration_type":"Admin Managed","is_admin":16,"is_admin_hyperlink":[{"compOp":"true","field":"specific_data.data.permissions.is_admin","leftBracket":0,"logicOp":"and","not":false,"rightBracket":0}],"is_fetched_from_adapter":true,"is_identity":0,"is_identity_hyperlink":[{"compOp":"true","field":"specific_data.data.permissions.is_identity","leftBracket":0,"logicOp":"and","not":false,"rightBracket":0}],"is_operational":true,"last_fetch_connection_id":"67fd09cd782eb39db73d1af1","last_fetch_connection_label":"okta-demo","last_seen":"Mon, 07 Apr 2025 13:05:30 GMT","last_used":"Mon, 07 Apr 2025 13:05:30 
GMT","name":"Cloudflare","not_fetched_count":0,"permissions":[{"is_admin":true,"name":"allow_api_access_to_account","users_amount":9}],"redirect_uris":[],"related_vendor_name":"Cloudflare","scope_tag_calendar":0,"scope_tag_calendar_hyperlink":[{"compOp":"equals","field":"specific_data.data.app_id","leftBracket":0,"logicOp":"and","not":false,"rightBracket":0,"value":"990f042e1d803894A3ae"}],"scope_tag_drive":0,"scope_tag_drive_hyperlink":[{"compOp":"equals","field":"specific_data.data.permissions.scope_tag","leftBracket":0,"logicOp":"and","not":false,"rightBracket":0,"value":"Drive"}],"scope_tag_mail":0,"scope_tag_mail_hyperlink":[{"compOp":"equals","field":"specific_data.data.permissions.scope_tag","leftBracket":0,"logicOp":"and","not":false,"rightBracket":0,"value":"Mail"}],"source_application":"Okta","type":"Extensions","urls":[],"user_count":288,"user_count_link":[{"bracketWeight":0,"compOp":"IN","field":"specific_data.data.mail","leftBracket":0,"logicOp":"","not":false,"rightBracket":0,"value":"ronald.mays@demo.local,justin.baugh@demo.local,brian.williamskaren.cox@demo.local,bill.mcnay@demo.local,billy.woodruff@demo.local,hazel.contreras@demo.local,eduardo.mandeville@demo.local,karen.neal@demo.local,troy.hooper@demo.local,andreas.rice@demo.local,janis.henry@demo.local,mary.tavares@demo.local,patrick.rowe@demo.local,kenneth.gardner@demo.local,paul.hendricks@demo.local,tanya.wolf@demo.local,kathleen.arroliga@demo.local,robert.blunt@demo.local,charles.duncan@demo.local,margarita.zapata@demo.local,charles.paredes@demo.local,floyd.conrad@demo.local,tammy.hawkins@demo.local,sam.chavez@demo.local,francis.rivera@demo.local,brandon.lilly@demo.local,matthew.wiley@demo.local,lacey.smith@demo.local,tracy.white@demo.local"}],"username_formats":[],"users_amount":288},"initial_plugin_unique_name":"okta_adapter_0","plugin_name":"okta_adapter","plugin_type":"Adapter","plugin_unique_name":"okta_adapter_0","quick_id":"okta_adapter_0!cd2f40fe8670900112ab","type":"entitydata"}}
+{"asset_type":"business_applications","internal_axon_id":"549124569ada556cf7e2ae7a148de3fe","adapters":["service_now_adapter"],"adapter_list_length":1,"event":{"accurate_for_datetime":"Thu, 13 Nov 2025 00:04:11 GMT","adapter_categories":["CMDB","ITAM/ITSM","Ticketing","SaaS Management"],"client_used":"67fd09aa731ccb57309230f8","data":{"accurate_for_datetime":"Thu, 13 Nov 2025 00:04:11 GMT","application_and_account_name":"servicenow/servicenow-prod","application_type":"Homegrown","business_criticality":"High","business_owner":"Janis Henry","devices_count":0,"devices_count_link":[{"bracketWeight":0,"compOp":"equals","field":"adapters_data.service_now_adapter.cmdb_business_applications.sys_id","leftBracket":0,"logicOp":"","not":false,"rightBracket":0,"value":"71260cc7-51e7-4a81-8101-3a59642126c9"}],"fetch_time":"Thu, 13 Nov 2025 00:04:03 GMT","first_fetch_time":"Mon, 14 Apr 2025 13:28:21 GMT","from_last_fetch":true,"id":"f0091f184b3a144487d5","id_raw":"71260cc7-51e7-4a81-8101-3a59642126c9","install_status":"In Production","is_fetched_from_adapter":true,"it_application_owner":"Catherine Robertson","last_fetch_connection_id":"67fd09aa731ccb57309230f8","last_fetch_connection_label":"servicenow-prod","managed_by":"Chester Mccain","name":"Panorama Logistico","not_fetched_count":0,"number":"APM0017184","operational_status":"In Production","remote_id":"Ac89fbCFD333903d6Af2","short_description":"All Purchase Cycle Follow. In-house development in .net, taking information from SAP using a text file for Trade Commerce. This tool is used in PERU site and the source information is a file download from IBERIAN SAP. 
It will be decommissioned during this year and wi will put in place softway.","software_cves":[],"source_application":"ServiceNow","tenant_number":["3"],"type":"BusinessApplications","z_table_hierarchy":["cmdb_ci_business_app","cmdb_ci","cmdb"]},"initial_plugin_unique_name":"service_now_adapter_0","plugin_name":"service_now_adapter","plugin_type":"Adapter","plugin_unique_name":"service_now_adapter_0","quick_id":"service_now_adapter_0!f0091f184b3a144487d5","type":"entitydata"}}
+{"asset_type":"audit_activities","internal_axon_id":"cf0ca5c467254d8893ec19395ac33ab7","adapters":["salesforce_adapter"],"adapter_list_length":1,"event":{"accurate_for_datetime":"Thu, 13 Nov 2025 00:02:27 GMT","adapter_categories":["CRM","SaaS Management"],"client_used":"67fd09ddfe1c8e812a176bc3","data":{"accurate_for_datetime":"Thu, 13 Nov 2025 00:02:27 GMT","action":{"name":"Login Event","timestamp":"Wed, 26 Feb 2025 03:45:26 GMT","type":"Login Event"},"actor":{"username":"silvana.bowman@demo.local"},"actor_state":{"location":{"country":"USA","remote_ip":"1.128.0.0"},"remote_ip":"1.128.0.0"},"application_and_account_name":"salesforce/salesforce-dev","custom_properties":{"is_identity":true},"fetch_time":"Thu, 13 Nov 2025 00:02:25 GMT","first_fetch_time":"Mon, 14 Apr 2025 13:27:00 GMT","from_last_fetch":true,"id":"ad4f3d8016a9d5ea2956","id_raw":"7ac7b754-9deb-4a89-a416-e0ef9fe573bd","is_fetched_from_adapter":true,"last_fetch_connection_id":"67fd09ddfe1c8e812a176bc3","last_fetch_connection_label":"salesforce-dev","name":"Login Event","not_fetched_count":0,"owner":"silvana.bowman@demo.local","pretty_id":"AX-3473712580","sm_entity_type":"audit_activity","source_application":"Salesforce","tenant_number":["2"],"type":"AuditActivities"},"initial_plugin_unique_name":"salesforce_adapter_0","plugin_name":"salesforce_adapter","plugin_type":"Adapter","plugin_unique_name":"salesforce_adapter_0","quick_id":"salesforce_adapter_0!ad4f3d8016a9d5ea2956","type":"entitydata"}}
+{"asset_type":"saas_applications","internal_axon_id":"d091d1a7c381cc61708f62f3bf11555b","adapters":["axonius_catalog_adapter","axonius_discovery_adapter","axonius_discovery_adapter"],"adapter_list_length":4,"labels":["HHa - Needs review","MR","Needs Review - DT","Needs Review - JJRA","“Needs Review - ECG"],"event":{"accurate_for_datetime":"Sun, 05 Oct 2025 12:09:51 GMT","action_if_exists":"update","associated_adapters":[],"association_type":"Tag","data":{"approval_status":"Approved"},"entity":"saas_applications","hidden_for_gui":true,"name":"static_analysis_0_SaaSApplicationApprovalStatusSchema","plugin_name":"static_analysis","plugin_unique_name":"static_analysis_0_SaaSApplicationApprovalStatusSchema","type":"adapterdata"}}
+{"asset_type":"application_settings","internal_axon_id":"b2462f7fb4d545b41ddf371763dae331","adapters":["salesforce_adapter"],"adapter_list_length":1,"event":{"accurate_for_datetime":"Thu, 13 Nov 2025 00:02:31 GMT","adapter_categories":["CRM","SaaS Management"],"client_used":"67fd09ddfe1c8e812a176bc3","data":{"accurate_for_datetime":"Thu, 13 Nov 2025 00:02:31 GMT","application_and_account_name":"salesforce/salesforce-dev","configuration_values":[{"configuration_value":"Setting is enabled","entity_remote_id":"00E8e000000BI4Kc36","is_valid":false,"name":"MARYS_ROLE","raw_setting_name":"Manage Certificates","recommendation":"Disabled","role":{"display_name":"MARYS_ROLE","remote_id":"00E8e000000BI4Kc36"},"value":"True"}],"fetch_time":"Thu, 13 Nov 2025 00:02:27 GMT","first_fetch_time":"Mon, 14 Apr 2025 13:27:02 GMT","from_last_fetch":true,"id":"60b00136f2ff4d7e6c01","id_raw":"Salesforce-cf25e6fb-db83-4d44-b0be-94ff3f06a038-67fd09ddfe1c8e812a176bc3","impact":"Recommendation","is_excluded":false,"is_fetched_from_adapter":true,"last_fetch_connection_id":"67fd09ddfe1c8e812a176bc3","last_fetch_connection_label":"salesforce-dev","level":"Role","link":"https://{account}.lightning.force.com/lightning/setup/EnhancedProfiles/home","link_path":"Select a profile > Click on 'System Permissions' > Find 'Manage Certificates'","name":"External authentication","not_fetched_count":0,"product_name":"Salesforce","raw_setting_name":"Manage Certificates","raw_setting_value":"MULTIPLE VALUES","recommendation":"Disabled","recommendation_description":"Extremely restrict \"Manage Certificates\" to very few trusted administrators. Certificates are foundational to Salesforce security; unauthorized management risks communication compromise, authentication bypass, and data integrity. 
Rigorous control and logging are essential, aligning with ISO 27001, NIST CSF, PCI DSS, and OWASP Top 10.","related_vendor_name":"Salesforce","setting_description":"This permission allows managing digital certificates in Salesforce, vital for secure communication, SSO, and API integrations.","setting_name":"External authentication","setting_type":"Authentication","settings_score":0,"settings_status":"misconfigured","sm_entity_type":"application_setting","source_application":"Salesforce","standards":[],"type":"ApplicationSettings","vendor_category":"Sales","vendor_setting":{"_id":"cf25e6fb-db83-4d44-b0be-94ff3f06a038","exceptions":[],"is_relevant":true,"lambda_name":"LM_BOOLEAN_CHECK_DISABLED","level":"Role","link":"https://{account}.lightning.force.com/lightning/setup/EnhancedProfiles/home","link_path":"Select a profile > Click on 'System Permissions' > Find 'Manage Certificates'","product":"Salesforce","raw_setting_name":"Manage Certificates","raw_setting_value_type":"LM_RET_BOOL","raw_validation_rule":"lambda value: value == \"Setting is disabled\"","recommendation_reason":"Extremely restrict \"Manage Certificates\" to very few trusted administrators. Certificates are foundational to Salesforce security; unauthorized management risks communication compromise, authentication bypass, and data integrity. Rigorous control and logging are essential, aligning with ISO 27001, NIST CSF, PCI DSS, and OWASP Top 10.","scope":"Salesforce","setting_description":"This permission allows managing digital certificates in Salesforce, vital for secure communication, SSO, and API integrations.","xsetting":{"_id":"d8f9d702-1692-4330-be60-dbc98106e079","impact":0,"setting_type":{"name":"Authentication"},"xsetting_name":"External authentication"}}},"initial_plugin_unique_name":"salesforce_adapter_0","plugin_name":"salesforce_adapter","plugin_type":"Adapter","plugin_unique_name":"salesforce_adapter_0","quick_id":"salesforce_adapter_0!60b00136f2ff4d7e6c01","type":"entitydata"}}
+{"asset_type":"licenses","internal_axon_id":"0685616afbf903f022923548abb10f21","adapters":["google_mdm_adapter"],"adapter_list_length":1,"event":{"accurate_for_datetime":"Thu, 13 Nov 2025 00:03:31 GMT","adapter_categories":["IAM","MDM/EMM","SaaS Management"],"client_used":"67fd09f2fe1c8e812a176bcf","data":{"accurate_for_datetime":"Thu, 13 Nov 2025 00:03:31 GMT","actual_renewal_date":"Sun, 12 Oct 2025 02:33:56 GMT","application_and_account_name":"google workspace/google_mdm-demo","associated_users":[{"user_activity_status":"Active","username":"bobby.browning@demo.local"}],"cost":3550,"created":"Sat, 12 Oct 2024 02:33:56 GMT","end_date":"Sun, 12 Oct 2025 02:33:56 GMT","fetch_time":"Thu, 13 Nov 2025 00:03:19 GMT","first_fetch_time":"Mon, 14 Apr 2025 13:27:36 GMT","from_last_fetch":true,"id":"319f2f6c5d26788d0233","id_raw":"javier.smith@demo.local_Google Workspace Enterprise Starter_2024-10-12 02:33:56.356025","is_active_license":true,"is_active_license_from_adapter":true,"is_fetched_from_adapter":true,"last_fetch_connection_id":"67fd09f2fe1c8e812a176bcf","last_fetch_connection_label":"google_mdm-demo","license_estimated_monthly_cost":295.8333333333333,"license_estimated_yearly_cost":3550,"license_name":"Google Workspace Enterprise Starter","license_type":"Paid","name":"Google Workspace Enterprise Starter","not_fetched_count":0,"number_of_active_associated_users":38,"number_of_associated_users":47,"number_of_inactive_associated_users":9,"owner":"javier.smith@demo.local","possible_savings_of_inactive_associated_users":225,"pricing_unit":"User","quantity":142,"related_vendor_name":"Google Workspace","sm_entity_type":"license","source_application":"Google Workspace","start_date":"Sat, 12 Oct 2024 02:33:56 
GMT","subscription_term":"Yearly","tenant_number":["3"],"type":"Licenses","unit_price":25},"initial_plugin_unique_name":"google_mdm_adapter_0","plugin_name":"google_mdm_adapter","plugin_type":"Adapter","plugin_unique_name":"google_mdm_adapter_0","quick_id":"google_mdm_adapter_0!319f2f6c5d26788d0233","type":"entitydata"}}
+{"asset_type":"expenses","internal_axon_id":"650e22d6e94f66e1e0e9a84f5367ef10","adapters":["expenses_csv_adapter"],"adapter_list_length":1,"event":{"accurate_for_datetime":"Thu, 13 Nov 2025 00:02:48 GMT","adapter_categories":["SaaS Management"],"client_used":"67fd09f23c68ed1b541bb4bb","data":{"accurate_for_datetime":"Thu, 13 Nov 2025 00:02:48 GMT","amount":122,"application_and_account_name":"csv - expenses/expenses_csv-demo","department":"Finance","fetch_time":"Thu, 13 Nov 2025 00:02:47 GMT","first_fetch_time":"Mon, 14 Apr 2025 13:27:23 GMT","from_last_fetch":true,"id":"bc980236c772e609eee7","id_raw":"639d7122-64aa-46de-bf21-b0fb67b64f9a","is_fetched_from_adapter":true,"last_fetch_connection_id":"67fd09f23c68ed1b541bb4bb","last_fetch_connection_label":"expenses_csv-demo","not_fetched_count":0,"pretty_id":"AX-1695425238","related_user":{"email":"david.plummer@demo.local","full_name":{},"remote_id":"24aa5fbc-ac92-4234-a246-04bfc6adc67c","username":"david.plummer@demo.local"},"related_vendor_name":"Dropbox","sm_entity_type":"expense","source_application":"CSV - Expenses","tenant_number":["2"],"transaction_time":"Tue, 14 Jan 2025 13:19:15 GMT","type":"Expenses","user_email":"david.plummer@demo.local","vendor_category":"File Sharing"},"initial_plugin_unique_name":"expenses_csv_adapter_0","plugin_name":"expenses_csv_adapter","plugin_type":"Adapter","plugin_unique_name":"expenses_csv_adapter_0","quick_id":"expenses_csv_adapter_0!bc980236c772e609eee7","type":"entitydata"}}
+{"asset_type":"software","internal_axon_id":"719c5be77e2cda2f0257833ab6e810f9","adapters":["axonius_catalog_adapter","chef_adapter","counter_act_adapter","tenable_security_center_adapter"],"_id":"oracle:mysql","event":{"accurate_for_datetime":"Thu, 13 Nov 2025 00:10:22 GMT","client_used":"Internal","data":{"accurate_for_datetime":"Thu, 13 Nov 2025 00:10:22 GMT","categories":["Data Base Management"],"first_seen":"Mon, 14 Apr 2025 13:36:12 GMT","id":"oracle:mysql","installed_software":[{"end_of_support":"Wed, 30 Apr 2025 00:00:00 GMT","has_reached_end_of_support":true,"name":"MySQL","vendor":"Oracle Corporation","vendor_publisher":["Oracle Corporation"],"version":"8.0.41"}],"sub_category":["SQL Databases"]},"initial_plugin_unique_name":"axonius_catalog_adapter","plugin_name":"axonius_catalog_adapter","plugin_type":"Internal","plugin_unique_name":"axonius_catalog_adapter","quick_id":"axonius_catalog_adapter!oracle:mysql","type":"entitydata"}}
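Review bot: In the first fixture event (asset_type "urls"), user_count_link[].value is a single comma-separated string of addresses, and the expected output for this event carries that whole string as one related.user element, which makes related.user useless for pivoting on an individual account. Split the value on "," before appending to related.user, and fix the entry brian.williamskaren.cox@demo.local, which looks like two addresses fused together. The expected output for the second event also renames compOp to comp_op under devices_count_link while the *_hyperlink arrays in the first event keep compOp; pick one spelling. In the saas_applications event, the label “Needs Review - ECG starts with a stray curly quote and adapter_list_length is 4 against three listed adapters (one repeated); if that mirrors real API output, say so in a comment in the test config, otherwise clean the fixture.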
diff --git a/packages/axonius/data_stream/application/_dev/test/pipeline/test-application.log-expected.json b/packages/axonius/data_stream/application/_dev/test/pipeline/test-application.log-expected.json
new file mode 100644
index 00000000000..03a061d2208
--- /dev/null
+++ b/packages/axonius/data_stream/application/_dev/test/pipeline/test-application.log-expected.json
@@ -0,0 +1,773 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2025-11-13T00:02:55.000Z",
+ "axonius": {
+ "application": {
+ "adapter_list_length": 1,
+ "adapters": [
+ "okta_adapter"
+ ],
+ "asset_type": "urls",
+ "event": {
+ "accurate_for_datetime": "2025-11-13T00:02:55.000Z",
+ "adapter_categories": [
+ "IAM",
+ "SaaS Management"
+ ],
+ "client_used": "67fd09cd782eb39db73d1af1",
+ "data": {
+ "accurate_for_datetime": "2025-11-13T00:02:55.000Z",
+ "activity_status_active": 0,
+ "activity_status_active_hyperlink": [
+ {
+ "compOp": "equals",
+ "field": "specific_data.data.activity_status",
+ "leftBracket": 0,
+ "logicOp": "and",
+ "not": false,
+ "rightBracket": 0,
+ "value": "Active"
+ }
+ ],
+ "activity_status_inactive": 288,
+ "activity_status_inactive_hyperlink": [
+ {
+ "compOp": "equals",
+ "field": "specific_data.data.activity_status",
+ "leftBracket": 0,
+ "logicOp": "and",
+ "not": false,
+ "rightBracket": 0,
+ "value": "Inactive"
+ }
+ ],
+ "app_id": "990f042e1d803894A3ae",
+ "application_and_account_name": "okta/okta-demo",
+ "created": "2024-12-25T22:17:25.000Z",
+ "extension_type": "SSO",
+ "fetch_time": "2025-11-13T00:02:18.000Z",
+ "first_fetch_time": "2025-04-14T13:27:09.000Z",
+ "first_seen": "2024-04-22T21:22:25.000Z",
+ "from_last_fetch": true,
+ "id": "cd2f40fe8670900112ab",
+ "id_raw": "okta_adapter_0!990f042e1d803894A3ae",
+ "integration_type": "Admin Managed",
+ "is_admin": 16,
+ "is_admin_hyperlink": [
+ {
+ "compOp": "true",
+ "field": "specific_data.data.permissions.is_admin",
+ "leftBracket": 0,
+ "logicOp": "and",
+ "not": false,
+ "rightBracket": 0
+ }
+ ],
+ "is_fetched_from_adapter": true,
+ "is_identity": 0,
+ "is_identity_hyperlink": [
+ {
+ "compOp": "true",
+ "field": "specific_data.data.permissions.is_identity",
+ "leftBracket": 0,
+ "logicOp": "and",
+ "not": false,
+ "rightBracket": 0
+ }
+ ],
+ "is_operational": true,
+ "last_fetch_connection_id": "67fd09cd782eb39db73d1af1",
+ "last_fetch_connection_label": "okta-demo",
+ "last_seen": "2025-04-07T13:05:30.000Z",
+ "last_used": "2025-04-07T13:05:30.000Z",
+ "name": "Cloudflare",
+ "not_fetched_count": 0,
+ "related_vendor_name": "Cloudflare",
+ "scope_tag_calendar": 0,
+ "scope_tag_calendar_hyperlink": [
+ {
+ "compOp": "equals",
+ "field": "specific_data.data.app_id",
+ "leftBracket": 0,
+ "logicOp": "and",
+ "not": false,
+ "rightBracket": 0,
+ "value": "990f042e1d803894A3ae"
+ }
+ ],
+ "scope_tag_drive": 0,
+ "scope_tag_drive_hyperlink": [
+ {
+ "compOp": "equals",
+ "field": "specific_data.data.permissions.scope_tag",
+ "leftBracket": 0,
+ "logicOp": "and",
+ "not": false,
+ "rightBracket": 0,
+ "value": "Drive"
+ }
+ ],
+ "scope_tag_mail": 0,
+ "scope_tag_mail_hyperlink": [
+ {
+ "compOp": "equals",
+ "field": "specific_data.data.permissions.scope_tag",
+ "leftBracket": 0,
+ "logicOp": "and",
+ "not": false,
+ "rightBracket": 0,
+ "value": "Mail"
+ }
+ ],
+ "source_application": "Okta",
+ "type": "Extensions",
+ "user_count": 288,
+ "user_count_link": [
+ {
+ "bracketWeight": 0,
+ "compOp": "IN",
+ "field": "specific_data.data.mail",
+ "leftBracket": 0,
+ "not": false,
+ "rightBracket": 0,
+ "value": "ronald.mays@demo.local,justin.baugh@demo.local,brian.williamskaren.cox@demo.local,bill.mcnay@demo.local,billy.woodruff@demo.local,hazel.contreras@demo.local,eduardo.mandeville@demo.local,karen.neal@demo.local,troy.hooper@demo.local,andreas.rice@demo.local,janis.henry@demo.local,mary.tavares@demo.local,patrick.rowe@demo.local,kenneth.gardner@demo.local,paul.hendricks@demo.local,tanya.wolf@demo.local,kathleen.arroliga@demo.local,robert.blunt@demo.local,charles.duncan@demo.local,margarita.zapata@demo.local,charles.paredes@demo.local,floyd.conrad@demo.local,tammy.hawkins@demo.local,sam.chavez@demo.local,francis.rivera@demo.local,brandon.lilly@demo.local,matthew.wiley@demo.local,lacey.smith@demo.local,tracy.white@demo.local"
+ }
+ ],
+ "users_amount": 288
+ },
+ "initial_plugin_unique_name": "okta_adapter_0",
+ "plugin_name": "okta_adapter",
+ "plugin_type": "Adapter",
+ "plugin_unique_name": "okta_adapter_0",
+ "quick_id": "okta_adapter_0!cd2f40fe8670900112ab",
+ "type": "entitydata"
+ },
+ "internal_axon_id": "9c65d891077147892d0e632eb0cf6ebf",
+ "transform_unique_id": "m7762mF4pH/mnjZWE7SnM2IglD0="
+ }
+ },
+ "ecs": {
+ "version": "9.2.0"
+ },
+ "event": {
+ "created": "2024-12-25T22:17:25.000Z",
+ "kind": "event",
+ "original": "{\"asset_type\":\"urls\",\"internal_axon_id\":\"9c65d891077147892d0e632eb0cf6ebf\",\"adapters\":[\"okta_adapter\"],\"adapter_list_length\":1,\"event\":{\"accurate_for_datetime\":\"Thu, 13 Nov 2025 00:02:55 GMT\",\"adapter_categories\":[\"IAM\",\"SaaS Management\"],\"client_used\":\"67fd09cd782eb39db73d1af1\",\"data\":{\"domain\":\"example-domain\",\"accurate_for_datetime\":\"Thu, 13 Nov 2025 00:02:55 GMT\",\"activity_status_active\":0,\"activity_status_active_hyperlink\":[{\"compOp\":\"equals\",\"field\":\"specific_data.data.activity_status\",\"leftBracket\":0,\"logicOp\":\"and\",\"not\":false,\"rightBracket\":0,\"value\":\"Active\"}],\"activity_status_inactive\":288,\"activity_status_inactive_hyperlink\":[{\"compOp\":\"equals\",\"field\":\"specific_data.data.activity_status\",\"leftBracket\":0,\"logicOp\":\"and\",\"not\":false,\"rightBracket\":0,\"value\":\"Inactive\"}],\"app_id\":\"990f042e1d803894A3ae\",\"application_and_account_name\":\"okta/okta-demo\",\"auth_type\":[],\"created\":\"Wed, 25 Dec 2024 22:17:25 GMT\",\"extension_type\":\"SSO\",\"fetch_time\":\"Thu, 13 Nov 2025 00:02:18 GMT\",\"first_fetch_time\":\"Mon, 14 Apr 2025 13:27:09 GMT\",\"first_seen\":\"Mon, 22 Apr 2024 21:22:25 GMT\",\"from_last_fetch\":true,\"grant_types\":[],\"id\":\"cd2f40fe8670900112ab\",\"id_raw\":\"okta_adapter_0!990f042e1d803894A3ae\",\"integration_type\":\"Admin Managed\",\"is_admin\":16,\"is_admin_hyperlink\":[{\"compOp\":\"true\",\"field\":\"specific_data.data.permissions.is_admin\",\"leftBracket\":0,\"logicOp\":\"and\",\"not\":false,\"rightBracket\":0}],\"is_fetched_from_adapter\":true,\"is_identity\":0,\"is_identity_hyperlink\":[{\"compOp\":\"true\",\"field\":\"specific_data.data.permissions.is_identity\",\"leftBracket\":0,\"logicOp\":\"and\",\"not\":false,\"rightBracket\":0}],\"is_operational\":true,\"last_fetch_connection_id\":\"67fd09cd782eb39db73d1af1\",\"last_fetch_connection_label\":\"okta-demo\",\"last_seen\":\"Mon, 07 Apr 2025 13:05:30 
GMT\",\"last_used\":\"Mon, 07 Apr 2025 13:05:30 GMT\",\"name\":\"Cloudflare\",\"not_fetched_count\":0,\"permissions\":[{\"is_admin\":true,\"name\":\"allow_api_access_to_account\",\"users_amount\":9}],\"redirect_uris\":[],\"related_vendor_name\":\"Cloudflare\",\"scope_tag_calendar\":0,\"scope_tag_calendar_hyperlink\":[{\"compOp\":\"equals\",\"field\":\"specific_data.data.app_id\",\"leftBracket\":0,\"logicOp\":\"and\",\"not\":false,\"rightBracket\":0,\"value\":\"990f042e1d803894A3ae\"}],\"scope_tag_drive\":0,\"scope_tag_drive_hyperlink\":[{\"compOp\":\"equals\",\"field\":\"specific_data.data.permissions.scope_tag\",\"leftBracket\":0,\"logicOp\":\"and\",\"not\":false,\"rightBracket\":0,\"value\":\"Drive\"}],\"scope_tag_mail\":0,\"scope_tag_mail_hyperlink\":[{\"compOp\":\"equals\",\"field\":\"specific_data.data.permissions.scope_tag\",\"leftBracket\":0,\"logicOp\":\"and\",\"not\":false,\"rightBracket\":0,\"value\":\"Mail\"}],\"source_application\":\"Okta\",\"type\":\"Extensions\",\"urls\":[],\"user_count\":288,\"user_count_link\":[{\"bracketWeight\":0,\"compOp\":\"IN\",\"field\":\"specific_data.data.mail\",\"leftBracket\":0,\"logicOp\":\"\",\"not\":false,\"rightBracket\":0,\"value\":\"ronald.mays@demo.local,justin.baugh@demo.local,brian.williamskaren.cox@demo.local,bill.mcnay@demo.local,billy.woodruff@demo.local,hazel.contreras@demo.local,eduardo.mandeville@demo.local,karen.neal@demo.local,troy.hooper@demo.local,andreas.rice@demo.local,janis.henry@demo.local,mary.tavares@demo.local,patrick.rowe@demo.local,kenneth.gardner@demo.local,paul.hendricks@demo.local,tanya.wolf@demo.local,kathleen.arroliga@demo.local,robert.blunt@demo.local,charles.duncan@demo.local,margarita.zapata@demo.local,charles.paredes@demo.local,floyd.conrad@demo.local,tammy.hawkins@demo.local,sam.chavez@demo.local,francis.rivera@demo.local,brandon.lilly@demo.local,matthew.wiley@demo.local,lacey.smith@demo.local,tracy.white@demo.local\"}],\"username_formats\":[],\"users_amount\":288},\"initial_plugin_uniq
ue_name\":\"okta_adapter_0\",\"plugin_name\":\"okta_adapter\",\"plugin_type\":\"Adapter\",\"plugin_unique_name\":\"okta_adapter_0\",\"quick_id\":\"okta_adapter_0!cd2f40fe8670900112ab\",\"type\":\"entitydata\"}}"
+ },
+ "related": {
+ "user": [
+ "ronald.mays@demo.local,justin.baugh@demo.local,brian.williamskaren.cox@demo.local,bill.mcnay@demo.local,billy.woodruff@demo.local,hazel.contreras@demo.local,eduardo.mandeville@demo.local,karen.neal@demo.local,troy.hooper@demo.local,andreas.rice@demo.local,janis.henry@demo.local,mary.tavares@demo.local,patrick.rowe@demo.local,kenneth.gardner@demo.local,paul.hendricks@demo.local,tanya.wolf@demo.local,kathleen.arroliga@demo.local,robert.blunt@demo.local,charles.duncan@demo.local,margarita.zapata@demo.local,charles.paredes@demo.local,floyd.conrad@demo.local,tammy.hawkins@demo.local,sam.chavez@demo.local,francis.rivera@demo.local,brandon.lilly@demo.local,matthew.wiley@demo.local,lacey.smith@demo.local,tracy.white@demo.local"
+ ]
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ]
+ },
+ {
+ "@timestamp": "2025-11-13T00:04:11.000Z",
+ "axonius": {
+ "application": {
+ "adapter_list_length": 1,
+ "adapters": [
+ "service_now_adapter"
+ ],
+ "asset_type": "business_applications",
+ "event": {
+ "accurate_for_datetime": "2025-11-13T00:04:11.000Z",
+ "adapter_categories": [
+ "CMDB",
+ "ITAM/ITSM",
+ "Ticketing",
+ "SaaS Management"
+ ],
+ "client_used": "67fd09aa731ccb57309230f8",
+ "data": {
+ "accurate_for_datetime": "2025-11-13T00:04:11.000Z",
+ "application_and_account_name": "servicenow/servicenow-prod",
+ "application_type": "Homegrown",
+ "business_criticality": "High",
+ "business_owner": "Janis Henry",
+ "devices_count": 0,
+ "devices_count_link": [
+ {
+ "bracketWeight": 0,
+ "comp_op": "equals",
+ "field": "adapters_data.service_now_adapter.cmdb_business_applications.sys_id",
+ "leftBracket": 0,
+ "not": false,
+ "rightBracket": 0,
+ "value": "71260cc7-51e7-4a81-8101-3a59642126c9"
+ }
+ ],
+ "fetch_time": "2025-11-13T00:04:03.000Z",
+ "first_fetch_time": "2025-04-14T13:28:21.000Z",
+ "from_last_fetch": true,
+ "id": "f0091f184b3a144487d5",
+ "id_raw": "71260cc7-51e7-4a81-8101-3a59642126c9",
+ "install_status": "In Production",
+ "is_fetched_from_adapter": true,
+ "it_application_owner": "Catherine Robertson",
+ "last_fetch_connection_id": "67fd09aa731ccb57309230f8",
+ "last_fetch_connection_label": "servicenow-prod",
+ "managed_by": "Chester Mccain",
+ "name": "Panorama Logistico",
+ "not_fetched_count": 0,
+ "number": "APM0017184",
+ "operational_status": "In Production",
+ "remote_id": "Ac89fbCFD333903d6Af2",
+ "short_description": "All Purchase Cycle Follow. In-house development in .net, taking information from SAP using a text file for Trade Commerce. This tool is used in PERU site and the source information is a file download from IBERIAN SAP. It will be decommissioned during this year and wi will put in place softway.",
+ "source_application": "ServiceNow",
+ "tenant_number": [
+ "3"
+ ],
+ "type": "BusinessApplications"
+ },
+ "initial_plugin_unique_name": "service_now_adapter_0",
+ "plugin_name": "service_now_adapter",
+ "plugin_type": "Adapter",
+ "plugin_unique_name": "service_now_adapter_0",
+ "quick_id": "service_now_adapter_0!f0091f184b3a144487d5",
+ "type": "entitydata"
+ },
+ "internal_axon_id": "549124569ada556cf7e2ae7a148de3fe",
+ "transform_unique_id": "rXo/nu79rJcFGeyXu9Ms43hczIA="
+ }
+ },
+ "ecs": {
+ "version": "9.2.0"
+ },
+ "event": {
+ "kind": "event",
+ "original": "{\"asset_type\":\"business_applications\",\"internal_axon_id\":\"549124569ada556cf7e2ae7a148de3fe\",\"adapters\":[\"service_now_adapter\"],\"adapter_list_length\":1,\"event\":{\"accurate_for_datetime\":\"Thu, 13 Nov 2025 00:04:11 GMT\",\"adapter_categories\":[\"CMDB\",\"ITAM/ITSM\",\"Ticketing\",\"SaaS Management\"],\"client_used\":\"67fd09aa731ccb57309230f8\",\"data\":{\"accurate_for_datetime\":\"Thu, 13 Nov 2025 00:04:11 GMT\",\"application_and_account_name\":\"servicenow/servicenow-prod\",\"application_type\":\"Homegrown\",\"business_criticality\":\"High\",\"business_owner\":\"Janis Henry\",\"devices_count\":0,\"devices_count_link\":[{\"bracketWeight\":0,\"compOp\":\"equals\",\"field\":\"adapters_data.service_now_adapter.cmdb_business_applications.sys_id\",\"leftBracket\":0,\"logicOp\":\"\",\"not\":false,\"rightBracket\":0,\"value\":\"71260cc7-51e7-4a81-8101-3a59642126c9\"}],\"fetch_time\":\"Thu, 13 Nov 2025 00:04:03 GMT\",\"first_fetch_time\":\"Mon, 14 Apr 2025 13:28:21 GMT\",\"from_last_fetch\":true,\"id\":\"f0091f184b3a144487d5\",\"id_raw\":\"71260cc7-51e7-4a81-8101-3a59642126c9\",\"install_status\":\"In Production\",\"is_fetched_from_adapter\":true,\"it_application_owner\":\"Catherine Robertson\",\"last_fetch_connection_id\":\"67fd09aa731ccb57309230f8\",\"last_fetch_connection_label\":\"servicenow-prod\",\"managed_by\":\"Chester Mccain\",\"name\":\"Panorama Logistico\",\"not_fetched_count\":0,\"number\":\"APM0017184\",\"operational_status\":\"In Production\",\"remote_id\":\"Ac89fbCFD333903d6Af2\",\"short_description\":\"All Purchase Cycle Follow. In-house development in .net, taking information from SAP using a text file for Trade Commerce. This tool is used in PERU site and the source information is a file download from IBERIAN SAP. 
It will be decommissioned during this year and wi will put in place softway.\",\"software_cves\":[],\"source_application\":\"ServiceNow\",\"tenant_number\":[\"3\"],\"type\":\"BusinessApplications\",\"z_table_hierarchy\":[\"cmdb_ci_business_app\",\"cmdb_ci\",\"cmdb\"]},\"initial_plugin_unique_name\":\"service_now_adapter_0\",\"plugin_name\":\"service_now_adapter\",\"plugin_type\":\"Adapter\",\"plugin_unique_name\":\"service_now_adapter_0\",\"quick_id\":\"service_now_adapter_0!f0091f184b3a144487d5\",\"type\":\"entitydata\"}}"
+ },
+ "related": {
+ "user": [
+ "Janis Henry",
+ "Catherine Robertson",
+ "Chester Mccain"
+ ]
+ },
+ "service": {
+ "type": "Homegrown"
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ]
+ },
+ {
+ "@timestamp": "2025-11-13T00:02:27.000Z",
+ "axonius": {
+ "application": {
+ "adapter_list_length": 1,
+ "adapters": [
+ "salesforce_adapter"
+ ],
+ "asset_type": "audit_activities",
+ "event": {
+ "accurate_for_datetime": "2025-11-13T00:02:27.000Z",
+ "adapter_categories": [
+ "CRM",
+ "SaaS Management"
+ ],
+ "client_used": "67fd09ddfe1c8e812a176bc3",
+ "data": {
+ "accurate_for_datetime": "2025-11-13T00:02:27.000Z",
+ "action": {
+ "name": "Login Event",
+ "timestamp": "2025-02-26T03:45:26.000Z",
+ "type": "Login Event"
+ },
+ "actor": {
+ "username": "silvana.bowman@demo.local"
+ },
+ "actor_state": {
+ "location": {
+ "country": "USA",
+ "remote_ip": "1.128.0.0"
+ },
+ "remote_ip": "1.128.0.0"
+ },
+ "application_and_account_name": "salesforce/salesforce-dev",
+ "custom_properties": {
+ "is_identity": true
+ },
+ "fetch_time": "2025-11-13T00:02:25.000Z",
+ "first_fetch_time": "2025-04-14T13:27:00.000Z",
+ "from_last_fetch": true,
+ "id": "ad4f3d8016a9d5ea2956",
+ "id_raw": "7ac7b754-9deb-4a89-a416-e0ef9fe573bd",
+ "is_fetched_from_adapter": true,
+ "last_fetch_connection_id": "67fd09ddfe1c8e812a176bc3",
+ "last_fetch_connection_label": "salesforce-dev",
+ "name": "Login Event",
+ "not_fetched_count": 0,
+ "owner": "silvana.bowman@demo.local",
+ "pretty_id": "AX-3473712580",
+ "sm_entity_type": "audit_activity",
+ "source_application": "Salesforce",
+ "tenant_number": [
+ "2"
+ ],
+ "type": "AuditActivities"
+ },
+ "initial_plugin_unique_name": "salesforce_adapter_0",
+ "plugin_name": "salesforce_adapter",
+ "plugin_type": "Adapter",
+ "plugin_unique_name": "salesforce_adapter_0",
+ "quick_id": "salesforce_adapter_0!ad4f3d8016a9d5ea2956",
+ "type": "entitydata"
+ },
+ "internal_axon_id": "cf0ca5c467254d8893ec19395ac33ab7",
+ "transform_unique_id": "5FUSygV0YP73B6Wk/1moVYiK7Pc="
+ }
+ },
+ "ecs": {
+ "version": "9.2.0"
+ },
+ "event": {
+ "action": "login-event",
+ "kind": "event",
+ "original": "{\"asset_type\":\"audit_activities\",\"internal_axon_id\":\"cf0ca5c467254d8893ec19395ac33ab7\",\"adapters\":[\"salesforce_adapter\"],\"adapter_list_length\":1,\"event\":{\"accurate_for_datetime\":\"Thu, 13 Nov 2025 00:02:27 GMT\",\"adapter_categories\":[\"CRM\",\"SaaS Management\"],\"client_used\":\"67fd09ddfe1c8e812a176bc3\",\"data\":{\"accurate_for_datetime\":\"Thu, 13 Nov 2025 00:02:27 GMT\",\"action\":{\"name\":\"Login Event\",\"timestamp\":\"Wed, 26 Feb 2025 03:45:26 GMT\",\"type\":\"Login Event\"},\"actor\":{\"username\":\"silvana.bowman@demo.local\"},\"actor_state\":{\"location\":{\"country\":\"USA\",\"remote_ip\":\"1.128.0.0\"},\"remote_ip\":\"1.128.0.0\"},\"application_and_account_name\":\"salesforce/salesforce-dev\",\"custom_properties\":{\"is_identity\":true},\"fetch_time\":\"Thu, 13 Nov 2025 00:02:25 GMT\",\"first_fetch_time\":\"Mon, 14 Apr 2025 13:27:00 GMT\",\"from_last_fetch\":true,\"id\":\"ad4f3d8016a9d5ea2956\",\"id_raw\":\"7ac7b754-9deb-4a89-a416-e0ef9fe573bd\",\"is_fetched_from_adapter\":true,\"last_fetch_connection_id\":\"67fd09ddfe1c8e812a176bc3\",\"last_fetch_connection_label\":\"salesforce-dev\",\"name\":\"Login Event\",\"not_fetched_count\":0,\"owner\":\"silvana.bowman@demo.local\",\"pretty_id\":\"AX-3473712580\",\"sm_entity_type\":\"audit_activity\",\"source_application\":\"Salesforce\",\"tenant_number\":[\"2\"],\"type\":\"AuditActivities\"},\"initial_plugin_unique_name\":\"salesforce_adapter_0\",\"plugin_name\":\"salesforce_adapter\",\"plugin_type\":\"Adapter\",\"plugin_unique_name\":\"salesforce_adapter_0\",\"quick_id\":\"salesforce_adapter_0!ad4f3d8016a9d5ea2956\",\"type\":\"entitydata\"}}"
+ },
+ "host": {
+ "geo": {
+ "country_name": "USA"
+ }
+ },
+ "related": {
+ "ip": [
+ "1.128.0.0"
+ ],
+ "user": [
+ "silvana.bowman@demo.local"
+ ]
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "name": "silvana.bowman@demo.local"
+ }
+ },
+ {
+ "@timestamp": "2025-10-05T12:09:51.000Z",
+ "axonius": {
+ "application": {
+ "adapter_list_length": 4,
+ "adapters": [
+ "axonius_catalog_adapter",
+ "axonius_discovery_adapter",
+ "axonius_discovery_adapter"
+ ],
+ "asset_type": "saas_applications",
+ "event": {
+ "accurate_for_datetime": "2025-10-05T12:09:51.000Z",
+ "action_if_exists": "update",
+ "association_type": "Tag",
+ "data": {
+ "approval_status": "Approved"
+ },
+ "entity": "saas_applications",
+ "hidden_for_gui": true,
+ "name": "static_analysis_0_SaaSApplicationApprovalStatusSchema",
+ "plugin_name": "static_analysis",
+ "plugin_unique_name": "static_analysis_0_SaaSApplicationApprovalStatusSchema",
+ "type": "adapterdata"
+ },
+ "internal_axon_id": "d091d1a7c381cc61708f62f3bf11555b",
+ "labels": [
+ "HHa - Needs review",
+ "MR",
+ "Needs Review - DT",
+ "Needs Review - JJRA",
+ "“Needs Review - ECG"
+ ],
+ "transform_unique_id": "gTwHUgIPJ50OCMfVz0xHA9IbOa4="
+ }
+ },
+ "ecs": {
+ "version": "9.2.0"
+ },
+ "event": {
+ "action": "update",
+ "kind": "event",
+ "original": "{\"asset_type\":\"saas_applications\",\"internal_axon_id\":\"d091d1a7c381cc61708f62f3bf11555b\",\"adapters\":[\"axonius_catalog_adapter\",\"axonius_discovery_adapter\",\"axonius_discovery_adapter\"],\"adapter_list_length\":4,\"labels\":[\"HHa - Needs review\",\"MR\",\"Needs Review - DT\",\"Needs Review - JJRA\",\"“Needs Review - ECG\"],\"event\":{\"accurate_for_datetime\":\"Sun, 05 Oct 2025 12:09:51 GMT\",\"action_if_exists\":\"update\",\"associated_adapters\":[],\"association_type\":\"Tag\",\"data\":{\"approval_status\":\"Approved\"},\"entity\":\"saas_applications\",\"hidden_for_gui\":true,\"name\":\"static_analysis_0_SaaSApplicationApprovalStatusSchema\",\"plugin_name\":\"static_analysis\",\"plugin_unique_name\":\"static_analysis_0_SaaSApplicationApprovalStatusSchema\",\"type\":\"adapterdata\"}}"
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ]
+ },
+ {
+ "@timestamp": "2025-11-13T00:02:31.000Z",
+ "axonius": {
+ "application": {
+ "adapter_list_length": 1,
+ "adapters": [
+ "salesforce_adapter"
+ ],
+ "asset_type": "application_settings",
+ "event": {
+ "accurate_for_datetime": "2025-11-13T00:02:31.000Z",
+ "adapter_categories": [
+ "CRM",
+ "SaaS Management"
+ ],
+ "client_used": "67fd09ddfe1c8e812a176bc3",
+ "data": {
+ "accurate_for_datetime": "2025-11-13T00:02:31.000Z",
+ "application_and_account_name": "salesforce/salesforce-dev",
+ "configuration_values": [
+ {
+ "configuration_value": "Setting is enabled",
+ "entity_remote_id": "00E8e000000BI4Kc36",
+ "is_valid": false,
+ "name": "MARYS_ROLE",
+ "raw_setting_name": "Manage Certificates",
+ "recommendation": "Disabled",
+ "role": {
+ "display_name": "MARYS_ROLE",
+ "remote_id": "00E8e000000BI4Kc36"
+ },
+ "value": "True"
+ }
+ ],
+ "fetch_time": "2025-11-13T00:02:27.000Z",
+ "first_fetch_time": "2025-04-14T13:27:02.000Z",
+ "from_last_fetch": true,
+ "id": "60b00136f2ff4d7e6c01",
+ "id_raw": "Salesforce-cf25e6fb-db83-4d44-b0be-94ff3f06a038-67fd09ddfe1c8e812a176bc3",
+ "impact": "Recommendation",
+ "is_excluded": false,
+ "is_fetched_from_adapter": true,
+ "last_fetch_connection_id": "67fd09ddfe1c8e812a176bc3",
+ "last_fetch_connection_label": "salesforce-dev",
+ "level": "Role",
+ "link": "https://{account}.lightning.force.com/lightning/setup/EnhancedProfiles/home",
+ "link_path": "Select a profile > Click on 'System Permissions' > Find 'Manage Certificates'",
+ "name": "External authentication",
+ "not_fetched_count": 0,
+ "product_name": "Salesforce",
+ "raw_setting_name": "Manage Certificates",
+ "raw_setting_value": "MULTIPLE VALUES",
+ "recommendation": "Disabled",
+ "recommendation_description": "Extremely restrict \"Manage Certificates\" to very few trusted administrators. Certificates are foundational to Salesforce security; unauthorized management risks communication compromise, authentication bypass, and data integrity. Rigorous control and logging are essential, aligning with ISO 27001, NIST CSF, PCI DSS, and OWASP Top 10.",
+ "related_vendor_name": "Salesforce",
+ "setting_description": "This permission allows managing digital certificates in Salesforce, vital for secure communication, SSO, and API integrations.",
+ "setting_name": "External authentication",
+ "setting_type": "Authentication",
+ "settings_score": 0.0,
+ "settings_status": "misconfigured",
+ "sm_entity_type": "application_setting",
+ "source_application": "Salesforce",
+ "type": "ApplicationSettings",
+ "vendor_category": "Sales",
+ "vendor_setting": {
+ "_id": "cf25e6fb-db83-4d44-b0be-94ff3f06a038",
+ "is_relevant": true,
+ "lambda_name": "LM_BOOLEAN_CHECK_DISABLED",
+ "level": "Role",
+ "link": "https://{account}.lightning.force.com/lightning/setup/EnhancedProfiles/home",
+ "link_path": "Select a profile > Click on 'System Permissions' > Find 'Manage Certificates'",
+ "product": "Salesforce",
+ "raw_setting_name": "Manage Certificates",
+ "raw_setting_value_type": "LM_RET_BOOL",
+ "raw_validation_rule": "lambda value: value == \"Setting is disabled\"",
+ "recommendation_reason": "Extremely restrict \"Manage Certificates\" to very few trusted administrators. Certificates are foundational to Salesforce security; unauthorized management risks communication compromise, authentication bypass, and data integrity. Rigorous control and logging are essential, aligning with ISO 27001, NIST CSF, PCI DSS, and OWASP Top 10.",
+ "scope": "Salesforce",
+ "setting_description": "This permission allows managing digital certificates in Salesforce, vital for secure communication, SSO, and API integrations.",
+ "xsetting": {
+ "_id": "d8f9d702-1692-4330-be60-dbc98106e079",
+ "impact": 0,
+ "setting_type": {
+ "name": "Authentication"
+ },
+ "xsetting_name": "External authentication"
+ }
+ }
+ },
+ "initial_plugin_unique_name": "salesforce_adapter_0",
+ "plugin_name": "salesforce_adapter",
+ "plugin_type": "Adapter",
+ "plugin_unique_name": "salesforce_adapter_0",
+ "quick_id": "salesforce_adapter_0!60b00136f2ff4d7e6c01",
+ "type": "entitydata"
+ },
+ "internal_axon_id": "b2462f7fb4d545b41ddf371763dae331",
+ "transform_unique_id": "Cf8ma+s8UqgUO09DB1gb+EXGYwk="
+ }
+ },
+ "ecs": {
+ "version": "9.2.0"
+ },
+ "event": {
+ "kind": "event",
+ "original": "{\"asset_type\":\"application_settings\",\"internal_axon_id\":\"b2462f7fb4d545b41ddf371763dae331\",\"adapters\":[\"salesforce_adapter\"],\"adapter_list_length\":1,\"event\":{\"accurate_for_datetime\":\"Thu, 13 Nov 2025 00:02:31 GMT\",\"adapter_categories\":[\"CRM\",\"SaaS Management\"],\"client_used\":\"67fd09ddfe1c8e812a176bc3\",\"data\":{\"accurate_for_datetime\":\"Thu, 13 Nov 2025 00:02:31 GMT\",\"application_and_account_name\":\"salesforce/salesforce-dev\",\"configuration_values\":[{\"configuration_value\":\"Setting is enabled\",\"entity_remote_id\":\"00E8e000000BI4Kc36\",\"is_valid\":false,\"name\":\"MARYS_ROLE\",\"raw_setting_name\":\"Manage Certificates\",\"recommendation\":\"Disabled\",\"role\":{\"display_name\":\"MARYS_ROLE\",\"remote_id\":\"00E8e000000BI4Kc36\"},\"value\":\"True\"}],\"fetch_time\":\"Thu, 13 Nov 2025 00:02:27 GMT\",\"first_fetch_time\":\"Mon, 14 Apr 2025 13:27:02 GMT\",\"from_last_fetch\":true,\"id\":\"60b00136f2ff4d7e6c01\",\"id_raw\":\"Salesforce-cf25e6fb-db83-4d44-b0be-94ff3f06a038-67fd09ddfe1c8e812a176bc3\",\"impact\":\"Recommendation\",\"is_excluded\":false,\"is_fetched_from_adapter\":true,\"last_fetch_connection_id\":\"67fd09ddfe1c8e812a176bc3\",\"last_fetch_connection_label\":\"salesforce-dev\",\"level\":\"Role\",\"link\":\"https://{account}.lightning.force.com/lightning/setup/EnhancedProfiles/home\",\"link_path\":\"Select a profile > Click on 'System Permissions' > Find 'Manage Certificates'\",\"name\":\"External authentication\",\"not_fetched_count\":0,\"product_name\":\"Salesforce\",\"raw_setting_name\":\"Manage Certificates\",\"raw_setting_value\":\"MULTIPLE VALUES\",\"recommendation\":\"Disabled\",\"recommendation_description\":\"Extremely restrict \\\"Manage Certificates\\\" to very few trusted administrators. Certificates are foundational to Salesforce security; unauthorized management risks communication compromise, authentication bypass, and data integrity. 
Rigorous control and logging are essential, aligning with ISO 27001, NIST CSF, PCI DSS, and OWASP Top 10.\",\"related_vendor_name\":\"Salesforce\",\"setting_description\":\"This permission allows managing digital certificates in Salesforce, vital for secure communication, SSO, and API integrations.\",\"setting_name\":\"External authentication\",\"setting_type\":\"Authentication\",\"settings_score\":0,\"settings_status\":\"misconfigured\",\"sm_entity_type\":\"application_setting\",\"source_application\":\"Salesforce\",\"standards\":[],\"type\":\"ApplicationSettings\",\"vendor_category\":\"Sales\",\"vendor_setting\":{\"_id\":\"cf25e6fb-db83-4d44-b0be-94ff3f06a038\",\"exceptions\":[],\"is_relevant\":true,\"lambda_name\":\"LM_BOOLEAN_CHECK_DISABLED\",\"level\":\"Role\",\"link\":\"https://{account}.lightning.force.com/lightning/setup/EnhancedProfiles/home\",\"link_path\":\"Select a profile > Click on 'System Permissions' > Find 'Manage Certificates'\",\"product\":\"Salesforce\",\"raw_setting_name\":\"Manage Certificates\",\"raw_setting_value_type\":\"LM_RET_BOOL\",\"raw_validation_rule\":\"lambda value: value == \\\"Setting is disabled\\\"\",\"recommendation_reason\":\"Extremely restrict \\\"Manage Certificates\\\" to very few trusted administrators. Certificates are foundational to Salesforce security; unauthorized management risks communication compromise, authentication bypass, and data integrity. 
Rigorous control and logging are essential, aligning with ISO 27001, NIST CSF, PCI DSS, and OWASP Top 10.\",\"scope\":\"Salesforce\",\"setting_description\":\"This permission allows managing digital certificates in Salesforce, vital for secure communication, SSO, and API integrations.\",\"xsetting\":{\"_id\":\"d8f9d702-1692-4330-be60-dbc98106e079\",\"impact\":0,\"setting_type\":{\"name\":\"Authentication\"},\"xsetting_name\":\"External authentication\"}}},\"initial_plugin_unique_name\":\"salesforce_adapter_0\",\"plugin_name\":\"salesforce_adapter\",\"plugin_type\":\"Adapter\",\"plugin_unique_name\":\"salesforce_adapter_0\",\"quick_id\":\"salesforce_adapter_0!60b00136f2ff4d7e6c01\",\"type\":\"entitydata\"}}"
+ },
+ "message": [
+ "This permission allows managing digital certificates in Salesforce, vital for secure communication, SSO, and API integrations."
+ ],
+ "rule": {
+ "description": [
+ "Setting is enabled",
+ "Extremely restrict \"Manage Certificates\" to very few trusted administrators. Certificates are foundational to Salesforce security; unauthorized management risks communication compromise, authentication bypass, and data integrity. Rigorous control and logging are essential, aligning with ISO 27001, NIST CSF, PCI DSS, and OWASP Top 10."
+ ],
+ "id": [
+ "00E8e000000BI4Kc36",
+ "cf25e6fb-db83-4d44-b0be-94ff3f06a038"
+ ],
+ "name": [
+ "Manage Certificates"
+ ],
+ "reference": "https://{account}.lightning.force.com/lightning/setup/EnhancedProfiles/home",
+ "ruleset": "Role"
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ]
+ },
+ {
+ "@timestamp": "2025-11-13T00:03:31.000Z",
+ "axonius": {
+ "application": {
+ "adapter_list_length": 1,
+ "adapters": [
+ "google_mdm_adapter"
+ ],
+ "asset_type": "licenses",
+ "event": {
+ "accurate_for_datetime": "2025-11-13T00:03:31.000Z",
+ "adapter_categories": [
+ "IAM",
+ "MDM/EMM",
+ "SaaS Management"
+ ],
+ "client_used": "67fd09f2fe1c8e812a176bcf",
+ "data": {
+ "accurate_for_datetime": "2025-11-13T00:03:31.000Z",
+ "actual_renewal_date": "2025-10-12T02:33:56.000Z",
+ "application_and_account_name": "google workspace/google_mdm-demo",
+ "associated_users": [
+ {
+ "user_activity_status": "Active",
+ "username": "bobby.browning@demo.local"
+ }
+ ],
+ "cost": 3550.0,
+ "created": "2024-10-12T02:33:56.000Z",
+ "end_date": "2025-10-12T02:33:56.000Z",
+ "fetch_time": "2025-11-13T00:03:19.000Z",
+ "first_fetch_time": "2025-04-14T13:27:36.000Z",
+ "from_last_fetch": true,
+ "id": "319f2f6c5d26788d0233",
+ "id_raw": "javier.smith@demo.local_Google Workspace Enterprise Starter_2024-10-12 02:33:56.356025",
+ "is_active_license": true,
+ "is_active_license_from_adapter": true,
+ "is_fetched_from_adapter": true,
+ "last_fetch_connection_id": "67fd09f2fe1c8e812a176bcf",
+ "last_fetch_connection_label": "google_mdm-demo",
+ "license_estimated_monthly_cost": 295.8333333333333,
+ "license_estimated_yearly_cost": 3550.0,
+ "license_name": "Google Workspace Enterprise Starter",
+ "license_type": "Paid",
+ "name": "Google Workspace Enterprise Starter",
+ "not_fetched_count": 0,
+ "number_of_active_associated_users": 38,
+ "number_of_associated_users": 47,
+ "number_of_inactive_associated_users": 9,
+ "owner": "javier.smith@demo.local",
+ "possible_savings_of_inactive_associated_users": 225.0,
+ "pricing_unit": "User",
+ "quantity": 142,
+ "related_vendor_name": "Google Workspace",
+ "sm_entity_type": "license",
+ "source_application": "Google Workspace",
+ "start_date": "2024-10-12T02:33:56.000Z",
+ "subscription_term": "Yearly",
+ "tenant_number": [
+ "3"
+ ],
+ "type": "Licenses",
+ "unit_price": 25.0
+ },
+ "initial_plugin_unique_name": "google_mdm_adapter_0",
+ "plugin_name": "google_mdm_adapter",
+ "plugin_type": "Adapter",
+ "plugin_unique_name": "google_mdm_adapter_0",
+ "quick_id": "google_mdm_adapter_0!319f2f6c5d26788d0233",
+ "type": "entitydata"
+ },
+ "internal_axon_id": "0685616afbf903f022923548abb10f21",
+ "transform_unique_id": "PDgWrbSlbpnKum5I3yk0/u1bnL4="
+ }
+ },
+ "ecs": {
+ "version": "9.2.0"
+ },
+ "event": {
+ "created": "2024-10-12T02:33:56.000Z",
+ "kind": "event",
+ "original": "{\"asset_type\":\"licenses\",\"internal_axon_id\":\"0685616afbf903f022923548abb10f21\",\"adapters\":[\"google_mdm_adapter\"],\"adapter_list_length\":1,\"event\":{\"accurate_for_datetime\":\"Thu, 13 Nov 2025 00:03:31 GMT\",\"adapter_categories\":[\"IAM\",\"MDM/EMM\",\"SaaS Management\"],\"client_used\":\"67fd09f2fe1c8e812a176bcf\",\"data\":{\"accurate_for_datetime\":\"Thu, 13 Nov 2025 00:03:31 GMT\",\"actual_renewal_date\":\"Sun, 12 Oct 2025 02:33:56 GMT\",\"application_and_account_name\":\"google workspace/google_mdm-demo\",\"associated_users\":[{\"user_activity_status\":\"Active\",\"username\":\"bobby.browning@demo.local\"}],\"cost\":3550,\"created\":\"Sat, 12 Oct 2024 02:33:56 GMT\",\"end_date\":\"Sun, 12 Oct 2025 02:33:56 GMT\",\"fetch_time\":\"Thu, 13 Nov 2025 00:03:19 GMT\",\"first_fetch_time\":\"Mon, 14 Apr 2025 13:27:36 GMT\",\"from_last_fetch\":true,\"id\":\"319f2f6c5d26788d0233\",\"id_raw\":\"javier.smith@demo.local_Google Workspace Enterprise Starter_2024-10-12 02:33:56.356025\",\"is_active_license\":true,\"is_active_license_from_adapter\":true,\"is_fetched_from_adapter\":true,\"last_fetch_connection_id\":\"67fd09f2fe1c8e812a176bcf\",\"last_fetch_connection_label\":\"google_mdm-demo\",\"license_estimated_monthly_cost\":295.8333333333333,\"license_estimated_yearly_cost\":3550,\"license_name\":\"Google Workspace Enterprise Starter\",\"license_type\":\"Paid\",\"name\":\"Google Workspace Enterprise Starter\",\"not_fetched_count\":0,\"number_of_active_associated_users\":38,\"number_of_associated_users\":47,\"number_of_inactive_associated_users\":9,\"owner\":\"javier.smith@demo.local\",\"possible_savings_of_inactive_associated_users\":225,\"pricing_unit\":\"User\",\"quantity\":142,\"related_vendor_name\":\"Google Workspace\",\"sm_entity_type\":\"license\",\"source_application\":\"Google Workspace\",\"start_date\":\"Sat, 12 Oct 2024 02:33:56 
GMT\",\"subscription_term\":\"Yearly\",\"tenant_number\":[\"3\"],\"type\":\"Licenses\",\"unit_price\":25},\"initial_plugin_unique_name\":\"google_mdm_adapter_0\",\"plugin_name\":\"google_mdm_adapter\",\"plugin_type\":\"Adapter\",\"plugin_unique_name\":\"google_mdm_adapter_0\",\"quick_id\":\"google_mdm_adapter_0!319f2f6c5d26788d0233\",\"type\":\"entitydata\"}}",
+ "start": "2024-10-12T02:33:56.000Z"
+ },
+ "related": {
+ "user": [
+ "javier.smith@demo.local",
+ "bobby.browning@demo.local"
+ ]
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ]
+ },
+ {
+ "@timestamp": "2025-11-13T00:02:48.000Z",
+ "axonius": {
+ "application": {
+ "adapter_list_length": 1,
+ "adapters": [
+ "expenses_csv_adapter"
+ ],
+ "asset_type": "expenses",
+ "event": {
+ "accurate_for_datetime": "2025-11-13T00:02:48.000Z",
+ "adapter_categories": [
+ "SaaS Management"
+ ],
+ "client_used": "67fd09f23c68ed1b541bb4bb",
+ "data": {
+ "accurate_for_datetime": "2025-11-13T00:02:48.000Z",
+ "amount": 122,
+ "application_and_account_name": "csv - expenses/expenses_csv-demo",
+ "department": "Finance",
+ "fetch_time": "2025-11-13T00:02:47.000Z",
+ "first_fetch_time": "2025-04-14T13:27:23.000Z",
+ "from_last_fetch": true,
+ "id": "bc980236c772e609eee7",
+ "id_raw": "639d7122-64aa-46de-bf21-b0fb67b64f9a",
+ "is_fetched_from_adapter": true,
+ "last_fetch_connection_id": "67fd09f23c68ed1b541bb4bb",
+ "last_fetch_connection_label": "expenses_csv-demo",
+ "not_fetched_count": 0,
+ "pretty_id": "AX-1695425238",
+ "related_user": {
+ "email": "david.plummer@demo.local",
+ "remote_id": "24aa5fbc-ac92-4234-a246-04bfc6adc67c",
+ "username": "david.plummer@demo.local"
+ },
+ "related_vendor_name": "Dropbox",
+ "sm_entity_type": "expense",
+ "source_application": "CSV - Expenses",
+ "tenant_number": [
+ "2"
+ ],
+ "transaction_time": "2025-01-14T13:19:15.000Z",
+ "type": "Expenses",
+ "user_email": "david.plummer@demo.local",
+ "vendor_category": "File Sharing"
+ },
+ "initial_plugin_unique_name": "expenses_csv_adapter_0",
+ "plugin_name": "expenses_csv_adapter",
+ "plugin_type": "Adapter",
+ "plugin_unique_name": "expenses_csv_adapter_0",
+ "quick_id": "expenses_csv_adapter_0!bc980236c772e609eee7",
+ "type": "entitydata"
+ },
+ "internal_axon_id": "650e22d6e94f66e1e0e9a84f5367ef10",
+ "transform_unique_id": "ofNvee7NUR2vhcwUz/8CletYPm4="
+ }
+ },
+ "ecs": {
+ "version": "9.2.0"
+ },
+ "event": {
+ "kind": "event",
+ "original": "{\"asset_type\":\"expenses\",\"internal_axon_id\":\"650e22d6e94f66e1e0e9a84f5367ef10\",\"adapters\":[\"expenses_csv_adapter\"],\"adapter_list_length\":1,\"event\":{\"accurate_for_datetime\":\"Thu, 13 Nov 2025 00:02:48 GMT\",\"adapter_categories\":[\"SaaS Management\"],\"client_used\":\"67fd09f23c68ed1b541bb4bb\",\"data\":{\"accurate_for_datetime\":\"Thu, 13 Nov 2025 00:02:48 GMT\",\"amount\":122,\"application_and_account_name\":\"csv - expenses/expenses_csv-demo\",\"department\":\"Finance\",\"fetch_time\":\"Thu, 13 Nov 2025 00:02:47 GMT\",\"first_fetch_time\":\"Mon, 14 Apr 2025 13:27:23 GMT\",\"from_last_fetch\":true,\"id\":\"bc980236c772e609eee7\",\"id_raw\":\"639d7122-64aa-46de-bf21-b0fb67b64f9a\",\"is_fetched_from_adapter\":true,\"last_fetch_connection_id\":\"67fd09f23c68ed1b541bb4bb\",\"last_fetch_connection_label\":\"expenses_csv-demo\",\"not_fetched_count\":0,\"pretty_id\":\"AX-1695425238\",\"related_user\":{\"email\":\"david.plummer@demo.local\",\"full_name\":{},\"remote_id\":\"24aa5fbc-ac92-4234-a246-04bfc6adc67c\",\"username\":\"david.plummer@demo.local\"},\"related_vendor_name\":\"Dropbox\",\"sm_entity_type\":\"expense\",\"source_application\":\"CSV - Expenses\",\"tenant_number\":[\"2\"],\"transaction_time\":\"Tue, 14 Jan 2025 13:19:15 GMT\",\"type\":\"Expenses\",\"user_email\":\"david.plummer@demo.local\",\"vendor_category\":\"File Sharing\"},\"initial_plugin_unique_name\":\"expenses_csv_adapter_0\",\"plugin_name\":\"expenses_csv_adapter\",\"plugin_type\":\"Adapter\",\"plugin_unique_name\":\"expenses_csv_adapter_0\",\"quick_id\":\"expenses_csv_adapter_0!bc980236c772e609eee7\",\"type\":\"entitydata\"}}",
+ "start": "2025-01-14T13:19:15.000Z"
+ },
+ "related": {
+ "user": [
+ "david.plummer@demo.local",
+ "24aa5fbc-ac92-4234-a246-04bfc6adc67c"
+ ]
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "domain": "demo.local",
+ "email": "david.plummer@demo.local",
+ "id": "24aa5fbc-ac92-4234-a246-04bfc6adc67c",
+ "name": "david.plummer@demo.local"
+ }
+ },
+ {
+ "@timestamp": "2025-11-13T00:10:22.000Z",
+ "axonius": {
+ "application": {
+ "_id": "oracle:mysql",
+ "adapters": [
+ "axonius_catalog_adapter",
+ "chef_adapter",
+ "counter_act_adapter",
+ "tenable_security_center_adapter"
+ ],
+ "asset_type": "software",
+ "event": {
+ "accurate_for_datetime": "2025-11-13T00:10:22.000Z",
+ "client_used": "Internal",
+ "data": {
+ "accurate_for_datetime": "2025-11-13T00:10:22.000Z",
+ "categories": [
+ "Data Base Management"
+ ],
+ "first_seen": "2025-04-14T13:36:12.000Z",
+ "id": "oracle:mysql",
+ "installed_software": [
+ {
+ "end_of_support": "2025-04-30T00:00:00.000Z",
+ "has_reached_end_of_support": true,
+ "name": "MySQL",
+ "vendor": "Oracle Corporation",
+ "vendor_publisher": [
+ "Oracle Corporation"
+ ],
+ "version": "8.0.41"
+ }
+ ],
+ "sub_category": [
+ "SQL Databases"
+ ]
+ },
+ "initial_plugin_unique_name": "axonius_catalog_adapter",
+ "plugin_name": "axonius_catalog_adapter",
+ "plugin_type": "Internal",
+ "plugin_unique_name": "axonius_catalog_adapter",
+ "quick_id": "axonius_catalog_adapter!oracle:mysql",
+ "type": "entitydata"
+ },
+ "internal_axon_id": "719c5be77e2cda2f0257833ab6e810f9",
+ "transform_unique_id": "e3JqkbTJCeRM/DaKlAvmQ+FFnBw="
+ }
+ },
+ "ecs": {
+ "version": "9.2.0"
+ },
+ "event": {
+ "kind": "event",
+ "original": "{\"asset_type\":\"software\",\"internal_axon_id\":\"719c5be77e2cda2f0257833ab6e810f9\",\"adapters\":[\"axonius_catalog_adapter\",\"chef_adapter\",\"counter_act_adapter\",\"tenable_security_center_adapter\"],\"_id\":\"oracle:mysql\",\"event\":{\"accurate_for_datetime\":\"Thu, 13 Nov 2025 00:10:22 GMT\",\"client_used\":\"Internal\",\"data\":{\"accurate_for_datetime\":\"Thu, 13 Nov 2025 00:10:22 GMT\",\"categories\":[\"Data Base Management\"],\"first_seen\":\"Mon, 14 Apr 2025 13:36:12 GMT\",\"id\":\"oracle:mysql\",\"installed_software\":[{\"end_of_support\":\"Wed, 30 Apr 2025 00:00:00 GMT\",\"has_reached_end_of_support\":true,\"name\":\"MySQL\",\"vendor\":\"Oracle Corporation\",\"vendor_publisher\":[\"Oracle Corporation\"],\"version\":\"8.0.41\"}],\"sub_category\":[\"SQL Databases\"]},\"initial_plugin_unique_name\":\"axonius_catalog_adapter\",\"plugin_name\":\"axonius_catalog_adapter\",\"plugin_type\":\"Internal\",\"plugin_unique_name\":\"axonius_catalog_adapter\",\"quick_id\":\"axonius_catalog_adapter!oracle:mysql\",\"type\":\"entitydata\"}}"
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ]
+ }
+ ]
+}
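Review bot: In the expected `audit_activities` document, the actor's location is written to `host.geo.country_name` ("USA") and the login address `1.128.0.0` only reaches `related.ip`, so nothing describes the connection source and there is no `source.ip` for detections to key on. Consider mapping `actor_state.remote_ip` to `source.ip` and the country to `source.geo.country_name`. The same document has `@timestamp` equal to `accurate_for_datetime` (2025-11-13) while `action.timestamp` is 2025-02-26, so the login is indexed at collection time rather than when it happened; either use the action time or document the choice. In the `application_settings` document, `rule.reference` keeps the unresolved `{account}` placeholder and `rule.id` mixes the role's `entity_remote_id` with the vendor setting `_id`.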
diff --git a/packages/axonius/data_stream/application/_dev/test/pipeline/test-common-config.yml b/packages/axonius/data_stream/application/_dev/test/pipeline/test-common-config.yml
new file mode 100644
index 00000000000..be41bb0d476
--- /dev/null
+++ b/packages/axonius/data_stream/application/_dev/test/pipeline/test-common-config.yml
@@ -0,0 +1,4 @@
+fields:
+ tags:
+ - preserve_original_event
+ - preserve_duplicate_custom_fields
diff --git a/packages/axonius/data_stream/application/_dev/test/system/test-default-config.yml b/packages/axonius/data_stream/application/_dev/test/system/test-default-config.yml
new file mode 100644
index 00000000000..40c07673cfb
--- /dev/null
+++ b/packages/axonius/data_stream/application/_dev/test/system/test-default-config.yml
@@ -0,0 +1,13 @@
+input: cel
+service: axonius
+vars:
+ url: http://{{Hostname}}:{{Port}}
+ api_key: xxxx
+ secret_key: xxxx
+data_stream:
+ vars:
+ preserve_original_event: true
+ preserve_duplicate_custom_fields: true
+ batch_size: 2
+assert:
+ hit_count: 5
diff --git a/packages/axonius/data_stream/application/agent/stream/cel.yml.hbs b/packages/axonius/data_stream/application/agent/stream/cel.yml.hbs
new file mode 100644
index 00000000000..53ef121d8bd
--- /dev/null
+++ b/packages/axonius/data_stream/application/agent/stream/cel.yml.hbs
@@ -0,0 +1,140 @@
+config_version: 2
+interval: {{interval}}
+resource.tracer:
+ enabled: {{enable_request_tracer}}
+ filename: "../../logs/cel/http-request-trace-*.ndjson"
+ maxbackups: 5
+{{#if proxy_url}}
+resource.proxy_url: {{proxy_url}}
+{{/if}}
+{{#if ssl}}
+resource.ssl: {{ssl}}
+{{/if}}
+{{#if http_client_timeout}}
+resource.timeout: {{http_client_timeout}}
+{{/if}}
+resource.url: {{url}}
+
+state:
+ api_key: {{api_key}}
+ secret_key: {{secret_key}}
+ batch_size: {{batch_size}}
+ asset_type_list:
+ - software
+ - saas_applications
+ - application_settings
+ - licenses
+ - expenses
+ - admin_managed_extensions
+ - user_initiated_extensions
+ - application_addons
+ - admin_managed_extension_instances
+ - user_initiated_extension_instances
+ - application_addon_instances
+ - application_keys
+ - audit_activities
+ - business_applications
+ - urls
+ - application_services
+ - application_resources
+ - secrets
+
+redact:
+ fields:
+ - api_key
+ - secret_key
+program: |
+ (
+ state.?worklist.asset_type_list[0].hasValue() ?
+ state
+ :
+ state.drop("worklist").with(
+ {
+ "worklist": {
+ "asset_type_list": state.asset_type_list,
+ }
+ }
+ )
+ ).as(state, state.with(
+ request(
+ "POST",
+ state.url.trim_right("/") + "/api/v2/assets/" + string(state.worklist.asset_type_list[0])
+ ).with(
+ {
+ "Header": {
+ "Content-Type": ["application/json"],
+ "api-key": [state.api_key],
+ "api-secret": [state.secret_key],
+ },
+ "Body": {
+ "include_metadata": true,
+ "page": {
+ "limit": state.batch_size,
+ },
+ ?"next_page": state.?worklist.?next_page,
+ "fields": ["specific_data"],
+ "use_cache_entry": false,
+ "include_details": false,
+ }.encode_json(),
+ }
+ ).do_request().as(resp, resp.StatusCode == 200 ?
+ resp.Body.decode_json().as(body,
+ {
+ "events": (has(body.assets) && size(body.assets) > 0 ?
+ body.assets.map(assets,
+ assets.specific_data.map(d,{
+ "message":{
+ ?"internal_axon_id": assets.?internal_axon_id,
+ ?"adapters": assets.?adapters,
+ ?"adapter_list_length": assets.?adapter_list_length,
+ ?"labels": assets.?labels,
+ "asset_type": string(state.worklist.asset_type_list[0]),
+ "event": d
+ }.encode_json(),
+ })
+ ).flatten()
+ :
+ [{"message":"empty_data"}]
+ ),
+ "worklist": {
+ "asset_type_list": (has(body.meta.page.number) && has(body.meta.page.totalPages) &&
+ int(body.meta.page.number) < int(body.meta.page.totalPages)) ? state.worklist.asset_type_list : tail(state.worklist.asset_type_list),
+ "next_page": (has(body.meta.page.number) && has(body.meta.page.totalPages) &&
+ int(body.meta.page.number) < int(body.meta.page.totalPages)) ? (body.?meta.?next_page) : null,
+ },
+ "want_more": (has(body.meta.page.number) && has(body.meta.page.totalPages) &&
+ int(body.meta.page.number) < int(body.meta.page.totalPages) || size(state.worklist.asset_type_list) > 1),
+ }
+ )
+ :
+ {
+ "events": {
+ "error": {
+ "code": string(resp.StatusCode),
+ "id": string(resp.Status),
+ "message": "POST:" + state.url.trim_right("/") + "/api/v2/assets/ " + string(state.worklist.asset_type_list[0]) + (
+ size(resp.Body) != 0 ?
+ string(resp.Body)
+ :
+ string(resp.Status) + " (" + string(resp.StatusCode) + ")"
+ ),
+ },
+ },
+ "want_more": false,
+ }
+ )
+ ))
+tags:
+{{#if preserve_duplicate_custom_fields}}
+ - preserve_duplicate_custom_fields
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
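Review bot: In the non-200 branch of `program`, the returned state sets only `events` and `want_more: false`, so `worklist` still points at the asset type that failed. Because the opening check reuses the existing worklist whenever `asset_type_list[0]` has a value, every later interval retries that same type first, and one type that keeps failing blocks collection of every type after it in the list. Consider emitting the error and moving on with `tail(state.worklist.asset_type_list)`, keeping `want_more` true while types remain. The error message also has a stray space in `"/api/v2/assets/ "` and no separator before the response body. Since `api-key` and `api-secret` travel as custom request headers, please confirm they are not written to the trace file when `enable_request_tracer` is on.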
diff --git a/packages/axonius/data_stream/application/elasticsearch/ilm/default_policy.json b/packages/axonius/data_stream/application/elasticsearch/ilm/default_policy.json
new file mode 100644
index 00000000000..a2258ec38f8
--- /dev/null
+++ b/packages/axonius/data_stream/application/elasticsearch/ilm/default_policy.json
@@ -0,0 +1,23 @@
+{
+ "policy": {
+ "phases": {
+ "hot": {
+ "actions": {
+ "rollover": {
+ "max_age": "2d",
+ "max_size": "50gb"
+ },
+ "set_priority": {
+ "priority": 100
+ }
+ }
+ },
+ "delete": {
+ "min_age": "30d",
+ "actions": {
+ "delete": {}
+ }
+ }
+ }
+ }
+}
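Review bot: the `delete` phase's `"min_age": "30d"` is measured from rollover rather than from index creation, so together with `"max_age": "2d"` in the `hot` phase a document can be retained for roughly 32 days, not 30. If 30 days is meant as a retention limit for this asset data, say so in the package documentation and note the rollover offset. JSON cannot carry comments, so the reasoning behind the 2d / 50gb / 30d values should also live in the README or changelog, so that operators know ingested application inventory is deleted automatically.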
diff --git a/packages/axonius/data_stream/application/elasticsearch/ingest_pipeline/default.yml b/packages/axonius/data_stream/application/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..8ce4db9fe43
--- /dev/null
+++ b/packages/axonius/data_stream/application/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,1553 @@
+---
+description: Pipeline for processing application logs.
+processors:
+ - set:
+ field: ecs.version
+ tag: set_ecs_version
+ value: 9.2.0
+ - terminate:
+ description: error message set and no data to process.
+ tag: terminate_data_collection_error
+ if: ctx.error?.message != null && ctx.message == null && ctx.event?.original == null
+ - drop:
+ if: ctx.message == 'empty_data'
+ tag: drop_empty_data_events
+
+ # remove agentless metadata
+ - remove:
+ description: Removes the fields added by Agentless as metadata, as they can collide with ECS fields.
+ tag: remove_agentless_tags
+ if: ctx.organization instanceof String && ctx.division instanceof String && ctx.team instanceof String
+ field:
+ - organization
+ - division
+ - team
+ ignore_missing: true
+
+ - rename:
+ field: message
+ tag: rename_message_to_event_original
+ target_field: event.original
+ ignore_missing: true
+ description: Renames the original `message` field to `event.original` to store a copy of the original message. The `event.original` field is not touched if the document already has one; it may happen when Logstash sends the document.
+ if: ctx.event?.original == null
+ - remove:
+ field: message
+ tag: remove_message
+ ignore_missing: true
+ description: The `message` field is no longer required if the document has an `event.original` field.
+ if: ctx.event?.original != null
+ - json:
+ field: event.original
+ tag: json_event_original
+ target_field: json
+ - fingerprint:
+ fields:
+ - event.original
+ tag: fingerprint_event_original
+ target_field: axonius.application.transform_unique_id
+ ignore_missing: true
+ - set:
+ tag: set_event_kind
+ field: event.kind
+ value: event
+
+ - convert:
+ field: json.adapter_list_length
+ tag: convert_adapter_list_length_to_long
+ target_field: axonius.application.adapter_list_length
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.adapters
+ tag: rename_adapters
+ target_field: axonius.application.adapters
+ ignore_missing: true
+ - rename:
+ field: json.asset_type
+ tag: rename_asset_type
+ target_field: axonius.application.asset_type
+ ignore_missing: true
+ - date:
+ field: json.event.accurate_for_datetime
+ tag: date_event_accurate_for_datetime
+ target_field: axonius.application.event.accurate_for_datetime
+ formats:
+ - EEE, dd MMM yyyy HH:mm:ss 'GMT'
+ - yyyy-MM-dd
+ - EEE,dd MMM yyyy HH:mm:ss 'GMT'
+ if: ctx.json?.event?.accurate_for_datetime != null && ctx.json.event.accurate_for_datetime != ''
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: '@timestamp'
+ tag: set_@timestamp_from_application_event_accurate_for_datetime
+ copy_from: axonius.application.event.accurate_for_datetime
+ ignore_empty_value: true
+ - rename:
+ field: json.event.action_if_exists
+ tag: rename_event_action_if_exists
+ target_field: axonius.application.event.action_if_exists
+ ignore_missing: true
+ - set:
+ field: event.action
+ tag: set_event_action_from_application_event_action_if_exists
+ copy_from: axonius.application.event.action_if_exists
+ ignore_empty_value: true
+ - lowercase:
+ field: event.action
+ tag: lowercase_event_action
+ ignore_missing: true
+ - rename:
+ field: json.event.adapter_categories
+ tag: rename_event_adapter_categories
+ target_field: axonius.application.event.adapter_categories
+ ignore_missing: true
+ - rename:
+ field: json.event.associated_adapter_plugin_name
+ tag: rename_event_associated_adapter_plugin_name
+ target_field: axonius.application.event.associated_adapter_plugin_name
+ ignore_missing: true
+ - rename:
+ field: json.event.association_type
+ tag: rename_event_association_type
+ target_field: axonius.application.event.association_type
+ ignore_missing: true
+ - rename:
+ field: json.event.client_used
+ tag: rename_event_client_used
+ target_field: axonius.application.event.client_used
+ ignore_missing: true
+ - date:
+ field: json.event.data.accurate_for_datetime
+ tag: date_event_data_accurate_for_datetime
+ target_field: axonius.application.event.data.accurate_for_datetime
+ formats:
+ - EEE, dd MMM yyyy HH:mm:ss 'GMT'
+ - yyyy-MM-dd
+ - EEE,dd MMM yyyy HH:mm:ss 'GMT'
+ if: ctx.json?.event?.data?.accurate_for_datetime != null && ctx.json.event.data.accurate_for_datetime != ''
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.event.data.activity_status
+ tag: rename_event_data_activity_status
+ target_field: axonius.application.event.data.activity_status
+ ignore_missing: true
+ - convert:
+ field: json.event.data.activity_status_active
+ tag: convert_event_data_activity_status_active_to_long
+ target_field: axonius.application.event.data.activity_status_active
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.activity_status_active_hyperlink
+ tag: foreach_event_data_activity_status_active_hyperlink_bracketWeight
+ if: ctx.json?.event?.data?.activity_status_active_hyperlink instanceof List
+ processor:
+ convert:
+ field: _ingest._value.bracketWeight
+ tag: convert_event_data_activity_status_active_hyperlink_bracketWeight_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.bracketWeight
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.activity_status_active_hyperlink
+ tag: foreach_event_data_activity_status_active_hyperlink_leftBracket
+ if: ctx.json?.event?.data?.activity_status_active_hyperlink instanceof List
+ processor:
+ convert:
+ field: _ingest._value.leftBracket
+ tag: convert_event_data_activity_status_active_hyperlink_leftBracket_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.leftBracket
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.activity_status_active_hyperlink
+ tag: foreach_event_data_activity_status_active_hyperlink_not
+ if: ctx.json?.event?.data?.activity_status_active_hyperlink instanceof List
+ processor:
+ convert:
+ field: _ingest._value.not
+ tag: convert_event_data_activity_status_active_hyperlink_not_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.not
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.activity_status_active_hyperlink
+ tag: foreach_event_data_activity_status_active_hyperlink_rightBracket
+ if: ctx.json?.event?.data?.activity_status_active_hyperlink instanceof List
+ processor:
+ convert:
+ field: _ingest._value.rightBracket
+ tag: convert_event_data_activity_status_active_hyperlink_rightBracket_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.rightBracket
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.event.data.activity_status_active_hyperlink
+ tag: rename_event_data_activity_status_active_hyperlink
+ target_field: axonius.application.event.data.activity_status_active_hyperlink
+ ignore_missing: true
+ - convert:
+ field: json.event.data.activity_status_inactive
+ tag: convert_event_data_activity_status_inactive_to_long
+ target_field: axonius.application.event.data.activity_status_inactive
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.activity_status_inactive_hyperlink
+ tag: foreach_event_data_activity_status_inactive_hyperlink_bracketWeight
+ if: ctx.json?.event?.data?.activity_status_inactive_hyperlink instanceof List
+ processor:
+ convert:
+ field: _ingest._value.bracketWeight
+ tag: convert_event_data_activity_status_inactive_hyperlink_bracketWeight_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.bracketWeight
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.activity_status_inactive_hyperlink
+ tag: foreach_event_data_activity_status_inactive_hyperlink_leftBracket
+ if: ctx.json?.event?.data?.activity_status_inactive_hyperlink instanceof List
+ processor:
+ convert:
+ field: _ingest._value.leftBracket
+ tag: convert_event_data_activity_status_inactive_hyperlink_leftBracket_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.leftBracket
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.activity_status_inactive_hyperlink
+ tag: foreach_event_data_activity_status_inactive_hyperlink_not
+ if: ctx.json?.event?.data?.activity_status_inactive_hyperlink instanceof List
+ processor:
+ convert:
+ field: _ingest._value.not
+ tag: convert_event_data_activity_status_inactive_hyperlink_not_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.not
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.activity_status_inactive_hyperlink
+ tag: foreach_event_data_activity_status_inactive_hyperlink_rightBracket
+ if: ctx.json?.event?.data?.activity_status_inactive_hyperlink instanceof List
+ processor:
+ convert:
+ field: _ingest._value.rightBracket
+ tag: convert_event_data_activity_status_inactive_hyperlink_rightBracket_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.rightBracket
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.event.data.activity_status_inactive_hyperlink
+ tag: rename_event_data_activity_status_inactive_hyperlink
+ target_field: axonius.application.event.data.activity_status_inactive_hyperlink
+ ignore_missing: true
+ - rename:
+ field: json.event.data.app_id
+ tag: rename_event_data_app_id
+ target_field: axonius.application.event.data.app_id
+ ignore_missing: true
+ - rename:
+ field: json.event.data.application_and_account_name
+ tag: rename_event_data_application_and_account_name
+ target_field: axonius.application.event.data.application_and_account_name
+ ignore_missing: true
+ - rename:
+ field: json.event.data.application_resource_id
+ tag: rename_event_data_application_resource_id
+ target_field: axonius.application.event.data.application_resource_id
+ ignore_missing: true
+ - rename:
+ field: json.event.data.application_resource_type
+ tag: rename_event_data_application_resource_type
+ target_field: axonius.application.event.data.application_resource_type
+ ignore_missing: true
+ - rename:
+ field: json.event.data.approval_status
+ tag: rename_event_data_approval_status
+ target_field: axonius.application.event.data.approval_status
+ ignore_missing: true
+ - rename:
+ field: json.event.data.association_scope
+ tag: rename_event_data_association_scope
+ target_field: axonius.application.event.data.association_scope
+ ignore_missing: true
+ - rename:
+ field: json.event.data.auth_type
+ tag: rename_event_data_auth_type
+ target_field: axonius.application.event.data.auth_type
+ ignore_missing: true
+ - date:
+ field: json.event.data.created
+ tag: date_event_data_created
+ target_field: axonius.application.event.data.created
+ formats:
+ - EEE, dd MMM yyyy HH:mm:ss 'GMT'
+ - yyyy-MM-dd
+ - EEE,dd MMM yyyy HH:mm:ss 'GMT'
+ if: ctx.json?.event?.data?.created != null && ctx.json.event.data.created != ''
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: event.created
+ tag: set_event_created_from_application_event_data_created
+ copy_from: axonius.application.event.data.created
+ ignore_empty_value: true
+ - rename:
+ field: json.event.data.department
+ tag: rename_event_data_department
+ target_field: axonius.application.event.data.department
+ ignore_missing: true
+ - convert:
+ field: json.event.data.excessive_read
+ tag: convert_event_data_excessive_read_to_long
+ target_field: axonius.application.event.data.excessive_read
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.excessive_read_link
+ tag: foreach_event_data_excessive_read_link_bracketWeight
+ if: ctx.json?.event?.data?.excessive_read_link instanceof List
+ processor:
+ convert:
+ field: _ingest._value.bracketWeight
+ tag: convert_event_data_excessive_read_link_bracketWeight_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.bracketWeight
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.excessive_read_link
+ tag: foreach_event_data_excessive_read_link_leftBracket
+ if: ctx.json?.event?.data?.excessive_read_link instanceof List
+ processor:
+ convert:
+ field: _ingest._value.leftBracket
+ tag: convert_event_data_excessive_read_link_leftBracket_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.leftBracket
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.excessive_read_link
+ tag: foreach_event_data_excessive_read_link_not
+ if: ctx.json?.event?.data?.excessive_read_link instanceof List
+ processor:
+ convert:
+ field: _ingest._value.not
+ tag: convert_event_data_excessive_read_link_not_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.not
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.excessive_read_link
+ tag: foreach_event_data_excessive_read_link_rightBracket
+ if: ctx.json?.event?.data?.excessive_read_link instanceof List
+ processor:
+ convert:
+ field: _ingest._value.rightBracket
+ tag: convert_event_data_excessive_read_link_rightBracket_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.rightBracket
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.event.data.excessive_read_link
+ tag: rename_event_data_excessive_read_link
+ target_field: axonius.application.event.data.excessive_read_link
+ ignore_missing: true
+ - convert:
+ field: json.event.data.excessive_write
+ tag: convert_event_data_excessive_write_to_long
+ target_field: axonius.application.event.data.excessive_write
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.excessive_write_link
+ tag: foreach_event_data_excessive_write_link_bracketWeight
+ if: ctx.json?.event?.data?.excessive_write_link instanceof List
+ processor:
+ convert:
+ field: _ingest._value.bracketWeight
+ tag: convert_event_data_excessive_write_link_bracketWeight_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.bracketWeight
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.excessive_write_link
+ tag: foreach_event_data_excessive_write_link_leftBracket
+ if: ctx.json?.event?.data?.excessive_write_link instanceof List
+ processor:
+ convert:
+ field: _ingest._value.leftBracket
+ tag: convert_event_data_excessive_write_link_leftBracket_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.leftBracket
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.excessive_write_link
+ tag: foreach_event_data_excessive_write_link_not
+ if: ctx.json?.event?.data?.excessive_write_link instanceof List
+ processor:
+ convert:
+ field: _ingest._value.not
+ tag: convert_event_data_excessive_write_link_not_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.not
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.excessive_write_link
+ tag: foreach_event_data_excessive_write_link_rightBracket
+ if: ctx.json?.event?.data?.excessive_write_link instanceof List
+ processor:
+ convert:
+ field: _ingest._value.rightBracket
+ tag: convert_event_data_excessive_write_link_rightBracket_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.rightBracket
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.event.data.excessive_write_link
+ tag: rename_event_data_excessive_write_link
+ target_field: axonius.application.event.data.excessive_write_link
+ ignore_missing: true
+ - rename:
+ field: json.event.data.extension_type
+ tag: rename_event_data_extension_type
+ target_field: axonius.application.event.data.extension_type
+ ignore_missing: true
+ - date:
+ field: json.event.data.fetch_time
+ tag: date_event_data_fetch_time
+ target_field: axonius.application.event.data.fetch_time
+ formats:
+ - EEE, dd MMM yyyy HH:mm:ss 'GMT'
+ - yyyy-MM-dd
+ - EEE,dd MMM yyyy HH:mm:ss 'GMT'
+ if: ctx.json?.event?.data?.fetch_time != null && ctx.json.event.data.fetch_time != ''
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: json.event.data.first_fetch_time
+ tag: date_event_data_first_fetch_time
+ target_field: axonius.application.event.data.first_fetch_time
+ formats:
+ - EEE, dd MMM yyyy HH:mm:ss 'GMT'
+ - yyyy-MM-dd
+ - EEE,dd MMM yyyy HH:mm:ss 'GMT'
+ if: ctx.json?.event?.data?.first_fetch_time != null && ctx.json.event.data.first_fetch_time != ''
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: json.event.data.first_seen
+ tag: date_event_data_first_seen
+ target_field: axonius.application.event.data.first_seen
+ formats:
+ - EEE, dd MMM yyyy HH:mm:ss 'GMT'
+ - yyyy-MM-dd
+ - EEE,dd MMM yyyy HH:mm:ss 'GMT'
+ if: ctx.json?.event?.data?.first_seen != null && ctx.json.event.data.first_seen != ''
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.event.data.from_last_fetch
+ tag: convert_event_data_from_last_fetch_to_boolean
+ target_field: axonius.application.event.data.from_last_fetch
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.event.data.grant_types
+ tag: rename_event_data_grant_types
+ target_field: axonius.application.event.data.grant_types
+ ignore_missing: true
+ - rename:
+ field: json.event.data.id
+ tag: rename_event_data_id
+ target_field: axonius.application.event.data.id
+ ignore_missing: true
+ - rename:
+ field: json.event.data.id_raw
+ tag: rename_event_data_id_raw
+ target_field: axonius.application.event.data.id_raw
+ ignore_missing: true
+ - rename:
+ field: json.event.data.integration_type
+ tag: rename_event_data_integration_type
+ target_field: axonius.application.event.data.integration_type
+ ignore_missing: true
+ - convert:
+ field: json.event.data.is_admin
+ tag: convert_event_data_is_admin_to_long
+ target_field: axonius.application.event.data.is_admin
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.is_admin_hyperlink
+ tag: foreach_event_data_is_admin_hyperlink_bracketWeight
+ if: ctx.json?.event?.data?.is_admin_hyperlink instanceof List
+ processor:
+ convert:
+ field: _ingest._value.bracketWeight
+ tag: convert_event_data_is_admin_hyperlink_bracketWeight_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.bracketWeight
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.is_admin_hyperlink
+ tag: foreach_event_data_is_admin_hyperlink_leftBracket
+ if: ctx.json?.event?.data?.is_admin_hyperlink instanceof List
+ processor:
+ convert:
+ field: _ingest._value.leftBracket
+ tag: convert_event_data_is_admin_hyperlink_leftBracket_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.leftBracket
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.is_admin_hyperlink
+ tag: foreach_event_data_is_admin_hyperlink_not
+ if: ctx.json?.event?.data?.is_admin_hyperlink instanceof List
+ processor:
+ convert:
+ field: _ingest._value.not
+ tag: convert_event_data_is_admin_hyperlink_not_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.not
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.is_admin_hyperlink
+ tag: foreach_event_data_is_admin_hyperlink_rightBracket
+ if: ctx.json?.event?.data?.is_admin_hyperlink instanceof List
+ processor:
+ convert:
+ field: _ingest._value.rightBracket
+ tag: convert_event_data_is_admin_hyperlink_rightBracket_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.rightBracket
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.event.data.is_admin_hyperlink
+ tag: rename_event_data_is_admin_hyperlink
+ target_field: axonius.application.event.data.is_admin_hyperlink
+ ignore_missing: true
+ - convert:
+ field: json.event.data.is_fetched_from_adapter
+ tag: convert_event_data_is_fetched_from_adapter_to_boolean
+ target_field: axonius.application.event.data.is_fetched_from_adapter
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.event.data.is_identity
+ tag: convert_event_data_is_identity_to_long
+ target_field: axonius.application.event.data.is_identity
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.is_identity_hyperlink
+ tag: foreach_event_data_is_identity_hyperlink_bracketWeight
+ if: ctx.json?.event?.data?.is_identity_hyperlink instanceof List
+ processor:
+ convert:
+ field: _ingest._value.bracketWeight
+ tag: convert_event_data_is_identity_hyperlink_bracketWeight_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.bracketWeight
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.is_identity_hyperlink
+ tag: foreach_event_data_is_identity_hyperlink_leftBracket
+ if: ctx.json?.event?.data?.is_identity_hyperlink instanceof List
+ processor:
+ convert:
+ field: _ingest._value.leftBracket
+ tag: convert_event_data_is_identity_hyperlink_leftBracket_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.leftBracket
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.is_identity_hyperlink
+ tag: foreach_event_data_is_identity_hyperlink_not
+ if: ctx.json?.event?.data?.is_identity_hyperlink instanceof List
+ processor:
+ convert:
+ field: _ingest._value.not
+ tag: convert_event_data_is_identity_hyperlink_not_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.not
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.is_identity_hyperlink
+ tag: foreach_event_data_is_identity_hyperlink_rightBracket
+ if: ctx.json?.event?.data?.is_identity_hyperlink instanceof List
+ processor:
+ convert:
+ field: _ingest._value.rightBracket
+ tag: convert_event_data_is_identity_hyperlink_rightBracket_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.rightBracket
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.event.data.is_identity_hyperlink
+ tag: rename_event_data_is_identity_hyperlink
+ target_field: axonius.application.event.data.is_identity_hyperlink
+ ignore_missing: true
+ - convert:
+ field: json.event.data.is_operational
+ tag: convert_event_data_is_operational_to_boolean
+ target_field: axonius.application.event.data.is_operational
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: json.event.data.last_access
+ tag: date_event_data_last_access
+ target_field: axonius.application.event.data.last_access
+ formats:
+ - EEE, dd MMM yyyy HH:mm:ss 'GMT'
+ - yyyy-MM-dd
+ - EEE,dd MMM yyyy HH:mm:ss 'GMT'
+ if: ctx.json?.event?.data?.last_access != null && ctx.json.event.data.last_access != ''
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.event.data.last_fetch_connection_id
+ tag: rename_event_data_last_fetch_connection_id
+ target_field: axonius.application.event.data.last_fetch_connection_id
+ ignore_missing: true
+ - rename:
+ field: json.event.data.last_fetch_connection_label
+ tag: rename_event_data_last_fetch_connection_label
+ target_field: axonius.application.event.data.last_fetch_connection_label
+ ignore_missing: true
+ - date:
+ field: json.event.data.last_seen
+ tag: date_event_data_last_seen
+ target_field: axonius.application.event.data.last_seen
+ formats:
+ - EEE, dd MMM yyyy HH:mm:ss 'GMT'
+ - yyyy-MM-dd
+ - EEE,dd MMM yyyy HH:mm:ss 'GMT'
+ if: ctx.json?.event?.data?.last_seen != null && ctx.json.event.data.last_seen != ''
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: json.event.data.last_used
+ tag: date_event_data_last_used
+ target_field: axonius.application.event.data.last_used
+ formats:
+ - EEE, dd MMM yyyy HH:mm:ss 'GMT'
+ - yyyy-MM-dd
+ - EEE,dd MMM yyyy HH:mm:ss 'GMT'
+ if: ctx.json?.event?.data?.last_used != null && ctx.json.event.data.last_used != ''
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.event.data.name
+ tag: rename_event_data_name
+ target_field: axonius.application.event.data.name
+ ignore_missing: true
+ - convert:
+ field: json.event.data.never_accessed
+ tag: convert_event_data_never_accessed_to_boolean
+ target_field: axonius.application.event.data.never_accessed
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.event.data.not_fetched_count
+ tag: convert_event_data_not_fetched_count_to_long
+ target_field: axonius.application.event.data.not_fetched_count
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.event.data.owner
+ tag: rename_event_data_owner
+ target_field: axonius.application.event.data.owner
+ ignore_missing: true
+ - append:
+ field: related.user
+ tag: append_application_event_data_owner_into_related_user
+ value: '{{{axonius.application.event.data.owner}}}'
+ allow_duplicates: false
+ if: ctx.axonius?.application?.event?.data?.owner != null
+ - rename:
+ field: json.event.data.permissions.alias
+ tag: rename_event_data_permissions_alias
+ target_field: axonius.application.event.data.permissions.alias
+ ignore_missing: true
+ - rename:
+ field: json.event.data.permissions.hash_id
+ tag: rename_event_data_permissions_hash_id
+ target_field: axonius.application.event.data.permissions.hash_id
+ ignore_missing: true
+ - convert:
+ field: json.event.data.permissions.is_admin
+ tag: convert_event_data_permissions_is_admin_to_boolean
+ target_field: axonius.application.event.data.permissions.is_admin
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.event.data.permissions.name
+ tag: rename_event_data_permissions_name
+ target_field: axonius.application.event.data.permissions.name
+ ignore_missing: true
+ - rename:
+ field: json.event.data.permissions.scope_tag
+ tag: rename_event_data_permissions_scope_tag
+ target_field: axonius.application.event.data.permissions.scope_tag
+ ignore_missing: true
+ - convert:
+ field: json.event.data.permissions.users_amount
+ tag: convert_event_data_permissions_users_amount_to_long
+ target_field: axonius.application.event.data.permissions.users_amount
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.event.data.pretty_id
+ tag: rename_event_data_pretty_id
+ target_field: axonius.application.event.data.pretty_id
+ ignore_missing: true
+ - rename:
+ field: json.event.data.redirect_uris
+ tag: rename_event_data_redirect_uris
+ target_field: axonius.application.event.data.redirect_uris
+ ignore_missing: true
+ - rename:
+ field: json.event.data.related_vendor_name
+ tag: rename_event_data_related_vendor_name
+ target_field: axonius.application.event.data.related_vendor_name
+ ignore_missing: true
+ - convert:
+ field: json.event.data.scope_tag_calendar
+ tag: convert_event_data_scope_tag_calendar_to_long
+ target_field: axonius.application.event.data.scope_tag_calendar
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.scope_tag_calendar_hyperlink
+ tag: foreach_event_data_scope_tag_calendar_hyperlink_bracketWeight
+ if: ctx.json?.event?.data?.scope_tag_calendar_hyperlink instanceof List
+ processor:
+ convert:
+ field: _ingest._value.bracketWeight
+ tag: convert_event_data_scope_tag_calendar_hyperlink_bracketWeight_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.bracketWeight
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.scope_tag_calendar_hyperlink
+ tag: foreach_event_data_scope_tag_calendar_hyperlink_leftBracket
+ if: ctx.json?.event?.data?.scope_tag_calendar_hyperlink instanceof List
+ processor:
+ convert:
+ field: _ingest._value.leftBracket
+ tag: convert_event_data_scope_tag_calendar_hyperlink_leftBracket_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.leftBracket
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.scope_tag_calendar_hyperlink
+ tag: foreach_event_data_scope_tag_calendar_hyperlink_not
+ if: ctx.json?.event?.data?.scope_tag_calendar_hyperlink instanceof List
+ processor:
+ convert:
+ field: _ingest._value.not
+ tag: convert_event_data_scope_tag_calendar_hyperlink_not_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.not
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.scope_tag_calendar_hyperlink
+ tag: foreach_event_data_scope_tag_calendar_hyperlink_rightBracket
+ if: ctx.json?.event?.data?.scope_tag_calendar_hyperlink instanceof List
+ processor:
+ convert:
+ field: _ingest._value.rightBracket
+ tag: convert_event_data_scope_tag_calendar_hyperlink_rightBracket_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.rightBracket
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.event.data.scope_tag_calendar_hyperlink
+ tag: rename_event_data_scope_tag_calendar_hyperlink
+ target_field: axonius.application.event.data.scope_tag_calendar_hyperlink
+ ignore_missing: true
+ - convert:
+ field: json.event.data.scope_tag_drive
+ tag: convert_event_data_scope_tag_drive_to_long
+ target_field: axonius.application.event.data.scope_tag_drive
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.scope_tag_drive_hyperlink
+ tag: foreach_event_data_scope_tag_drive_hyperlink_bracketWeight
+ if: ctx.json?.event?.data?.scope_tag_drive_hyperlink instanceof List
+ processor:
+ convert:
+ field: _ingest._value.bracketWeight
+ tag: convert_event_data_scope_tag_drive_hyperlink_bracketWeight_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.bracketWeight
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.scope_tag_drive_hyperlink
+ tag: foreach_event_data_scope_tag_drive_hyperlink_leftBracket
+ if: ctx.json?.event?.data?.scope_tag_drive_hyperlink instanceof List
+ processor:
+ convert:
+ field: _ingest._value.leftBracket
+ tag: convert_event_data_scope_tag_drive_hyperlink_leftBracket_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.leftBracket
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.scope_tag_drive_hyperlink
+ tag: foreach_event_data_scope_tag_drive_hyperlink_not
+ if: ctx.json?.event?.data?.scope_tag_drive_hyperlink instanceof List
+ processor:
+ convert:
+ field: _ingest._value.not
+ tag: convert_event_data_scope_tag_drive_hyperlink_not_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.not
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.scope_tag_drive_hyperlink
+ tag: foreach_event_data_scope_tag_drive_hyperlink_rightBracket
+ if: ctx.json?.event?.data?.scope_tag_drive_hyperlink instanceof List
+ processor:
+ convert:
+ field: _ingest._value.rightBracket
+ tag: convert_event_data_scope_tag_drive_hyperlink_rightBracket_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.rightBracket
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.event.data.scope_tag_drive_hyperlink
+ tag: rename_event_data_scope_tag_drive_hyperlink
+ target_field: axonius.application.event.data.scope_tag_drive_hyperlink
+ ignore_missing: true
+ - convert:
+ field: json.event.data.scope_tag_mail
+ tag: convert_event_data_scope_tag_mail_to_long
+ target_field: axonius.application.event.data.scope_tag_mail
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.scope_tag_mail_hyperlink
+ tag: foreach_event_data_scope_tag_mail_hyperlink_bracketWeight
+ if: ctx.json?.event?.data?.scope_tag_mail_hyperlink instanceof List
+ processor:
+ convert:
+ field: _ingest._value.bracketWeight
+ tag: convert_event_data_scope_tag_mail_hyperlink_bracketWeight_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.bracketWeight
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.scope_tag_mail_hyperlink
+ tag: foreach_event_data_scope_tag_mail_hyperlink_leftBracket
+ if: ctx.json?.event?.data?.scope_tag_mail_hyperlink instanceof List
+ processor:
+ convert:
+ field: _ingest._value.leftBracket
+ tag: convert_event_data_scope_tag_mail_hyperlink_leftBracket_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.leftBracket
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.scope_tag_mail_hyperlink
+ tag: foreach_event_data_scope_tag_mail_hyperlink_not
+ if: ctx.json?.event?.data?.scope_tag_mail_hyperlink instanceof List
+ processor:
+ convert:
+ field: _ingest._value.not
+ tag: convert_event_data_scope_tag_mail_hyperlink_not_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.not
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.scope_tag_mail_hyperlink
+ tag: foreach_event_data_scope_tag_mail_hyperlink_rightBracket
+ if: ctx.json?.event?.data?.scope_tag_mail_hyperlink instanceof List
+ processor:
+ convert:
+ field: _ingest._value.rightBracket
+ tag: convert_event_data_scope_tag_mail_hyperlink_rightBracket_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.rightBracket
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.event.data.scope_tag_mail_hyperlink
+ tag: rename_event_data_scope_tag_mail_hyperlink
+ target_field: axonius.application.event.data.scope_tag_mail_hyperlink
+ ignore_missing: true
+ - rename:
+ field: json.event.data.sm_entity_type
+ tag: rename_event_data_sm_entity_type
+ target_field: axonius.application.event.data.sm_entity_type
+ ignore_missing: true
+ - rename:
+ field: json.event.data.source_application
+ tag: rename_event_data_source_application
+ target_field: axonius.application.event.data.source_application
+ ignore_missing: true
+ - rename:
+ field: json.event.data.tenant_number
+ tag: rename_event_data_tenant_number
+ target_field: axonius.application.event.data.tenant_number
+ ignore_missing: true
+ - rename:
+ field: json.event.data.type
+ tag: rename_event_data_type
+ target_field: axonius.application.event.data.type
+ ignore_missing: true
+ - rename:
+ field: json.event.data.urls
+ tag: rename_event_data_urls
+ target_field: axonius.application.event.data.urls
+ ignore_missing: true
+ - rename:
+ field: json.event.data.user_account.email
+ tag: rename_event_data_user_account_email
+ target_field: axonius.application.event.data.user_account.email
+ ignore_missing: true
+ - set:
+ field: user.email
+ tag: set_user_email_from_application_event_data_user_account_email
+ copy_from: axonius.application.event.data.user_account.email
+ ignore_empty_value: true
+ - dissect:
+ tag: dissect_user_email
+ if: ctx.user?.email != null && ctx.user.email.contains('@')
+ field: user.email
+ pattern: '%{}@%{user.domain}'
+ - append:
+ field: related.user
+ tag: append_application_event_data_user_account_email_into_related_user
+ value: '{{{axonius.application.event.data.user_account.email}}}'
+ allow_duplicates: false
+ if: ctx.axonius?.application?.event?.data?.user_account?.email != null
+ - rename:
+ field: json.event.data.user_account.remote_id
+ tag: rename_event_data_user_account_remote_id
+ target_field: axonius.application.event.data.user_account.remote_id
+ ignore_missing: true
+ - rename:
+ field: json.event.data.user_account.username
+ tag: rename_event_data_user_account_username
+ target_field: axonius.application.event.data.user_account.username
+ ignore_missing: true
+ - set:
+ field: user.name
+ tag: set_user_name_from_application_event_data_user_account_username
+ copy_from: axonius.application.event.data.user_account.username
+ ignore_empty_value: true
+ - append:
+ field: related.user
+ tag: append_application_event_data_user_account_username_into_related_user
+ value: '{{{axonius.application.event.data.user_account.username}}}'
+ allow_duplicates: false
+ if: ctx.axonius?.application?.event?.data?.user_account?.username != null
+ - convert:
+ field: json.event.data.user_count
+ tag: convert_event_data_user_count_to_long
+ target_field: axonius.application.event.data.user_count
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.user_count_link
+ tag: foreach_event_data_user_count_link_bracketWeight
+ if: ctx.json?.event?.data?.user_count_link instanceof List
+ processor:
+ convert:
+ field: _ingest._value.bracketWeight
+ tag: convert_event_data_user_count_link_bracketWeight_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.bracketWeight
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.user_count_link
+ tag: foreach_event_data_user_count_link_leftBracket
+ if: ctx.json?.event?.data?.user_count_link instanceof List
+ processor:
+ convert:
+ field: _ingest._value.leftBracket
+ tag: convert_event_data_user_count_link_leftBracket_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.leftBracket
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.user_count_link
+ tag: foreach_event_data_user_count_link_not
+ if: ctx.json?.event?.data?.user_count_link instanceof List
+ processor:
+ convert:
+ field: _ingest._value.not
+ tag: convert_event_data_user_count_link_not_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.not
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.user_count_link
+ tag: foreach_event_data_user_count_link_rightBracket
+ if: ctx.json?.event?.data?.user_count_link instanceof List
+ processor:
+ convert:
+ field: _ingest._value.rightBracket
+ tag: convert_event_data_user_count_link_rightBracket_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.rightBracket
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.user_count_link
+ tag: foreach_event_data_user_count_link_value
+ if: ctx.json?.event?.data?.user_count_link instanceof List
+ processor:
+ append:
+ field: related.user
+ tag: append_event_data_user_count_link_value_into_related_user
+ value: '{{{_ingest._value.value}}}'
+ allow_duplicates: false
+ - rename:
+ field: json.event.data.user_count_link
+ tag: rename_event_data_user_count_link
+ target_field: axonius.application.event.data.user_count_link
+ ignore_missing: true
+ - rename:
+ field: json.event.data.username_formats
+ tag: rename_event_data_username_formats
+ target_field: axonius.application.event.data.username_formats
+ ignore_missing: true
+ - convert:
+ field: json.event.data.users_amount
+ tag: convert_event_data_users_amount_to_long
+ target_field: axonius.application.event.data.users_amount
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.event.data.vendor_category
+ tag: rename_event_data_vendor_category
+ target_field: axonius.application.event.data.vendor_category
+ ignore_missing: true
+ - rename:
+ field: json.event.entity
+ tag: rename_event_entity
+ target_field: axonius.application.event.entity
+ ignore_missing: true
+ - convert:
+ field: json.event.hidden_for_gui
+ tag: convert_event_hidden_for_gui_to_boolean
+ target_field: axonius.application.event.hidden_for_gui
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.event.initial_plugin_unique_name
+ tag: rename_event_initial_plugin_unique_name
+ target_field: axonius.application.event.initial_plugin_unique_name
+ ignore_missing: true
+ - rename:
+ field: json.event.name
+ tag: rename_event_name
+ target_field: axonius.application.event.name
+ ignore_missing: true
+ - rename:
+ field: json.event.plugin_name
+ tag: rename_event_plugin_name
+ target_field: axonius.application.event.plugin_name
+ ignore_missing: true
+ - rename:
+ field: json.event.plugin_type
+ tag: rename_event_plugin_type
+ target_field: axonius.application.event.plugin_type
+ ignore_missing: true
+ - rename:
+ field: json.event.plugin_unique_name
+ tag: rename_event_plugin_unique_name
+ target_field: axonius.application.event.plugin_unique_name
+ ignore_missing: true
+ - rename:
+ field: json.event.quick_id
+ tag: rename_event_quick_id
+ target_field: axonius.application.event.quick_id
+ ignore_missing: true
+ - rename:
+ field: json.event.type
+ tag: rename_event_type
+ target_field: axonius.application.event.type
+ ignore_missing: true
+ - rename:
+ field: json.internal_axon_id
+ tag: rename_internal_axon_id
+ target_field: axonius.application.internal_axon_id
+ ignore_missing: true
+ - rename:
+ field: json.labels
+ tag: rename_labels
+ target_field: axonius.application.labels
+ ignore_missing: true
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_application_settings" }}'
+ tag: pipeline_application_settings
+ if: >-
+ ctx.axonius?.application?.asset_type.contains('application_settings')
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_audit_activities" }}'
+ tag: pipeline_audit_activities
+ if: >-
+ ctx.axonius?.application?.asset_type.contains('audit_activities')
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_business_applications" }}'
+ tag: pipeline_business_applications
+ if: >-
+ ctx.axonius?.application?.asset_type.contains('business_applications')
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_expenses" }}'
+ tag: pipeline_expenses
+ if: >-
+ ctx.axonius?.application?.asset_type.contains('expenses')
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_licenses" }}'
+ tag: pipeline_licenses
+ if: >-
+ ctx.axonius?.application?.asset_type.contains('licenses')
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_saas_applications" }}'
+ tag: pipeline_saas_applications
+ if: >-
+ ctx.axonius?.application?.asset_type.contains('saas_applications')
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_software" }}'
+ tag: pipeline_software
+ if: >-
+ ctx.axonius?.application?.asset_type.contains('software')
+ - foreach:
+ field: axonius.application.event.data.configuration_values
+ tag: foreach_axonius_application_event_data_configuration_values_/
+ if: ctx.axonius?.application?.event?.data?.configuration_values instanceof List
+ processor:
+ remove:
+ field:
+ - _ingest._value.configuration_value
+ - _ingest._value.role.remote_id
+ tag: remove_custom_duplicate_fields_from_axonius_application_event_data_configuration_values
+ ignore_missing: true
+ if: ctx.tags == null || !ctx.tags.contains('preserve_duplicate_custom_fields')
+ - remove:
+ field:
+ - axonius.application.event.accurate_for_datetime
+ - axonius.application.event.action_if_exists
+ - axonius.application.event.data.created
+ - axonius.application.event.data.user_account.email
+ - axonius.application.event.data.user_account.username
+ - axonius.application.event.data.raw_setting_name
+ - axonius.application.event.data.recommendation_description
+ - axonius.application.event.data.setting_description
+ - axonius.application.event.data.vendor_setting._id
+ - axonius.application.event.data.vendor_setting.level
+ - axonius.application.event.data.vendor_setting.link
+ - axonius.application.event.data.vendor_setting.raw_setting_name
+ - axonius.application.event.data.vendor_setting.recommendation_reason
+ - axonius.application.event.data.application_type
+ - axonius.application.event.data.related_user.remote_id
+ - axonius.application.event.data.related_user.username
+ - axonius.application.event.data.transaction_time
+ - axonius.application.event.data.user_email
+ - axonius.application.event.data.start_date
+ - axonius.application.event.data.description
+ - axonius.application.event.data.action.name
+ - axonius.application.event.data.actor.username
+ - axonius.application.event.data.actor_state.location.country
+ tag: remove_custom_duplicate_fields
+ ignore_missing: true
+ if: ctx.tags == null || !ctx.tags.contains('preserve_duplicate_custom_fields')
+ - remove:
+ field: json
+ tag: remove_json
+ ignore_missing: true
+ - script:
+ tag: script_to_drop_null_values
+ lang: painless
+ description: This script processor iterates over the whole document to remove fields with null values.
+ source: |-
+ void handleMap(Map map) {
+ map.values().removeIf(v -> {
+ if (v instanceof Map) {
+ handleMap(v);
+ } else if (v instanceof List) {
+ handleList(v);
+ }
+ return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)
+ });
+ }
+ void handleList(List list) {
+ list.removeIf(v -> {
+ if (v instanceof Map) {
+ handleMap(v);
+ } else if (v instanceof List) {
+ handleList(v);
+ }
+ return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)
+ });
+ }
+ handleMap(ctx);
+ - set:
+ field: event.kind
+ tag: set_pipeline_error_into_event_kind
+ value: pipeline_error
+ if: ctx.error?.message != null
+ - append:
+ field: tags
+ value: preserve_original_event
+ allow_duplicates: false
+ if: ctx.error?.message != null
+on_failure:
+ - append:
+ field: error.message
+ value: |-
+ Processor '{{{ _ingest.on_failure_processor_type }}}'
+ {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
+ {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}'
+ - set:
+ field: event.kind
+ tag: set_pipeline_error_to_event_kind
+ value: pipeline_error
+ - append:
+ field: tags
+ value: preserve_original_event
+ allow_duplicates: false
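Review bot: The seven `pipeline` routing conditions near the end of this file use `?.` on `axonius` and `application` but then call `.contains(...)` on `asset_type` with no null check. A document without `asset_type` will therefore raise a null pointer error inside the condition and fall through to the top-level `on_failure` as a `pipeline_error`, rather than simply skipping the sub-pipelines. Consider guarding each one, for example `ctx.axonius?.application?.asset_type != null && ctx.axonius.application.asset_type.contains('software')`. If `asset_type` is a string rather than a list, `contains` is a substring match, so an equality check would route more strictly. Separately, the tag `foreach_axonius_application_event_data_configuration_values_/` ends in a stray `/`, which looks like a typo and would appear in any error message that reports the processor tag.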
diff --git a/packages/axonius/data_stream/application/elasticsearch/ingest_pipeline/pipeline_application_settings.yml b/packages/axonius/data_stream/application/elasticsearch/ingest_pipeline/pipeline_application_settings.yml
new file mode 100644
index 00000000000..51817dfc2f3
--- /dev/null
+++ b/packages/axonius/data_stream/application/elasticsearch/ingest_pipeline/pipeline_application_settings.yml
@@ -0,0 +1,321 @@
+---
+description: Pipeline for processing application settings logs.
+processors:
+ - foreach:
+ field: json.event.data.configuration_values
+ tag: foreach_event_data_configuration_values_configuration_value
+ if: ctx.json?.event?.data?.configuration_values instanceof List
+ processor:
+ append:
+ field: rule.description
+ tag: append_event_data_configuration_values_configuration_value_into_rule_description
+ value: '{{{_ingest._value.configuration_value}}}'
+ allow_duplicates: false
+ - foreach:
+ field: json.event.data.configuration_values
+ tag: foreach_event_data_configuration_values_is_valid
+ if: ctx.json?.event?.data?.configuration_values instanceof List
+ processor:
+ convert:
+ field: _ingest._value.is_valid
+ tag: convert_event_data_configuration_values_is_valid_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.is_valid
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.configuration_values
+ tag: foreach_event_data_configuration_values_role_remote_id
+ if: ctx.json?.event?.data?.configuration_values instanceof List
+ processor:
+ append:
+ field: rule.id
+ tag: append_event_data_configuration_values_role_remote_id_into_rule_id
+ value: '{{{_ingest._value.role.remote_id}}}'
+ allow_duplicates: false
+ - rename:
+ field: json.event.data.configuration_values
+ tag: rename_event_data_configuration_values
+ target_field: axonius.application.event.data.configuration_values
+ ignore_missing: true
+ - rename:
+ field: json.event.data.impact
+ tag: rename_event_data_impact
+ target_field: axonius.application.event.data.impact
+ ignore_missing: true
+ - convert:
+ field: json.event.data.is_excluded
+ tag: convert_event_data_is_excluded_to_boolean
+ target_field: axonius.application.event.data.is_excluded
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.event.data.level
+ tag: rename_event_data_level
+ target_field: axonius.application.event.data.level
+ ignore_missing: true
+ - rename:
+ field: json.event.data.link
+ tag: rename_event_data_link
+ target_field: axonius.application.event.data.link
+ ignore_missing: true
+ - rename:
+ field: json.event.data.link_path
+ tag: rename_event_data_link_path
+ target_field: axonius.application.event.data.link_path
+ ignore_missing: true
+ - rename:
+ field: json.event.data.product_name
+ tag: rename_event_data_product_name
+ target_field: axonius.application.event.data.product_name
+ ignore_missing: true
+ - rename:
+ field: json.event.data.raw_setting_name
+ tag: rename_event_data_raw_setting_name
+ target_field: axonius.application.event.data.raw_setting_name
+ ignore_missing: true
+ - append:
+ field: rule.name
+ tag: append_axonius_application_event_data_raw_setting_name_into_rule_name
+ value: '{{{axonius.application.event.data.raw_setting_name}}}'
+ allow_duplicates: false
+ if: ctx.axonius?.application?.event?.data?.raw_setting_name != null
+ - rename:
+ field: json.event.data.raw_setting_value
+ tag: rename_event_data_raw_setting_value
+ target_field: axonius.application.event.data.raw_setting_value
+ ignore_missing: true
+ - rename:
+ field: json.event.data.recommendation
+ tag: rename_event_data_recommendation
+ target_field: axonius.application.event.data.recommendation
+ ignore_missing: true
+ - rename:
+ field: json.event.data.recommendation_description
+ tag: rename_event_data_recommendation_description
+ target_field: axonius.application.event.data.recommendation_description
+ ignore_missing: true
+ - append:
+ field: rule.description
+ tag: append_axonius_application_event_data_recommendation_description_into_rule_description
+ value: '{{{axonius.application.event.data.recommendation_description}}}'
+ allow_duplicates: false
+ if: ctx.axonius?.application?.event?.data?.recommendation_description != null
+ - rename:
+ field: json.event.data.role.display_name
+ tag: rename_event_data_role_display_name
+ target_field: axonius.application.event.data.role.display_name
+ ignore_missing: true
+ - rename:
+ field: json.event.data.role.remote_id
+ tag: rename_event_data_role_remote_id
+ target_field: axonius.application.event.data.role.remote_id
+ ignore_missing: true
+ - rename:
+ field: json.event.data.setting_description
+ tag: rename_event_data_setting_description
+ target_field: axonius.application.event.data.setting_description
+ ignore_missing: true
+ - append:
+ field: message
+ tag: append_axonius_application_event_data_setting_description_into_message
+ value: '{{{axonius.application.event.data.setting_description}}}'
+ allow_duplicates: false
+ if: ctx.axonius?.application?.event?.data?.setting_description != null
+ - rename:
+ field: json.event.data.setting_name
+ tag: rename_event_data_setting_name
+ target_field: axonius.application.event.data.setting_name
+ ignore_missing: true
+ - rename:
+ field: json.event.data.setting_type
+ tag: rename_event_data_setting_type
+ target_field: axonius.application.event.data.setting_type
+ ignore_missing: true
+ - convert:
+ field: json.event.data.settings_score
+ tag: convert_event_data_settings_score_to_double
+ target_field: axonius.application.event.data.settings_score
+ type: double
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.event.data.settings_status
+ tag: rename_event_data_settings_status
+ target_field: axonius.application.event.data.settings_status
+ ignore_missing: true
+ - rename:
+ field: json.event.data.standards
+ tag: rename_event_data_standards
+ target_field: axonius.application.event.data.standards
+ ignore_missing: true
+ - rename:
+ field: json.event.data.vendor_documentation
+ tag: rename_event_data_vendor_documentation
+ target_field: axonius.application.event.data.vendor_documentation
+ ignore_missing: true
+ - rename:
+ field: json.event.data.vendor_setting._id
+ tag: rename_event_data_vendor_setting__id
+ target_field: axonius.application.event.data.vendor_setting._id
+ ignore_missing: true
+ - append:
+ field: rule.id
+ tag: append_axonius_application_event_data_vendor_setting__id_into_rule_id
+ value: '{{{axonius.application.event.data.vendor_setting._id}}}'
+ allow_duplicates: false
+ if: ctx.axonius?.application?.event?.data?.vendor_setting?._id != null
+ - rename:
+ field: json.event.data.vendor_setting.documentation_link
+ tag: rename_event_data_vendor_setting_documentation_link
+ target_field: axonius.application.event.data.vendor_setting.documentation_link
+ ignore_missing: true
+ - rename:
+ field: json.event.data.vendor_setting.exceptions
+ tag: rename_event_data_vendor_setting_exceptions
+ target_field: axonius.application.event.data.vendor_setting.exceptions
+ ignore_missing: true
+ - convert:
+ field: json.event.data.vendor_setting.is_relevant
+ tag: convert_event_data_vendor_setting_is_relevant_to_boolean
+ target_field: axonius.application.event.data.vendor_setting.is_relevant
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.event.data.vendor_setting.lambda_name
+ tag: rename_event_data_vendor_setting_lambda_name
+ target_field: axonius.application.event.data.vendor_setting.lambda_name
+ ignore_missing: true
+ - rename:
+ field: json.event.data.vendor_setting.lambda_variable
+ tag: rename_event_data_vendor_setting_lambda_variable
+ target_field: axonius.application.event.data.vendor_setting.lambda_variable
+ ignore_missing: true
+ - rename:
+ field: json.event.data.vendor_setting.level
+ tag: rename_event_data_vendor_setting_level
+ target_field: axonius.application.event.data.vendor_setting.level
+ ignore_missing: true
+ - set:
+ field: rule.ruleset
+ tag: set_rule_ruleset_from_application_event_data_vendor_setting_level
+ copy_from: axonius.application.event.data.vendor_setting.level
+ ignore_empty_value: true
+ - rename:
+ field: json.event.data.vendor_setting.link
+ tag: rename_event_data_vendor_setting_link
+ target_field: axonius.application.event.data.vendor_setting.link
+ ignore_missing: true
+ - set:
+ field: rule.reference
+ tag: set_rule_reference_from_application_event_data_vendor_setting_link
+ copy_from: axonius.application.event.data.vendor_setting.link
+ ignore_empty_value: true
+ - rename:
+ field: json.event.data.vendor_setting.link_path
+ tag: rename_event_data_vendor_setting_link_path
+ target_field: axonius.application.event.data.vendor_setting.link_path
+ ignore_missing: true
+ - rename:
+ field: json.event.data.vendor_setting.product
+ tag: rename_event_data_vendor_setting_product
+ target_field: axonius.application.event.data.vendor_setting.product
+ ignore_missing: true
+ - rename:
+ field: json.event.data.vendor_setting.raw_setting_name
+ tag: rename_event_data_vendor_setting_raw_setting_name
+ target_field: axonius.application.event.data.vendor_setting.raw_setting_name
+ ignore_missing: true
+ - append:
+ field: rule.name
+ tag: append_axonius_application_event_data_vendor_setting_raw_setting_name_into_rule_name
+ value: '{{{axonius.application.event.data.vendor_setting.raw_setting_name}}}'
+ allow_duplicates: false
+ if: ctx.axonius?.application?.event?.data?.vendor_setting?.raw_setting_name != null
+ - rename:
+ field: json.event.data.vendor_setting.raw_setting_value_type
+ tag: rename_event_data_vendor_setting_raw_setting_value_type
+ target_field: axonius.application.event.data.vendor_setting.raw_setting_value_type
+ ignore_missing: true
+ - rename:
+ field: json.event.data.vendor_setting.raw_validation_rule
+ tag: rename_event_data_vendor_setting_raw_validation_rule
+ target_field: axonius.application.event.data.vendor_setting.raw_validation_rule
+ ignore_missing: true
+ - rename:
+ field: json.event.data.vendor_setting.recommendation_reason
+ tag: rename_event_data_vendor_setting_recommendation_reason
+ target_field: axonius.application.event.data.vendor_setting.recommendation_reason
+ ignore_missing: true
+ - append:
+ field: rule.description
+ tag: append_axonius_application_event_data_vendor_setting_recommendation_reason_into_rule_description
+ value: '{{{axonius.application.event.data.vendor_setting.recommendation_reason}}}'
+ allow_duplicates: false
+ if: ctx.axonius?.application?.event?.data?.vendor_setting?.recommendation_reason != null
+ - rename:
+ field: json.event.data.vendor_setting.scope
+ tag: rename_event_data_vendor_setting_scope
+ target_field: axonius.application.event.data.vendor_setting.scope
+ ignore_missing: true
+ - rename:
+ field: json.event.data.vendor_setting.setting_description
+ tag: rename_event_data_vendor_setting_setting_description
+ target_field: axonius.application.event.data.vendor_setting.setting_description
+ ignore_missing: true
+ - rename:
+ field: json.event.data.vendor_setting.xsetting._id
+ tag: rename_event_data_vendor_setting_xsetting__id
+ target_field: axonius.application.event.data.vendor_setting.xsetting._id
+ ignore_missing: true
+ - convert:
+ field: json.event.data.vendor_setting.xsetting.impact
+ tag: convert_event_data_vendor_setting_xsetting_impact_to_long
+ target_field: axonius.application.event.data.vendor_setting.xsetting.impact
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.event.data.vendor_setting.xsetting.setting_type.name
+ tag: rename_event_data_vendor_setting_xsetting_setting_type_name
+ target_field: axonius.application.event.data.vendor_setting.xsetting.setting_type.name
+ ignore_missing: true
+ - rename:
+ field: json.event.data.vendor_setting.xsetting.xsetting_name
+ tag: rename_event_data_vendor_setting_xsetting_xsetting_name
+ target_field: axonius.application.event.data.vendor_setting.xsetting.xsetting_name
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: |-
+ Processor '{{{ _ingest.on_failure_processor_type }}}'
+ {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
+ {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}'
+ - set:
+ field: event.kind
+ tag: set_pipeline_error_to_event_kind
+ value: pipeline_error
+ - append:
+ field: tags
+ value: preserve_original_event
+ allow_duplicates: false
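Review bot: The two `foreach` appends at the top of the pipeline (`rule.description` from `_ingest._value.configuration_value`, `rule.id` from `_ingest._value.role.remote_id`) have no presence guard, while every top-level `append` further down carries an `if: ... != null`. An element of `configuration_values` that lacks the key renders the template to an empty string, which can then end up in `rule.description` or `rule.id`. Guard the inner processor on the element's field being present, or drop empty entries afterwards. Separately, the `append` on `message` from `setting_description` turns `message` into an array; `set` with `copy_from`, as already used for `rule.ruleset` and `rule.reference`, would keep it a single string.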
diff --git a/packages/axonius/data_stream/application/elasticsearch/ingest_pipeline/pipeline_audit_activities.yml b/packages/axonius/data_stream/application/elasticsearch/ingest_pipeline/pipeline_audit_activities.yml
new file mode 100644
index 00000000000..bebd8cfbdb8
--- /dev/null
+++ b/packages/axonius/data_stream/application/elasticsearch/ingest_pipeline/pipeline_audit_activities.yml
@@ -0,0 +1,139 @@
+---
+description: Pipeline for processing audit activities logs.
+processors:
+ - rename:
+ field: json.event.data.action.name
+ tag: rename_event_data_action_name
+ target_field: axonius.application.event.data.action.name
+ ignore_missing: true
+ - set:
+ field: event.action
+ tag: set_event_action_from_application_event_data_action_name
+ copy_from: axonius.application.event.data.action.name
+ ignore_empty_value: true
+ - lowercase:
+ field: event.action
+ tag: lowercase_event_action
+ ignore_missing: true
+ - split:
+ field: event.action
+ tag: split_event_action
+ separator: \s+
+ ignore_missing: true
+ if: ctx.event?.action != ''
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - join:
+ field: event.action
+ tag: join_event_action
+ separator: '-'
+ if: ctx.event?.action != ''
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: json.event.data.action.timestamp
+ tag: date_event_data_action_timestamp
+ target_field: axonius.application.event.data.action.timestamp
+ formats:
+ - EEE, dd MMM yyyy HH:mm:ss 'GMT'
+ - yyyy-MM-dd
+ - EEE,dd MMM yyyy HH:mm:ss 'GMT'
+ if: ctx.json?.event?.data?.action?.timestamp != null && ctx.json.event.data.action.timestamp != ''
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.event.data.action.type
+ tag: rename_event_data_action_type
+ target_field: axonius.application.event.data.action.type
+ ignore_missing: true
+ - rename:
+ field: json.event.data.actor.username
+ tag: rename_event_data_actor_username
+ target_field: axonius.application.event.data.actor.username
+ ignore_missing: true
+ - set:
+ field: user.name
+ tag: set_user_name_from_application_event_data_actor_username
+ copy_from: axonius.application.event.data.actor.username
+ ignore_empty_value: true
+ - append:
+ field: related.user
+ tag: append_application_event_data_actor_username_into_related_user
+ value: '{{{axonius.application.event.data.actor.username}}}'
+ allow_duplicates: false
+ if: ctx.axonius?.application?.event?.data?.actor?.username != null
+ - rename:
+ field: json.event.data.actor_state.location.country
+ tag: rename_event_data_actor_state_location_country
+ target_field: axonius.application.event.data.actor_state.location.country
+ ignore_missing: true
+ - set:
+ field: host.geo.country_name
+ tag: set_host_geo_country_name_from_application_event_data_actor_state_location_country
+ copy_from: axonius.application.event.data.actor_state.location.country
+ ignore_empty_value: true
+ - convert:
+ field: json.event.data.actor_state.location.remote_ip
+ tag: convert_event_data_actor_state_location_remote_ip_to_ip
+ target_field: axonius.application.event.data.actor_state.location.remote_ip
+ type: ip
+ ignore_missing: true
+ if: ctx.json?.event?.data?.actor_state?.location?.remote_ip != ''
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - append:
+ field: related.ip
+ tag: append_application_event_data_actor_state_location_remote_ip_into_related_ip
+ value: '{{{axonius.application.event.data.actor_state.location.remote_ip}}}'
+ allow_duplicates: false
+ if: ctx.axonius?.application?.event?.data?.actor_state?.location?.remote_ip != null
+ - convert:
+ field: json.event.data.actor_state.remote_ip
+ tag: convert_event_data_actor_state_remote_ip_to_ip
+ target_field: axonius.application.event.data.actor_state.remote_ip
+ type: ip
+ ignore_missing: true
+ if: ctx.json?.event?.data?.actor_state?.remote_ip != ''
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - append:
+ field: related.ip
+ tag: append_application_event_data_actor_state_remote_ip_into_related_ip
+ value: '{{{axonius.application.event.data.actor_state.remote_ip}}}'
+ allow_duplicates: false
+ if: ctx.axonius?.application?.event?.data?.actor_state?.remote_ip != null
+ - convert:
+ field: json.event.data.custom_properties.is_identity
+ tag: convert_event_data_custom_properties_is_identity_to_boolean
+ target_field: axonius.application.event.data.custom_properties.is_identity
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+on_failure:
+ - append:
+ field: error.message
+ value: |-
+ Processor '{{{ _ingest.on_failure_processor_type }}}'
+ {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
+ {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}'
+ - set:
+ field: event.kind
+ tag: set_pipeline_error_to_event_kind
+ value: pipeline_error
+ - append:
+ field: tags
+ value: preserve_original_event
+ allow_duplicates: false
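Review bot: The `join` on `event.action` looks like it will fail for any event without `action.name`. Its condition `ctx.event?.action != ''` is true when the field is null, and unlike the preceding `split` it has no `ignore_missing`, so its failure handler adds an `error.message` entry to an otherwise clean document. Condition both processors on the actual type, for example `if: ctx.event?.action instanceof String` for `split` and `if: ctx.event?.action instanceof List` for `join`, or replace the pair with a single `gsub` of `\s+` to `-`. Also worth a look: the actor's country is copied to `host.geo.country_name` and the two `remote_ip` values only reach `related.ip`. If these describe the client that performed the action, `source.geo.country_name` and `source.ip` look like the closer ECS fit.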
diff --git a/packages/axonius/data_stream/application/elasticsearch/ingest_pipeline/pipeline_business_applications.yml b/packages/axonius/data_stream/application/elasticsearch/ingest_pipeline/pipeline_business_applications.yml
new file mode 100644
index 00000000000..b08e439df9e
--- /dev/null
+++ b/packages/axonius/data_stream/application/elasticsearch/ingest_pipeline/pipeline_business_applications.yml
@@ -0,0 +1,194 @@
+---
+description: Pipeline for processing business applications logs.
+processors:
+ - rename:
+ field: json.event.data.application_type
+ tag: rename_event_data_application_type
+ target_field: axonius.application.event.data.application_type
+ ignore_missing: true
+ - set:
+ field: service.type
+ tag: set_service_type_from_application_event_data_application_type
+ copy_from: axonius.application.event.data.application_type
+ ignore_empty_value: true
+ - rename:
+ field: json.event.data.business_criticality
+ tag: rename_event_data_business_criticality
+ target_field: axonius.application.event.data.business_criticality
+ ignore_missing: true
+ - rename:
+ field: json.event.data.business_owner
+ tag: rename_event_data_business_owner
+ target_field: axonius.application.event.data.business_owner
+ ignore_missing: true
+ - append:
+ field: related.user
+ tag: append_application_event_data_business_owner_into_related_user
+ value: '{{{axonius.application.event.data.business_owner}}}'
+ allow_duplicates: false
+ if: ctx.axonius?.application?.event?.data?.business_owner != null
+ - convert:
+ field: json.event.data.devices_count
+ tag: convert_event_data_devices_count_to_long
+ target_field: axonius.application.event.data.devices_count
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.devices_count_link
+ tag: foreach_event_data_devices_count_link_bracketWeight
+ if: ctx.json?.event?.data?.devices_count_link instanceof List
+ processor:
+ convert:
+ field: _ingest._value.bracketWeight
+ tag: convert_event_data_devices_count_link_bracketWeight_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.bracketWeight
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.devices_count_link
+ tag: foreach_event_data_devices_count_link_compOp
+ if: ctx.json?.event?.data?.devices_count_link instanceof List
+ processor:
+ rename:
+ field: _ingest._value.compOp
+ tag: rename_event_data_devices_count_link_compOp
+ target_field: _ingest._value.comp_op
+ ignore_missing: true
+ - foreach:
+ field: json.event.data.devices_count_link
+ tag: foreach_event_data_devices_count_link_leftBracket
+ if: ctx.json?.event?.data?.devices_count_link instanceof List
+ processor:
+ convert:
+ field: _ingest._value.leftBracket
+ tag: convert_event_data_devices_count_link_leftBracket_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.leftBracket
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.devices_count_link
+ tag: foreach_event_data_devices_count_link_logicOp
+ if: ctx.json?.event?.data?.devices_count_link instanceof List
+ processor:
+ rename:
+ field: _ingest._value.logicOp
+ tag: rename_event_data_devices_count_link_logicOp
+ target_field: _ingest._value.logic_op
+ ignore_missing: true
+ - foreach:
+ field: json.event.data.devices_count_link
+ tag: foreach_event_data_devices_count_link_not
+ if: ctx.json?.event?.data?.devices_count_link instanceof List
+ processor:
+ convert:
+ field: _ingest._value.not
+ tag: convert_event_data_devices_count_link_not_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.not
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.devices_count_link
+ tag: foreach_event_data_devices_count_link_rightBracket
+ if: ctx.json?.event?.data?.devices_count_link instanceof List
+ processor:
+ convert:
+ field: _ingest._value.rightBracket
+ tag: convert_event_data_devices_count_link_rightBracket_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.rightBracket
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.event.data.devices_count_link
+ tag: rename_event_data_devices_count_link
+ target_field: axonius.application.event.data.devices_count_link
+ ignore_missing: true
+ - rename:
+ field: json.event.data.install_status
+ tag: rename_event_data_install_status
+ target_field: axonius.application.event.data.install_status
+ ignore_missing: true
+ - rename:
+ field: json.event.data.it_application_owner
+ tag: rename_event_data_it_application_owner
+ target_field: axonius.application.event.data.it_application_owner
+ ignore_missing: true
+ - append:
+ field: related.user
+ tag: append_application_event_data_it_application_owner_into_related_user
+ value: '{{{axonius.application.event.data.it_application_owner}}}'
+ allow_duplicates: false
+ if: ctx.axonius?.application?.event?.data?.it_application_owner != null
+ - rename:
+ field: json.event.data.managed_by
+ tag: rename_event_data_managed_by
+ target_field: axonius.application.event.data.managed_by
+ ignore_missing: true
+ - append:
+ field: related.user
+ tag: append_application_event_data_managed_by_into_related_user
+ value: '{{{axonius.application.event.data.managed_by}}}'
+ allow_duplicates: false
+ if: ctx.axonius?.application?.event?.data?.managed_by != null
+ - rename:
+ field: json.event.data.number
+ tag: rename_event_data_number
+ target_field: axonius.application.event.data.number
+ ignore_missing: true
+ - rename:
+ field: json.event.data.operational_status
+ tag: rename_event_data_operational_status
+ target_field: axonius.application.event.data.operational_status
+ ignore_missing: true
+ - rename:
+ field: json.event.data.remote_id
+ tag: rename_event_data_remote_id
+ target_field: axonius.application.event.data.remote_id
+ ignore_missing: true
+ - rename:
+ field: json.event.data.short_description
+ tag: rename_event_data_short_description
+ target_field: axonius.application.event.data.short_description
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: |-
+ Processor '{{{ _ingest.on_failure_processor_type }}}'
+ {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
+ {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}'
+ - set:
+ field: event.kind
+ tag: set_pipeline_error_to_event_kind
+ value: pipeline_error
+ - append:
+ field: tags
+ value: preserve_original_event
+ allow_duplicates: false
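Review bot: Field naming inside `devices_count_link` ends up mixed. The `foreach` blocks rename `compOp` and `logicOp` to `comp_op` and `logic_op`, but `bracketWeight`, `leftBracket` and `rightBracket` are converted in place and keep their camelCase names when the array is moved to `axonius.application.event.data.devices_count_link`. Either rename all five to snake_case or leave all of them as delivered, and make sure the field definitions match whichever is chosen. The six separate `foreach` passes over the same array each repeat the same `instanceof List` condition; a short comment explaining why they are not combined would help the next reader.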
diff --git a/packages/axonius/data_stream/application/elasticsearch/ingest_pipeline/pipeline_expenses.yml b/packages/axonius/data_stream/application/elasticsearch/ingest_pipeline/pipeline_expenses.yml
new file mode 100644
index 00000000000..6cbfe4a9ccd
--- /dev/null
+++ b/packages/axonius/data_stream/application/elasticsearch/ingest_pipeline/pipeline_expenses.yml
@@ -0,0 +1,115 @@
+---
+description: Pipeline for processing expenses logs.
+processors:
+ - convert:
+ field: json.event.data.amount
+ tag: convert_event_data_amount_to_long
+ target_field: axonius.application.event.data.amount
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.event.data.related_user.email
+ tag: rename_event_data_related_user_email
+ target_field: axonius.application.event.data.related_user.email
+ ignore_missing: true
+ - append:
+ field: related.user
+ tag: append_application_event_data_related_user_email_into_related_user
+ value: '{{{axonius.application.event.data.related_user.email}}}'
+ allow_duplicates: false
+ if: ctx.axonius?.application?.event?.data?.related_user?.email != null
+ - rename:
+ field: json.event.data.related_user.full_name
+ tag: rename_event_data_related_user_full_name
+ target_field: axonius.application.event.data.related_user.full_name
+ ignore_missing: true
+ - rename:
+ field: json.event.data.related_user.remote_id
+ tag: rename_event_data_related_user_remote_id
+ target_field: axonius.application.event.data.related_user.remote_id
+ ignore_missing: true
+ - set:
+ field: user.id
+ tag: set_user_id_from_application_event_data_related_user_remote_id
+ copy_from: axonius.application.event.data.related_user.remote_id
+ ignore_empty_value: true
+ - append:
+ field: related.user
+ tag: append_application_event_data_related_user_remote_id_into_related_user
+ value: '{{{axonius.application.event.data.related_user.remote_id}}}'
+ allow_duplicates: false
+ if: ctx.axonius?.application?.event?.data?.related_user?.remote_id != null
+ - rename:
+ field: json.event.data.related_user.username
+ tag: rename_event_data_related_user_username
+ target_field: axonius.application.event.data.related_user.username
+ ignore_missing: true
+ - set:
+ field: user.name
+ tag: set_user_name_from_application_event_data_related_user_username
+ copy_from: axonius.application.event.data.related_user.username
+ ignore_empty_value: true
+ - append:
+ field: related.user
+ tag: append_application_event_data_related_user_username_into_related_user
+ value: '{{{axonius.application.event.data.related_user.username}}}'
+ allow_duplicates: false
+ if: ctx.axonius?.application?.event?.data?.related_user?.username != null
+ - date:
+ field: json.event.data.transaction_time
+ tag: date_event_data_transaction_time
+ target_field: axonius.application.event.data.transaction_time
+ formats:
+ - EEE, dd MMM yyyy HH:mm:ss 'GMT'
+ - yyyy-MM-dd
+ - EEE,dd MMM yyyy HH:mm:ss 'GMT'
+ if: ctx.json?.event?.data?.transaction_time != null && ctx.json.event.data.transaction_time != ''
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: event.start
+ tag: set_event_start_from_application_event_data_transaction_time
+ copy_from: axonius.application.event.data.transaction_time
+ ignore_empty_value: true
+ - rename:
+ field: json.event.data.user_email
+ tag: rename_event_data_user_email
+ target_field: axonius.application.event.data.user_email
+ ignore_missing: true
+ - set:
+ field: user.email
+ tag: set_user_email_from_application_event_data_user_email
+ copy_from: axonius.application.event.data.user_email
+ ignore_empty_value: true
+ - dissect:
+ tag: dissect_user_email
+ if: ctx.user?.email != null && ctx.user.email.contains('@')
+ field: user.email
+ pattern: '%{}@%{user.domain}'
+ - append:
+ field: related.user
+ tag: append_application_event_data_user_email_into_related_user
+ value: '{{{axonius.application.event.data.user_email}}}'
+ allow_duplicates: false
+ if: ctx.axonius?.application?.event?.data?.user_email != null
+on_failure:
+ - append:
+ field: error.message
+ value: |-
+ Processor '{{{ _ingest.on_failure_processor_type }}}'
+ {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
+ {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}'
+ - set:
+ field: event.kind
+ tag: set_pipeline_error_to_event_kind
+ value: pipeline_error
+ - append:
+ field: tags
+ value: preserve_original_event
+ allow_duplicates: false
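Review bot: `json.event.data.amount` is converted to `long` in the first processor, so an expense amount with a fractional part would fail conversion and be missing from `axonius.application.event.data.amount`, with only an `error.message` entry to show for it. The licenses pipeline in this same change converts `cost` to `double`; unless the API guarantees integer amounts, `double` seems the safer type here too. Minor: `user.id` and `user.name` are taken from `related_user.*` while `user.email` and `user.domain` come from `user_email`; a short comment on whether these always refer to the same person would help.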
diff --git a/packages/axonius/data_stream/application/elasticsearch/ingest_pipeline/pipeline_licenses.yml b/packages/axonius/data_stream/application/elasticsearch/ingest_pipeline/pipeline_licenses.yml
new file mode 100644
index 00000000000..7eee2088ea8
--- /dev/null
+++ b/packages/axonius/data_stream/application/elasticsearch/ingest_pipeline/pipeline_licenses.yml
@@ -0,0 +1,232 @@
+---
+description: Pipeline for processing license logs.
+processors:
+ - date:
+ field: json.event.data.actual_renewal_date
+ tag: date_event_data_actual_renewal_date
+ target_field: axonius.application.event.data.actual_renewal_date
+ formats:
+ - EEE, dd MMM yyyy HH:mm:ss 'GMT'
+ - yyyy-MM-dd
+ - EEE,dd MMM yyyy HH:mm:ss 'GMT'
+ if: ctx.json?.event?.data?.actual_renewal_date != null && ctx.json.event.data.actual_renewal_date != ''
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.associated_license_users
+ tag: foreach_event_data_associated_license_users_email
+ if: ctx.json?.event?.data?.associated_license_users instanceof List
+ processor:
+ append:
+ field: related.user
+ tag: append_event_data_associated_license_users_email_into_related_user
+ value: '{{{_ingest._value.email}}}'
+ allow_duplicates: false
+ - foreach:
+ field: json.event.data.associated_license_users
+ tag: foreach_event_data_associated_license_users_username
+ if: ctx.json?.event?.data?.associated_license_users instanceof List
+ processor:
+ append:
+ field: related.user
+ tag: append_event_data_associated_license_users_username_into_related_user
+ value: '{{{_ingest._value.username}}}'
+ allow_duplicates: false
+ - rename:
+ field: json.event.data.associated_license_users
+ tag: rename_event_data_associated_license_users
+ target_field: axonius.application.event.data.associated_license_users
+ ignore_missing: true
+ - foreach:
+ field: json.event.data.associated_users
+ tag: foreach_event_data_associated_users_username
+ if: ctx.json?.event?.data?.associated_users instanceof List
+ processor:
+ append:
+ field: related.user
+ tag: append_event_data_associated_users_username_into_related_user
+ value: '{{{_ingest._value.username}}}'
+ allow_duplicates: false
+ - rename:
+ field: json.event.data.associated_users
+ tag: rename_event_data_associated_users
+ target_field: axonius.application.event.data.associated_users
+ ignore_missing: true
+ - convert:
+ field: json.event.data.cost
+ tag: convert_event_data_cost_to_double
+ target_field: axonius.application.event.data.cost
+ type: double
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: json.event.data.end_date
+ tag: date_event_data_end_date
+ target_field: axonius.application.event.data.end_date
+ formats:
+ - EEE, dd MMM yyyy HH:mm:ss 'GMT'
+ - yyyy-MM-dd
+ - EEE,dd MMM yyyy HH:mm:ss 'GMT'
+ if: ctx.json?.event?.data?.end_date != null && ctx.json.event.data.end_date != ''
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.event.data.is_active_license
+ tag: convert_event_data_is_active_license_to_boolean
+ target_field: axonius.application.event.data.is_active_license
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.event.data.is_active_license_from_adapter
+ tag: convert_event_data_is_active_license_from_adapter_to_boolean
+ target_field: axonius.application.event.data.is_active_license_from_adapter
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.event.data.license_estimated_monthly_cost
+ tag: convert_event_data_license_estimated_monthly_cost_to_double
+ target_field: axonius.application.event.data.license_estimated_monthly_cost
+ type: double
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.event.data.license_estimated_yearly_cost
+ tag: convert_event_data_license_estimated_yearly_cost_to_double
+ target_field: axonius.application.event.data.license_estimated_yearly_cost
+ type: double
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.event.data.license_name
+ tag: rename_event_data_license_name
+ target_field: axonius.application.event.data.license_name
+ ignore_missing: true
+ - rename:
+ field: json.event.data.license_type
+ tag: rename_event_data_license_type
+ target_field: axonius.application.event.data.license_type
+ ignore_missing: true
+ - convert:
+ field: json.event.data.number_of_active_associated_users
+ tag: convert_event_data_number_of_active_associated_users_to_long
+ target_field: axonius.application.event.data.number_of_active_associated_users
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.event.data.number_of_associated_users
+ tag: convert_event_data_number_of_associated_users_to_long
+ target_field: axonius.application.event.data.number_of_associated_users
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.event.data.number_of_inactive_associated_users
+ tag: convert_event_data_number_of_inactive_associated_users_to_long
+ target_field: axonius.application.event.data.number_of_inactive_associated_users
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.event.data.possible_savings_of_inactive_associated_users
+ tag: convert_event_data_possible_savings_of_inactive_associated_users_to_double
+ target_field: axonius.application.event.data.possible_savings_of_inactive_associated_users
+ type: double
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.event.data.pricing_unit
+ tag: rename_event_data_pricing_unit
+ target_field: axonius.application.event.data.pricing_unit
+ ignore_missing: true
+ - convert:
+ field: json.event.data.quantity
+ tag: convert_event_data_quantity_to_long
+ target_field: axonius.application.event.data.quantity
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: json.event.data.start_date
+ tag: date_event_data_start_date
+ target_field: axonius.application.event.data.start_date
+ formats:
+ - EEE, dd MMM yyyy HH:mm:ss 'GMT'
+ - yyyy-MM-dd
+ - EEE,dd MMM yyyy HH:mm:ss 'GMT'
+ if: ctx.json?.event?.data?.start_date != null && ctx.json.event.data.start_date != ''
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: event.start
+ tag: set_event_start_from_application_event_data_start_date
+ copy_from: axonius.application.event.data.start_date
+ ignore_empty_value: true
+ - rename:
+ field: json.event.data.subscription_term
+ tag: rename_event_data_subscription_term
+ target_field: axonius.application.event.data.subscription_term
+ ignore_missing: true
+ - convert:
+ field: json.event.data.unit_price
+ tag: convert_event_data_unit_price_to_double
+ target_field: axonius.application.event.data.unit_price
+ type: double
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+on_failure:
+ - append:
+ field: error.message
+ value: |-
+ Processor '{{{ _ingest.on_failure_processor_type }}}'
+ {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
+ {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}'
+ - set:
+ field: event.kind
+ tag: set_pipeline_error_to_event_kind
+ value: pipeline_error
+ - append:
+ field: tags
+ value: preserve_original_event
+ allow_duplicates: false
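Review bot: The three `foreach` blocks that append `{{{_ingest._value.email}}}` and `{{{_ingest._value.username}}}` to `related.user` have no guard for list elements that lack the key or carry an empty value, and no `on_failure` of their own. For such an element the template renders as an empty string, which may end up as an empty entry in `related.user`, and any failure inside the loop falls through to the pipeline-level handler and marks the whole event as `pipeline_error`. Guard the inner `append` so that only non-empty values are added, and give the `foreach` the same `on_failure` append used by the `convert` and `date` processors. Separately, `start_date` is copied to `event.start` but the parsed `end_date` has no matching `event.end`; either map both or document why only the start is mapped.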
diff --git a/packages/axonius/data_stream/application/elasticsearch/ingest_pipeline/pipeline_saas_applications.yml b/packages/axonius/data_stream/application/elasticsearch/ingest_pipeline/pipeline_saas_applications.yml
new file mode 100644
index 00000000000..4d0e77dd46f
--- /dev/null
+++ b/packages/axonius/data_stream/application/elasticsearch/ingest_pipeline/pipeline_saas_applications.yml
@@ -0,0 +1,1192 @@
+---
+description: Pipeline for processing saas application logs.
+processors:
+ - rename:
+ field: json.event.data.account_name
+ tag: rename_event_data_account_name
+ target_field: axonius.application.event.data.account_name
+ ignore_missing: true
+ - convert:
+ field: json.event.data.active_licenses
+ tag: convert_event_data_active_licenses_to_long
+ target_field: axonius.application.event.data.active_licenses
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.active_licenses_link
+ tag: foreach_event_data_active_licenses_link_bracketWeight
+ if: ctx.json?.event?.data?.active_licenses_link instanceof List
+ processor:
+ convert:
+ field: _ingest._value.bracketWeight
+ tag: convert_event_data_active_licenses_link_bracketWeight_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.bracketWeight
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.active_licenses_link
+ tag: foreach_event_data_active_licenses_link_leftBracket
+ if: ctx.json?.event?.data?.active_licenses_link instanceof List
+ processor:
+ convert:
+ field: _ingest._value.leftBracket
+ tag: convert_event_data_active_licenses_link_leftBracket_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.leftBracket
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.active_licenses_link
+ tag: foreach_event_data_active_licenses_link_not
+ if: ctx.json?.event?.data?.active_licenses_link instanceof List
+ processor:
+ convert:
+ field: _ingest._value.not
+ tag: convert_event_data_active_licenses_link_not_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.not
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.active_licenses_link
+ tag: foreach_event_data_active_licenses_link_rightBracket
+ if: ctx.json?.event?.data?.active_licenses_link instanceof List
+ processor:
+ convert:
+ field: _ingest._value.rightBracket
+ tag: convert_event_data_active_licenses_link_rightBracket_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.rightBracket
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.event.data.active_licenses_link
+ tag: rename_event_data_active_licenses_link
+ target_field: axonius.application.event.data.active_licenses_link
+ ignore_missing: true
+ - convert:
+ field: json.event.data.active_users
+ tag: convert_event_data_active_users_to_long
+ target_field: axonius.application.event.data.active_users
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.event.data.active_users_saved_query_id
+ tag: rename_event_data_active_users_saved_query_id
+ target_field: axonius.application.event.data.active_users_saved_query_id
+ ignore_missing: true
+ - convert:
+ field: json.event.data.admin_non_operational_users
+ tag: convert_event_data_admin_non_operational_users_to_long
+ target_field: axonius.application.event.data.admin_non_operational_users
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.event.data.admin_non_operational_users_saved_query_id
+ tag: rename_event_data_admin_non_operational_users_saved_query_id
+ target_field: axonius.application.event.data.admin_non_operational_users_saved_query_id
+ ignore_missing: true
+ - convert:
+ field: json.event.data.admin_operational_active_users
+ tag: convert_event_data_admin_operational_active_users_to_long
+ target_field: axonius.application.event.data.admin_operational_active_users
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.event.data.admin_operational_active_users_saved_query_id
+ tag: rename_event_data_admin_operational_active_users_saved_query_id
+ target_field: axonius.application.event.data.admin_operational_active_users_saved_query_id
+ ignore_missing: true
+ - convert:
+ field: json.event.data.admin_operational_inactive_users
+ tag: convert_event_data_admin_operational_inactive_users_to_long
+ target_field: axonius.application.event.data.admin_operational_inactive_users
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.event.data.admin_operational_inactive_users_saved_query_id
+ tag: rename_event_data_admin_operational_inactive_users_saved_query_id
+ target_field: axonius.application.event.data.admin_operational_inactive_users_saved_query_id
+ ignore_missing: true
+ - convert:
+ field: json.event.data.admin_operational_users
+ tag: convert_event_data_admin_operational_users_to_long
+ target_field: axonius.application.event.data.admin_operational_users
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.event.data.admin_operational_users_saved_query_id
+ tag: rename_event_data_admin_operational_users_saved_query_id
+ target_field: axonius.application.event.data.admin_operational_users_saved_query_id
+ ignore_missing: true
+ - convert:
+ field: json.event.data.admins
+ tag: convert_event_data_admins_to_long
+ target_field: axonius.application.event.data.admins
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.event.data.admins_saved_query_id
+ tag: rename_event_data_admins_saved_query_id
+ target_field: axonius.application.event.data.admins_saved_query_id
+ ignore_missing: true
+ - convert:
+ field: json.event.data.affiliated_users
+ tag: convert_event_data_affiliated_users_to_long
+ target_field: axonius.application.event.data.affiliated_users
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.event.data.affiliated_users_saved_query_id
+ tag: rename_event_data_affiliated_users_saved_query_id
+ target_field: axonius.application.event.data.affiliated_users_saved_query_id
+ ignore_missing: true
+ - rename:
+ field: json.event.data.aggregated_extension_types
+ tag: rename_event_data_aggregated_extension_types
+ target_field: axonius.application.event.data.aggregated_extension_types
+ ignore_missing: true
+ - rename:
+ field: json.event.data.category
+ tag: rename_event_data_category
+ target_field: axonius.application.event.data.category
+ ignore_missing: true
+ - rename:
+ field: json.event.data.compliance
+ tag: rename_event_data_compliance
+ target_field: axonius.application.event.data.compliance
+ ignore_missing: true
+ - convert:
+ field: json.event.data.data_at_rest_encryption
+ tag: convert_event_data_data_at_rest_encryption_to_boolean
+ target_field: axonius.application.event.data.data_at_rest_encryption
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.event.data.data_hold_IP
+ tag: convert_event_data_data_hold_IP_to_boolean
+ target_field: axonius.application.event.data.data_hold_IP
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.event.data.data_hold_PII
+ tag: convert_event_data_data_hold_PII_to_boolean
+ target_field: axonius.application.event.data.data_hold_PII
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.event.data.data_hold_customers_data
+ tag: convert_event_data_data_hold_customers_data_to_boolean
+ target_field: axonius.application.event.data.data_hold_customers_data
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.event.data.data_transport_encryption
+ tag: convert_event_data_data_transport_encryption_to_boolean
+ target_field: axonius.application.event.data.data_transport_encryption
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.event.data.deleted_users
+ tag: convert_event_data_deleted_users_to_long
+ target_field: axonius.application.event.data.deleted_users
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.event.data.deleted_users_saved_query_id
+ tag: rename_event_data_deleted_users_saved_query_id
+ target_field: axonius.application.event.data.deleted_users_saved_query_id
+ ignore_missing: true
+ - rename:
+ field: json.event.data.description
+ tag: rename_event_data_description
+ target_field: axonius.application.event.data.description
+ ignore_missing: true
+ - set:
+ field: message
+ tag: set_message_from_application_event_data_description
+ copy_from: axonius.application.event.data.description
+ ignore_empty_value: true
+ - convert:
+ field: json.event.data.direct_not_sso_users
+ tag: convert_event_data_direct_not_sso_users_to_long
+ target_field: axonius.application.event.data.direct_not_sso_users
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.event.data.direct_not_sso_users_saved_query_id
+ tag: rename_event_data_direct_not_sso_users_saved_query_id
+ target_field: axonius.application.event.data.direct_not_sso_users_saved_query_id
+ ignore_missing: true
+ - rename:
+ field: json.event.data.discovery_indicators
+ tag: rename_event_data_discovery_indicators
+ target_field: axonius.application.event.data.discovery_indicators
+ ignore_missing: true
+ - convert:
+ field: json.event.data.dns_discovered_users
+ tag: convert_event_data_dns_discovered_users_to_long
+ target_field: axonius.application.event.data.dns_discovered_users
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.event.data.dns_discovered_users_saved_query_id
+ tag: rename_event_data_dns_discovered_users_saved_query_id
+ target_field: axonius.application.event.data.dns_discovered_users_saved_query_id
+ ignore_missing: true
+ - rename:
+ field: json.event.data.domain
+ tag: rename_event_data_domain
+ target_field: axonius.application.event.data.domain
+ ignore_missing: true
+ - rename:
+ field: json.event.data.employees_count
+ tag: rename_event_data_employees_count
+ target_field: axonius.application.event.data.employees_count
+ ignore_missing: true
+ - convert:
+ field: json.event.data.expense_amount
+ tag: convert_event_data_expense_amount_to_long
+ target_field: axonius.application.event.data.expense_amount
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.expense_amount_hyperlink
+ tag: foreach_event_data_expense_amount_hyperlink_bracketWeight
+ if: ctx.json?.event?.data?.expense_amount_hyperlink instanceof List
+ processor:
+ convert:
+ field: _ingest._value.bracketWeight
+ tag: convert_event_data_expense_amount_hyperlink_bracketWeight_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.bracketWeight
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.expense_amount_hyperlink
+ tag: foreach_event_data_expense_amount_hyperlink_leftBracket
+ if: ctx.json?.event?.data?.expense_amount_hyperlink instanceof List
+ processor:
+ convert:
+ field: _ingest._value.leftBracket
+ tag: convert_event_data_expense_amount_hyperlink_leftBracket_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.leftBracket
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.expense_amount_hyperlink
+ tag: foreach_event_data_expense_amount_hyperlink_not
+ if: ctx.json?.event?.data?.expense_amount_hyperlink instanceof List
+ processor:
+ convert:
+ field: _ingest._value.not
+ tag: convert_event_data_expense_amount_hyperlink_not_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.not
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.expense_amount_hyperlink
+ tag: foreach_event_data_expense_amount_hyperlink_rightBracket
+ if: ctx.json?.event?.data?.expense_amount_hyperlink instanceof List
+ processor:
+ convert:
+ field: _ingest._value.rightBracket
+ tag: convert_event_data_expense_amount_hyperlink_rightBracket_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.rightBracket
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.event.data.expense_amount_hyperlink
+ tag: rename_event_data_expense_amount_hyperlink
+ target_field: axonius.application.event.data.expense_amount_hyperlink
+ ignore_missing: true
+ - convert:
+ field: json.event.data.external_users
+ tag: convert_event_data_external_users_to_double
+ target_field: axonius.application.event.data.external_users
+ type: double
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.event.data.external_users_saved_query_id
+ tag: rename_event_data_external_users_saved_query_id
+ target_field: axonius.application.event.data.external_users_saved_query_id
+ ignore_missing: true
+ - rename:
+ field: json.event.data.founding_year
+ tag: rename_event_data_founding_year
+ target_field: axonius.application.event.data.founding_year
+ ignore_missing: true
+ - rename:
+ field: json.event.data.funds_raised
+ tag: rename_event_data_funds_raised
+ target_field: axonius.application.event.data.funds_raised
+ ignore_missing: true
+ - rename:
+ field: json.event.data.generated_from_entities
+ tag: rename_event_data_generated_from_entities
+ target_field: axonius.application.event.data.generated_from_entities
+ ignore_missing: true
+ - rename:
+ field: json.event.data.hints
+ tag: rename_event_data_hints
+ target_field: axonius.application.event.data.hints
+ ignore_missing: true
+ - rename:
+ field: json.event.data.hq
+ tag: rename_event_data_hq
+ target_field: axonius.application.event.data.hq
+ ignore_missing: true
+ - convert:
+ field: json.event.data.inactive_licenses
+ tag: convert_event_data_inactive_licenses_to_long
+ target_field: axonius.application.event.data.inactive_licenses
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.inactive_licenses_link
+ tag: foreach_event_data_inactive_licenses_link_bracketWeight
+ if: ctx.json?.event?.data?.inactive_licenses_link instanceof List
+ processor:
+ convert:
+ field: _ingest._value.bracketWeight
+ tag: convert_event_data_inactive_licenses_link_bracketWeight_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.bracketWeight
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.inactive_licenses_link
+ tag: foreach_event_data_inactive_licenses_link_leftBracket
+ if: ctx.json?.event?.data?.inactive_licenses_link instanceof List
+ processor:
+ convert:
+ field: _ingest._value.leftBracket
+ tag: convert_event_data_inactive_licenses_link_leftBracket_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.leftBracket
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.inactive_licenses_link
+ tag: foreach_event_data_inactive_licenses_link_not
+ if: ctx.json?.event?.data?.inactive_licenses_link instanceof List
+ processor:
+ convert:
+ field: _ingest._value.not
+ tag: convert_event_data_inactive_licenses_link_not_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.not
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.inactive_licenses_link
+ tag: foreach_event_data_inactive_licenses_link_rightBracket
+ if: ctx.json?.event?.data?.inactive_licenses_link instanceof List
+ processor:
+ convert:
+ field: _ingest._value.rightBracket
+ tag: convert_event_data_inactive_licenses_link_rightBracket_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.rightBracket
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.event.data.inactive_licenses_link
+ tag: rename_event_data_inactive_licenses_link
+ target_field: axonius.application.event.data.inactive_licenses_link
+ ignore_missing: true
+ - convert:
+ field: json.event.data.inactive_users
+ tag: convert_event_data_inactive_users_to_long
+ target_field: axonius.application.event.data.inactive_users
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.event.data.inactive_users_saved_query_id
+ tag: rename_event_data_inactive_users_saved_query_id
+ target_field: axonius.application.event.data.inactive_users_saved_query_id
+ ignore_missing: true
+ - rename:
+ field: json.event.data.installed_sw
+ tag: rename_event_data_installed_sw
+ target_field: axonius.application.event.data.installed_sw
+ ignore_missing: true
+ - convert:
+ field: json.event.data.is_adapter_exists
+ tag: convert_event_data_is_adapter_exists_to_boolean
+ target_field: axonius.application.event.data.is_adapter_exists
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.event.data.is_discovered
+ tag: convert_event_data_is_discovered_to_boolean
+ target_field: axonius.application.event.data.is_discovered
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.event.data.is_from_axonius_catalog
+ tag: convert_event_data_is_from_axonius_catalog_to_boolean
+ target_field: axonius.application.event.data.is_from_axonius_catalog
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.event.data.is_managed
+ tag: convert_event_data_is_managed_to_boolean
+ target_field: axonius.application.event.data.is_managed
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.event.data.is_managed_by_connected_app
+ tag: convert_event_data_is_managed_by_connected_app_to_boolean
+ target_field: axonius.application.event.data.is_managed_by_connected_app
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.event.data.is_managed_by_sso
+ tag: convert_event_data_is_managed_by_sso_to_boolean
+ target_field: axonius.application.event.data.is_managed_by_sso
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.event.data.is_managed_or_admin_consent
+ tag: convert_event_data_is_managed_or_admin_consent_to_boolean
+ target_field: axonius.application.event.data.is_managed_or_admin_consent
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.event.data.is_managed_or_bookmark
+ tag: convert_event_data_is_managed_or_bookmark_to_boolean
+ target_field: axonius.application.event.data.is_managed_or_bookmark
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.event.data.is_managed_or_bookmark_or_admin_consent
+ tag: convert_event_data_is_managed_or_bookmark_or_admin_consent_to_boolean
+ target_field: axonius.application.event.data.is_managed_or_bookmark_or_admin_consent
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: json.event.data.last_enrichment_run
+ tag: date_event_data_last_enrichment_run
+ target_field: axonius.application.event.data.last_enrichment_run
+ formats:
+ - EEE, dd MMM yyyy HH:mm:ss 'GMT'
+ - yyyy-MM-dd
+ - EEE,dd MMM yyyy HH:mm:ss 'GMT'
+ if: ctx.json?.event?.data?.last_enrichment_run != null && ctx.json.event.data.last_enrichment_run != ''
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.event.data.license_cost
+ tag: convert_event_data_license_cost_to_double
+ target_field: axonius.application.event.data.license_cost
+ type: double
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.license_cost_hyperlink
+ tag: foreach_event_data_license_cost_hyperlink_bracketWeight
+ if: ctx.json?.event?.data?.license_cost_hyperlink instanceof List
+ processor:
+ convert:
+ field: _ingest._value.bracketWeight
+ tag: convert_event_data_license_cost_hyperlink_bracketWeight_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.bracketWeight
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.license_cost_hyperlink
+ tag: foreach_event_data_license_cost_hyperlink_leftBracket
+ if: ctx.json?.event?.data?.license_cost_hyperlink instanceof List
+ processor:
+ convert:
+ field: _ingest._value.leftBracket
+ tag: convert_event_data_license_cost_hyperlink_leftBracket_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.leftBracket
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.license_cost_hyperlink
+ tag: foreach_event_data_license_cost_hyperlink_not
+ if: ctx.json?.event?.data?.license_cost_hyperlink instanceof List
+ processor:
+ convert:
+ field: _ingest._value.not
+ tag: convert_event_data_license_cost_hyperlink_not_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.not
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.license_cost_hyperlink
+ tag: foreach_event_data_license_cost_hyperlink_rightBracket
+ if: ctx.json?.event?.data?.license_cost_hyperlink instanceof List
+ processor:
+ convert:
+ field: _ingest._value.rightBracket
+ tag: convert_event_data_license_cost_hyperlink_rightBracket_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.rightBracket
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.event.data.license_cost_hyperlink
+ tag: rename_event_data_license_cost_hyperlink
+ target_field: axonius.application.event.data.license_cost_hyperlink
+ ignore_missing: true
+ - rename:
+ field: json.event.data.license_status
+ tag: rename_event_data_license_status
+ target_field: axonius.application.event.data.license_status
+ ignore_missing: true
+ - convert:
+ field: json.event.data.managed_non_operational_users
+ tag: convert_event_data_managed_non_operational_users_to_long
+ target_field: axonius.application.event.data.managed_non_operational_users
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.event.data.managed_non_operational_users_saved_query_id
+ tag: rename_event_data_managed_non_operational_users_saved_query_id
+ target_field: axonius.application.event.data.managed_non_operational_users_saved_query_id
+ ignore_missing: true
+ - convert:
+ field: json.event.data.managed_operational_users
+ tag: convert_event_data_managed_operational_users_to_long
+ target_field: axonius.application.event.data.managed_operational_users
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.event.data.managed_operational_users_saved_query_id
+ tag: rename_event_data_managed_operational_users_saved_query_id
+ target_field: axonius.application.event.data.managed_operational_users_saved_query_id
+ ignore_missing: true
+ - convert:
+ field: json.event.data.managed_users
+ tag: convert_event_data_managed_users_to_long
+ target_field: axonius.application.event.data.managed_users
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.event.data.managed_users_by_app
+ tag: convert_event_data_managed_users_by_app_to_long
+ target_field: axonius.application.event.data.managed_users_by_app
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.event.data.managed_users_by_app_saved_query_id
+ tag: rename_event_data_managed_users_by_app_saved_query_id
+ target_field: axonius.application.event.data.managed_users_by_app_saved_query_id
+ ignore_missing: true
+ - convert:
+ field: json.event.data.managed_users_by_sso
+ tag: convert_event_data_managed_users_by_sso_to_long
+ target_field: axonius.application.event.data.managed_users_by_sso
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.event.data.managed_users_by_sso_saved_query_id
+ tag: rename_event_data_managed_users_by_sso_saved_query_id
+ target_field: axonius.application.event.data.managed_users_by_sso_saved_query_id
+ ignore_missing: true
+ - rename:
+ field: json.event.data.managed_users_saved_query_id
+ tag: rename_event_data_managed_users_saved_query_id
+ target_field: axonius.application.event.data.managed_users_saved_query_id
+ ignore_missing: true
+ - convert:
+ field: json.event.data.orphaned_users
+ tag: convert_event_data_orphaned_users_to_long
+ target_field: axonius.application.event.data.orphaned_users
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.event.data.orphaned_users_saved_query_id
+ tag: rename_event_data_orphaned_users_saved_query_id
+ target_field: axonius.application.event.data.orphaned_users_saved_query_id
+ ignore_missing: true
+ - convert:
+ field: json.event.data.paid_users
+ tag: convert_event_data_paid_users_to_long
+ target_field: axonius.application.event.data.paid_users
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.event.data.paid_users_saved_query_id
+ tag: rename_event_data_paid_users_saved_query_id
+ target_field: axonius.application.event.data.paid_users_saved_query_id
+ ignore_missing: true
+ - rename:
+ field: json.event.data.parent_company
+ tag: rename_event_data_parent_company
+ target_field: axonius.application.event.data.parent_company
+ ignore_missing: true
+ - rename:
+ field: json.event.data.policy_DPA
+ tag: rename_event_data_policy_DPA
+ target_field: axonius.application.event.data.policy_DPA
+ ignore_missing: true
+ - rename:
+ field: json.event.data.policy_password_policy
+ tag: rename_event_data_policy_password_policy
+ target_field: axonius.application.event.data.policy_password_policy
+ ignore_missing: true
+ - rename:
+ field: json.event.data.policy_privacy_policy
+ tag: rename_event_data_policy_privacy_policy
+ target_field: axonius.application.event.data.policy_privacy_policy
+ ignore_missing: true
+ - rename:
+ field: json.event.data.policy_security_policy
+ tag: rename_event_data_policy_security_policy
+ target_field: axonius.application.event.data.policy_security_policy
+ ignore_missing: true
+ - rename:
+ field: json.event.data.policy_termination_notice
+ tag: rename_event_data_policy_termination_notice
+ target_field: axonius.application.event.data.policy_termination_notice
+ ignore_missing: true
+ - rename:
+ field: json.event.data.policy_user_terms
+ tag: rename_event_data_policy_user_terms
+ target_field: axonius.application.event.data.policy_user_terms
+ ignore_missing: true
+ - rename:
+ field: json.event.data.public
+ tag: rename_event_data_public
+ target_field: axonius.application.event.data.public
+ ignore_missing: true
+ - foreach:
+ field: json.event.data.recommendations
+ tag: foreach_event_data_recommendations_quantity
+ if: ctx.json?.event?.data?.recommendations instanceof List
+ processor:
+ convert:
+ field: _ingest._value.quantity
+ tag: convert_event_data_recommendations_quantity_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.quantity
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.recommendations
+ tag: foreach_event_data_recommendations_quantity_link_bracketWeight
+ if: ctx.json?.event?.data?.recommendations instanceof List
+ processor:
+ convert:
+ field: _ingest._value.quantity_link.bracketWeight
+ tag: convert_event_data_recommendations_quantity_link_bracketWeight_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.quantity_link.bracketWeight
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.recommendations
+ tag: foreach_event_data_recommendations_quantity_link_leftBracket
+ if: ctx.json?.event?.data?.recommendations instanceof List
+ processor:
+ convert:
+ field: _ingest._value.quantity_link.leftBracket
+ tag: convert_event_data_recommendations_quantity_link_leftBracket_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.quantity_link.leftBracket
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.recommendations
+ tag: foreach_event_data_recommendations_quantity_link_not
+ if: ctx.json?.event?.data?.recommendations instanceof List
+ processor:
+ convert:
+ field: _ingest._value.quantity_link.not
+ tag: convert_event_data_recommendations_quantity_link_not_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.quantity_link.not
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.recommendations
+ tag: foreach_event_data_recommendations_quantity_link_rightBracket
+ if: ctx.json?.event?.data?.recommendations instanceof List
+ processor:
+ convert:
+ field: _ingest._value.quantity_link.rightBracket
+ tag: convert_event_data_recommendations_quantity_link_rightBracket_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.quantity_link.rightBracket
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.recommendations
+ tag: foreach_event_data_recommendations_quantity_link_value
+ if: ctx.json?.event?.data?.recommendations instanceof List
+ processor:
+ convert:
+ field: _ingest._value.quantity_link.value
+ tag: convert_event_data_recommendations_quantity_link_value_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.quantity_link.value
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.event.data.recommendations
+ tag: rename_event_data_recommendations
+ target_field: axonius.application.event.data.recommendations
+ ignore_missing: true
+ - rename:
+ field: json.event.data.risk
+ tag: rename_event_data_risk
+ target_field: axonius.application.event.data.risk
+ ignore_missing: true
+ - convert:
+ field: json.event.data.security_MFA
+ tag: convert_event_data_security_MFA_to_boolean
+ target_field: axonius.application.event.data.security_MFA
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.event.data.security_SSO
+ tag: convert_event_data_security_SSO_to_boolean
+ target_field: axonius.application.event.data.security_SSO
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.event.data.security_bug_bounty
+ tag: convert_event_data_security_bug_bounty_to_boolean
+ target_field: axonius.application.event.data.security_bug_bounty
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.event.data.security_email_for_issues
+ tag: rename_event_data_security_email_for_issues
+ target_field: axonius.application.event.data.security_email_for_issues
+ ignore_missing: true
+ - convert:
+ field: json.event.data.suspended_users
+ tag: convert_event_data_suspended_users_to_long
+ target_field: axonius.application.event.data.suspended_users
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.event.data.suspended_users_saved_query_id
+ tag: rename_event_data_suspended_users_saved_query_id
+ target_field: axonius.application.event.data.suspended_users_saved_query_id
+ ignore_missing: true
+ - convert:
+ field: json.event.data.total_accounts
+ tag: convert_event_data_total_accounts_to_long
+ target_field: axonius.application.event.data.total_accounts
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.total_expenses_by_adapter_connection
+ tag: foreach_event_data_total_expenses_by_adapter_connection_amount
+ if: ctx.json?.event?.data?.total_expenses_by_adapter_connection instanceof List
+ processor:
+ convert:
+ field: _ingest._value.amount
+ tag: convert_event_data_total_expenses_by_adapter_connection_amount_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.amount
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.event.data.total_expenses_by_adapter_connection
+ tag: rename_event_data_total_expenses_by_adapter_connection
+ target_field: axonius.application.event.data.total_expenses_by_adapter_connection
+ ignore_missing: true
+ - convert:
+ field: json.event.data.total_misconfigured_settings
+ tag: convert_event_data_total_misconfigured_settings_to_long
+ target_field: axonius.application.event.data.total_misconfigured_settings
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.event.data.unlinked_users
+ tag: convert_event_data_unlinked_users_to_long
+ target_field: axonius.application.event.data.unlinked_users
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.event.data.unlinked_users_saved_query_id
+ tag: rename_event_data_unlinked_users_saved_query_id
+ target_field: axonius.application.event.data.unlinked_users_saved_query_id
+ ignore_missing: true
+ - convert:
+ field: json.event.data.unmanaged_users
+ tag: convert_event_data_unmanaged_users_to_long
+ target_field: axonius.application.event.data.unmanaged_users
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.event.data.unmanaged_users_device_software_only
+ tag: convert_event_data_unmanaged_users_device_software_only_to_long
+ target_field: axonius.application.event.data.unmanaged_users_device_software_only
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.event.data.unmanaged_users_device_software_only_saved_query_id
+ tag: rename_event_data_unmanaged_users_device_software_only_saved_query_id
+ target_field: axonius.application.event.data.unmanaged_users_device_software_only_saved_query_id
+ ignore_missing: true
+ - rename:
+ field: json.event.data.unmanaged_users_saved_query_id
+ tag: rename_event_data_unmanaged_users_saved_query_id
+ target_field: axonius.application.event.data.unmanaged_users_saved_query_id
+ ignore_missing: true
+ - convert:
+ field: json.event.data.upcoming_renewals
+ tag: convert_event_data_upcoming_renewals_to_long
+ target_field: axonius.application.event.data.upcoming_renewals
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.event.data.used_as_override
+ tag: convert_event_data_used_as_override_to_boolean
+ target_field: axonius.application.event.data.used_as_override
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.event.data.user_extensions_used_by_app
+ tag: convert_event_data_user_extensions_used_by_app_to_long
+ target_field: axonius.application.event.data.user_extensions_used_by_app
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.event.data.vendors_application_category
+ tag: rename_event_data_vendors_application_category
+ target_field: axonius.application.event.data.vendors_application_category
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: |-
+ Processor '{{{ _ingest.on_failure_processor_type }}}'
+ {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
+ {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}'
+ - set:
+ field: event.kind
+ tag: set_pipeline_error_to_event_kind
+ value: pipeline_error
+ - append:
+ field: tags
+ value: preserve_original_event
+ allow_duplicates: false
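Review bot: the `convert` on `_ingest._value.amount` inside the `total_expenses_by_adapter_connection` foreach uses `type: long`, while `license_cost` in the same pipeline is converted with `type: double`. If Axonius returns a fractional expense amount, the long conversion fails and the `on_failure` branch removes `_ingest._value.amount`, so the figure is dropped from the indexed document and only an `error.message` entry records it. Suggest `type: double` here, with a matching field mapping, unless the API guarantees whole numbers. A smaller point: `license_cost_hyperlink` and `recommendations` are each walked by a separate `foreach` per sub-field (four and six passes respectively in the lines shown), so a single `script` processor per array would touch each list once and keep the per-field failure handling in one place.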
diff --git a/packages/axonius/data_stream/application/elasticsearch/ingest_pipeline/pipeline_software.yml b/packages/axonius/data_stream/application/elasticsearch/ingest_pipeline/pipeline_software.yml
new file mode 100644
index 00000000000..ef031316f5f
--- /dev/null
+++ b/packages/axonius/data_stream/application/elasticsearch/ingest_pipeline/pipeline_software.yml
@@ -0,0 +1,174 @@
+---
+description: Pipeline for processing software logs.
+processors:
+ - rename:
+ field: json._id
+ tag: rename__id
+ target_field: axonius.application._id
+ ignore_missing: true
+ - date:
+ field: json.event.data.approval_status_meta.last_modified
+ tag: date_event_data_approval_status_meta_last_modified
+ target_field: axonius.application.event.data.approval_status_meta.last_modified
+ formats:
+ - EEE, dd MMM yyyy HH:mm:ss 'GMT'
+ - yyyy-MM-dd
+ - EEE,dd MMM yyyy HH:mm:ss 'GMT'
+ if: ctx.json?.event?.data?.approval_status_meta?.last_modified != null && ctx.json.event.data.approval_status_meta.last_modified != ''
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.event.data.approval_status_meta.last_modified_by
+ tag: rename_event_data_approval_status_meta_last_modified_by
+ target_field: axonius.application.event.data.approval_status_meta.last_modified_by
+ ignore_missing: true
+ - rename:
+ field: json.event.data.approval_status_meta.software_name
+ tag: rename_event_data_approval_status_meta_software_name
+ target_field: axonius.application.event.data.approval_status_meta.software_name
+ ignore_missing: true
+ - rename:
+ field: json.event.data.approval_status_meta.software_vendor
+ tag: rename_event_data_approval_status_meta_software_vendor
+ target_field: axonius.application.event.data.approval_status_meta.software_vendor
+ ignore_missing: true
+ - rename:
+ field: json.event.data.approval_status_meta.source
+ tag: rename_event_data_approval_status_meta_source
+ target_field: axonius.application.event.data.approval_status_meta.source
+ ignore_missing: true
+ - rename:
+ field: json.event.data.categories
+ tag: rename_event_data_categories
+ target_field: axonius.application.event.data.categories
+ ignore_missing: true
+ - foreach:
+ field: json.event.data.installed_software
+ tag: foreach_event_data_installed_software_end_of_life
+ if: ctx.json?.event?.data?.installed_software instanceof List
+ processor:
+ date:
+ field: _ingest._value.end_of_life
+ tag: date_event_data_installed_software_end_of_life
+ target_field: _ingest._value.end_of_life
+ formats:
+ - EEE, dd MMM yyyy HH:mm:ss 'GMT'
+ - yyyy-MM-dd
+ - EEE,dd MMM yyyy HH:mm:ss 'GMT'
+ on_failure:
+ - remove:
+ field: _ingest._value.end_of_life
+ ignore_missing: true
+ - foreach:
+ field: json.event.data.installed_software
+ tag: foreach_event_data_installed_software_end_of_support
+ if: ctx.json?.event?.data?.installed_software instanceof List
+ processor:
+ date:
+ field: _ingest._value.end_of_support
+ tag: date_event_data_installed_software_end_of_support
+ target_field: _ingest._value.end_of_support
+ formats:
+ - EEE, dd MMM yyyy HH:mm:ss 'GMT'
+ - yyyy-MM-dd
+ - EEE,dd MMM yyyy HH:mm:ss 'GMT'
+ on_failure:
+ - remove:
+ field: _ingest._value.end_of_support
+ ignore_missing: true
+ - foreach:
+ field: json.event.data.installed_software
+ tag: foreach_event_data_installed_software_has_reached_end_of_life
+ if: ctx.json?.event?.data?.installed_software instanceof List
+ processor:
+ convert:
+ field: _ingest._value.has_reached_end_of_life
+ tag: convert_event_data_installed_software_has_reached_end_of_life_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.has_reached_end_of_life
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.installed_software
+ tag: foreach_event_data_installed_software_has_reached_end_of_support
+ if: ctx.json?.event?.data?.installed_software instanceof List
+ processor:
+ convert:
+ field: _ingest._value.has_reached_end_of_support
+ tag: convert_event_data_installed_software_has_reached_end_of_support_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.has_reached_end_of_support
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.event.data.installed_software
+ tag: foreach_event_data_installed_software_last_used_date
+ if: ctx.json?.event?.data?.installed_software instanceof List
+ processor:
+ date:
+ field: _ingest._value.last_used_date
+ tag: date_event_data_installed_software_last_used_date
+ target_field: _ingest._value.last_used_date
+ formats:
+ - EEE, dd MMM yyyy HH:mm:ss 'GMT'
+ - yyyy-MM-dd
+ - EEE,dd MMM yyyy HH:mm:ss 'GMT'
+ on_failure:
+ - remove:
+ field: _ingest._value.last_used_date
+ ignore_missing: true
+ - rename:
+ field: json.event.data.installed_software
+ tag: rename_event_data_installed_software
+ target_field: axonius.application.event.data.installed_software
+ ignore_missing: true
+ - date:
+ field: json.event.data.last_used_date
+ tag: date_event_data_last_used_date
+ target_field: axonius.application.event.data.last_used_date
+ formats:
+ - EEE, dd MMM yyyy HH:mm:ss 'GMT'
+ - yyyy-MM-dd
+ - EEE,dd MMM yyyy HH:mm:ss 'GMT'
+ if: ctx.json?.event?.data?.last_used_date != null && ctx.json.event.data.last_used_date != ''
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.event.data.source
+ tag: rename_event_data_source
+ target_field: axonius.application.event.data.source
+ ignore_missing: true
+ - rename:
+ field: json.event.data.sub_category
+ tag: rename_event_data_sub_category
+ target_field: axonius.application.event.data.sub_category
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: |-
+ Processor '{{{ _ingest.on_failure_processor_type }}}'
+ {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
+ {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}'
+ - set:
+ field: event.kind
+ tag: set_pipeline_error_to_event_kind
+ value: pipeline_error
+ - append:
+ field: tags
+ value: preserve_original_event
+ allow_duplicates: false
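Review bot: In the three `foreach` date processors over `json.event.data.installed_software` (`end_of_life`, `end_of_support`, `last_used_date`), `on_failure` only removes `_ingest._value.<field>` and never appends to `error.message`, so a value in an unexpected format is dropped from the document with no trace. The two `convert` foreach processors next to them do append the standard failure message after the remove. If the silent remove is meant to absorb list elements that have no such field, say so in a comment; otherwise add the same `append` to `error.message` so unparseable end-of-life and end-of-support dates stay visible.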
diff --git a/packages/axonius/data_stream/application/fields/base-fields.yml b/packages/axonius/data_stream/application/fields/base-fields.yml
new file mode 100644
index 00000000000..a73f369a293
--- /dev/null
+++ b/packages/axonius/data_stream/application/fields/base-fields.yml
@@ -0,0 +1,16 @@
+- name: data_stream.dataset
+ external: ecs
+- name: data_stream.namespace
+ external: ecs
+- name: data_stream.type
+ external: ecs
+- name: event.dataset
+ type: constant_keyword
+ external: ecs
+ value: axonius.application
+- name: event.module
+ type: constant_keyword
+ external: ecs
+ value: axonius
+- name: '@timestamp'
+ external: ecs
diff --git a/packages/axonius/data_stream/application/fields/beats.yml b/packages/axonius/data_stream/application/fields/beats.yml
new file mode 100644
index 00000000000..4084f1dc7f5
--- /dev/null
+++ b/packages/axonius/data_stream/application/fields/beats.yml
@@ -0,0 +1,6 @@
+- name: input.type
+ type: keyword
+ description: Type of filebeat input.
+- name: log.offset
+ type: long
+ description: Log offset.
diff --git a/packages/axonius/data_stream/application/fields/ecs.yml b/packages/axonius/data_stream/application/fields/ecs.yml
new file mode 100644
index 00000000000..e1d89be8ab4
--- /dev/null
+++ b/packages/axonius/data_stream/application/fields/ecs.yml
@@ -0,0 +1,5 @@
+# Define ECS constant fields as constant_keyword
+- name: observer.vendor
+ external: ecs
+ type: constant_keyword
+ value: Axonius
diff --git a/packages/axonius/data_stream/application/fields/fields.yml b/packages/axonius/data_stream/application/fields/fields.yml
new file mode 100644
index 00000000000..499a4583d7f
--- /dev/null
+++ b/packages/axonius/data_stream/application/fields/fields.yml
@@ -0,0 +1,1019 @@
+- name: axonius
+ type: group
+ fields:
+ - name: application
+ type: group
+ fields:
+ - name: _id
+ type: keyword
+ - name: adapter_list_length
+ type: long
+ - name: adapters
+ type: keyword
+ - name: asset_type
+ type: keyword
+ - name: event
+ type: group
+ fields:
+ - name: accurate_for_datetime
+ type: date
+ - name: action_if_exists
+ type: keyword
+ - name: adapter_categories
+ type: keyword
+ - name: associated_adapter_plugin_name
+ type: keyword
+ - name: association_type
+ type: keyword
+ - name: client_used
+ type: keyword
+ - name: data
+ type: group
+ fields:
+ - name: account_name
+ type: keyword
+ - name: accurate_for_datetime
+ type: date
+ - name: action
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ - name: timestamp
+ type: date
+ - name: type
+ type: keyword
+ - name: active_licenses
+ type: long
+ - name: active_licenses_link
+ type: group
+ fields:
+ - name: bracketWeight
+ type: long
+ - name: compOp
+ type: keyword
+ - name: field
+ type: keyword
+ - name: leftBracket
+ type: long
+ - name: logicOp
+ type: keyword
+ - name: not
+ type: boolean
+ - name: rightBracket
+ type: long
+ - name: value
+ type: keyword
+ - name: active_users
+ type: long
+ - name: active_users_saved_query_id
+ type: keyword
+ - name: activity_status
+ type: keyword
+ - name: activity_status_active
+ type: long
+ - name: activity_status_active_hyperlink
+ type: group
+ fields:
+ - name: bracketWeight
+ type: long
+ - name: compOp
+ type: keyword
+ - name: field
+ type: keyword
+ - name: leftBracket
+ type: long
+ - name: logicOp
+ type: keyword
+ - name: not
+ type: boolean
+ - name: rightBracket
+ type: long
+ - name: value
+ type: keyword
+ - name: activity_status_inactive
+ type: long
+ - name: activity_status_inactive_hyperlink
+ type: group
+ fields:
+ - name: bracketWeight
+ type: long
+ - name: compOp
+ type: keyword
+ - name: field
+ type: keyword
+ - name: leftBracket
+ type: long
+ - name: logicOp
+ type: keyword
+ - name: not
+ type: boolean
+ - name: rightBracket
+ type: long
+ - name: value
+ type: keyword
+ - name: actor
+ type: group
+ fields:
+ - name: username
+ type: keyword
+ - name: actor_state
+ type: group
+ fields:
+ - name: location
+ type: group
+ fields:
+ - name: country
+ type: keyword
+ - name: remote_ip
+ type: ip
+ - name: remote_ip
+ type: ip
+ - name: actual_renewal_date
+ type: date
+ - name: admin_non_operational_users
+ type: long
+ - name: admin_non_operational_users_saved_query_id
+ type: keyword
+ - name: admin_operational_active_users
+ type: long
+ - name: admin_operational_active_users_saved_query_id
+ type: keyword
+ - name: admin_operational_inactive_users
+ type: long
+ - name: admin_operational_inactive_users_saved_query_id
+ type: keyword
+ - name: admin_operational_users
+ type: long
+ - name: admin_operational_users_saved_query_id
+ type: keyword
+ - name: admins
+ type: long
+ - name: admins_saved_query_id
+ type: keyword
+ - name: affiliated_users
+ type: long
+ - name: affiliated_users_saved_query_id
+ type: keyword
+ - name: aggregated_extension_types
+ type: keyword
+ - name: amount
+ type: long
+ - name: app_id
+ type: keyword
+ - name: application_and_account_name
+ type: keyword
+ - name: application_resource_id
+ type: keyword
+ - name: application_resource_type
+ type: keyword
+ - name: application_type
+ type: keyword
+ - name: approval_status
+ type: keyword
+ - name: approval_status_meta
+ type: group
+ fields:
+ - name: last_modified
+ type: date
+ - name: last_modified_by
+ type: keyword
+ - name: software_name
+ type: keyword
+ - name: software_vendor
+ type: keyword
+ - name: source
+ type: keyword
+ - name: associated_license_users
+ type: group
+ fields:
+ - name: email
+ type: keyword
+ - name: internal_axon_id
+ type: keyword
+ - name: username
+ type: keyword
+ - name: associated_users
+ type: group
+ fields:
+ - name: user_activity_status
+ type: keyword
+ - name: username
+ type: keyword
+ - name: association_scope
+ type: keyword
+ - name: auth_type
+ type: keyword
+ - name: business_criticality
+ type: keyword
+ - name: business_owner
+ type: keyword
+ - name: categories
+ type: keyword
+ - name: category
+ type: keyword
+ - name: compliance
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ - name: configuration_values
+ type: group
+ fields:
+ - name: configuration_value
+ type: keyword
+ - name: entity_remote_id
+ type: keyword
+ - name: is_valid
+ type: boolean
+ - name: name
+ type: keyword
+ - name: raw_setting_name
+ type: keyword
+ - name: recommendation
+ type: keyword
+ - name: role
+ type: group
+ fields:
+ - name: display_name
+ type: keyword
+ - name: remote_id
+ type: keyword
+ - name: value
+ type: keyword
+ - name: cost
+ type: double
+ - name: created
+ type: date
+ - name: custom_properties
+ type: group
+ fields:
+ - name: is_identity
+ type: boolean
+ - name: data_at_rest_encryption
+ type: boolean
+ - name: data_hold_IP
+ type: boolean
+ - name: data_hold_PII
+ type: boolean
+ - name: data_hold_customers_data
+ type: boolean
+ - name: data_transport_encryption
+ type: boolean
+ - name: deleted_users
+ type: long
+ - name: deleted_users_saved_query_id
+ type: keyword
+ - name: department
+ type: keyword
+ - name: description
+ type: keyword
+ - name: devices_count
+ type: long
+ - name: devices_count_link
+ type: group
+ fields:
+ - name: bracketWeight
+ type: long
+ - name: comp_op
+ type: keyword
+ - name: field
+ type: keyword
+ - name: leftBracket
+ type: long
+ - name: logic_op
+ type: keyword
+ - name: not
+ type: boolean
+ - name: rightBracket
+ type: long
+ - name: value
+ type: keyword
+ - name: direct_not_sso_users
+ type: long
+ - name: direct_not_sso_users_saved_query_id
+ type: keyword
+ - name: discovery_indicators
+ type: keyword
+ - name: dns_discovered_users
+ type: long
+ - name: dns_discovered_users_saved_query_id
+ type: keyword
+ - name: domain
+ type: keyword
+ - name: employees_count
+ type: keyword
+ - name: end_date
+ type: date
+ - name: excessive_read
+ type: long
+ - name: excessive_read_link
+ type: group
+ fields:
+ - name: bracketWeight
+ type: long
+ - name: compOp
+ type: keyword
+ - name: field
+ type: keyword
+ - name: leftBracket
+ type: long
+ - name: logicOp
+ type: keyword
+ - name: not
+ type: boolean
+ - name: rightBracket
+ type: long
+ - name: value
+ type: keyword
+ - name: excessive_write
+ type: long
+ - name: excessive_write_link
+ type: group
+ fields:
+ - name: bracketWeight
+ type: long
+ - name: compOp
+ type: keyword
+ - name: field
+ type: keyword
+ - name: leftBracket
+ type: long
+ - name: logicOp
+ type: keyword
+ - name: not
+ type: boolean
+ - name: rightBracket
+ type: long
+ - name: value
+ type: keyword
+ - name: expense_amount
+ type: long
+ - name: expense_amount_hyperlink
+ type: group
+ fields:
+ - name: bracketWeight
+ type: long
+ - name: compOp
+ type: keyword
+ - name: field
+ type: keyword
+ - name: leftBracket
+ type: long
+ - name: logicOp
+ type: keyword
+ - name: not
+ type: boolean
+ - name: rightBracket
+ type: long
+ - name: value
+ type: keyword
+ - name: extension_type
+ type: keyword
+ - name: external_users
+ type: double
+ - name: external_users_saved_query_id
+ type: keyword
+ - name: fetch_time
+ type: date
+ - name: first_fetch_time
+ type: date
+ - name: first_seen
+ type: date
+ - name: founding_year
+ type: keyword
+ - name: from_last_fetch
+ type: boolean
+ - name: funds_raised
+ type: keyword
+ - name: generated_from_entities
+ type: keyword
+ - name: grant_types
+ type: keyword
+ - name: hints
+ type: keyword
+ - name: hq
+ type: keyword
+ - name: id
+ type: keyword
+ - name: id_raw
+ type: keyword
+ - name: impact
+ type: keyword
+ - name: inactive_licenses
+ type: long
+ - name: inactive_licenses_link
+ type: group
+ fields:
+ - name: bracketWeight
+ type: long
+ - name: compOp
+ type: keyword
+ - name: field
+ type: keyword
+ - name: leftBracket
+ type: long
+ - name: logicOp
+ type: keyword
+ - name: not
+ type: boolean
+ - name: rightBracket
+ type: long
+ - name: value
+ type: keyword
+ - name: inactive_users
+ type: long
+ - name: inactive_users_saved_query_id
+ type: keyword
+ - name: install_status
+ type: keyword
+ - name: installed_software
+ type: group
+ fields:
+ - name: end_of_life
+ type: date
+ - name: end_of_support
+ type: date
+ - name: generated_cpe
+ type: keyword
+ - name: has_reached_end_of_life
+ type: boolean
+ - name: has_reached_end_of_support
+ type: boolean
+ - name: last_used_date
+ type: date
+ - name: name
+ type: keyword
+ - name: name_version
+ type: keyword
+ - name: publisher
+ type: keyword
+ - name: source
+ type: keyword
+ - name: sw_uid
+ type: keyword
+ - name: vendor
+ type: keyword
+ - name: vendor_publisher
+ type: keyword
+ - name: version
+ type: keyword
+ - name: version_raw
+ type: keyword
+ - name: installed_sw
+ type: keyword
+ - name: integration_type
+ type: keyword
+ - name: is_active_license
+ type: boolean
+ - name: is_active_license_from_adapter
+ type: boolean
+ - name: is_adapter_exists
+ type: boolean
+ - name: is_admin
+ type: long
+ - name: is_admin_hyperlink
+ type: group
+ fields:
+ - name: bracketWeight
+ type: long
+ - name: compOp
+ type: keyword
+ - name: field
+ type: keyword
+ - name: leftBracket
+ type: long
+ - name: logicOp
+ type: keyword
+ - name: not
+ type: boolean
+ - name: rightBracket
+ type: long
+ - name: value
+ type: keyword
+ - name: is_discovered
+ type: boolean
+ - name: is_excluded
+ type: boolean
+ - name: is_fetched_from_adapter
+ type: boolean
+ - name: is_from_axonius_catalog
+ type: boolean
+ - name: is_identity
+ type: long
+ - name: is_identity_hyperlink
+ type: group
+ fields:
+ - name: bracketWeight
+ type: long
+ - name: compOp
+ type: keyword
+ - name: field
+ type: keyword
+ - name: leftBracket
+ type: long
+ - name: logicOp
+ type: keyword
+ - name: not
+ type: boolean
+ - name: rightBracket
+ type: long
+ - name: value
+ type: keyword
+ - name: is_managed
+ type: boolean
+ - name: is_managed_by_connected_app
+ type: boolean
+ - name: is_managed_by_sso
+ type: boolean
+ - name: is_managed_or_admin_consent
+ type: boolean
+ - name: is_managed_or_bookmark
+ type: boolean
+ - name: is_managed_or_bookmark_or_admin_consent
+ type: boolean
+ - name: is_operational
+ type: boolean
+ - name: it_application_owner
+ type: keyword
+ - name: last_access
+ type: date
+ - name: last_enrichment_run
+ type: date
+ - name: last_fetch_connection_id
+ type: keyword
+ - name: last_fetch_connection_label
+ type: keyword
+ - name: last_seen
+ type: date
+ - name: last_used
+ type: date
+ - name: last_used_date
+ type: date
+ - name: level
+ type: keyword
+ - name: license_cost
+ type: double
+ - name: license_cost_hyperlink
+ type: group
+ fields:
+ - name: bracketWeight
+ type: long
+ - name: compOp
+ type: keyword
+ - name: field
+ type: keyword
+ - name: leftBracket
+ type: long
+ - name: logicOp
+ type: keyword
+ - name: not
+ type: boolean
+ - name: rightBracket
+ type: long
+ - name: value
+ type: keyword
+ - name: license_estimated_monthly_cost
+ type: double
+ - name: license_estimated_yearly_cost
+ type: double
+ - name: license_name
+ type: keyword
+ - name: license_status
+ type: keyword
+ - name: license_type
+ type: keyword
+ - name: link
+ type: keyword
+ - name: link_path
+ type: keyword
+ - name: managed_by
+ type: keyword
+ - name: managed_non_operational_users
+ type: long
+ - name: managed_non_operational_users_saved_query_id
+ type: keyword
+ - name: managed_operational_users
+ type: long
+ - name: managed_operational_users_saved_query_id
+ type: keyword
+ - name: managed_users
+ type: long
+ - name: managed_users_by_app
+ type: long
+ - name: managed_users_by_app_saved_query_id
+ type: keyword
+ - name: managed_users_by_sso
+ type: long
+ - name: managed_users_by_sso_saved_query_id
+ type: keyword
+ - name: managed_users_saved_query_id
+ type: keyword
+ - name: name
+ type: keyword
+ - name: never_accessed
+ type: boolean
+ - name: not_fetched_count
+ type: long
+ - name: number
+ type: keyword
+ - name: number_of_active_associated_users
+ type: long
+ - name: number_of_associated_users
+ type: long
+ - name: number_of_inactive_associated_users
+ type: long
+ - name: operational_status
+ type: keyword
+ - name: orphaned_users
+ type: long
+ - name: orphaned_users_saved_query_id
+ type: keyword
+ - name: owner
+ type: keyword
+ - name: paid_users
+ type: long
+ - name: paid_users_saved_query_id
+ type: keyword
+ - name: parent_company
+ type: keyword
+ - name: permissions
+ type: group
+ fields:
+ - name: alias
+ type: keyword
+ - name: hash_id
+ type: keyword
+ - name: is_admin
+ type: boolean
+ - name: name
+ type: keyword
+ - name: scope_tag
+ type: keyword
+ - name: users_amount
+ type: long
+ - name: policy_DPA
+ type: keyword
+ - name: policy_password_policy
+ type: keyword
+ - name: policy_privacy_policy
+ type: keyword
+ - name: policy_security_policy
+ type: keyword
+ - name: policy_termination_notice
+ type: keyword
+ - name: policy_user_terms
+ type: keyword
+ - name: possible_savings_of_inactive_associated_users
+ type: double
+ - name: pretty_id
+ type: keyword
+ - name: pricing_unit
+ type: keyword
+ - name: product_name
+ type: keyword
+ - name: public
+ type: keyword
+ - name: quantity
+ type: long
+ - name: raw_setting_name
+ type: keyword
+ - name: raw_setting_value
+ type: keyword
+ - name: recommendation
+ type: keyword
+ - name: recommendation_description
+ type: keyword
+ - name: recommendations
+ type: group
+ fields:
+ - name: description
+ type: keyword
+ - name: name
+ type: keyword
+ - name: quantity
+ type: long
+ - name: quantity_link
+ type: group
+ fields:
+ - name: bracketWeight
+ type: long
+ - name: compOp
+ type: keyword
+ - name: field
+ type: keyword
+ - name: leftBracket
+ type: long
+ - name: logicOp
+ type: keyword
+ - name: not
+ type: boolean
+ - name: rightBracket
+ type: long
+ - name: value
+ type: long
+ - name: remediation
+ type: keyword
+ - name: severity
+ type: keyword
+ - name: redirect_uris
+ type: keyword
+ - name: related_user
+ type: group
+ fields:
+ - name: email
+ type: keyword
+ - name: full_name
+ type: flattened
+ - name: remote_id
+ type: keyword
+ - name: username
+ type: keyword
+ - name: related_vendor_name
+ type: keyword
+ - name: remote_id
+ type: keyword
+ - name: risk
+ type: keyword
+ - name: role
+ type: group
+ fields:
+ - name: display_name
+ type: keyword
+ - name: remote_id
+ type: keyword
+ - name: scope_tag_calendar
+ type: long
+ - name: scope_tag_calendar_hyperlink
+ type: group
+ fields:
+ - name: bracketWeight
+ type: long
+ - name: compOp
+ type: keyword
+ - name: field
+ type: keyword
+ - name: leftBracket
+ type: long
+ - name: logicOp
+ type: keyword
+ - name: not
+ type: boolean
+ - name: rightBracket
+ type: long
+ - name: value
+ type: keyword
+ - name: scope_tag_drive
+ type: long
+ - name: scope_tag_drive_hyperlink
+ type: group
+ fields:
+ - name: bracketWeight
+ type: long
+ - name: compOp
+ type: keyword
+ - name: field
+ type: keyword
+ - name: leftBracket
+ type: long
+ - name: logicOp
+ type: keyword
+ - name: not
+ type: boolean
+ - name: rightBracket
+ type: long
+ - name: value
+ type: keyword
+ - name: scope_tag_mail
+ type: long
+ - name: scope_tag_mail_hyperlink
+ type: group
+ fields:
+ - name: bracketWeight
+ type: long
+ - name: compOp
+ type: keyword
+ - name: field
+ type: keyword
+ - name: leftBracket
+ type: long
+ - name: logicOp
+ type: keyword
+ - name: not
+ type: boolean
+ - name: rightBracket
+ type: long
+ - name: value
+ type: keyword
+ - name: security_MFA
+ type: boolean
+ - name: security_SSO
+ type: boolean
+ - name: security_bug_bounty
+ type: boolean
+ - name: security_email_for_issues
+ type: keyword
+ - name: setting_description
+ type: keyword
+ - name: setting_name
+ type: keyword
+ - name: setting_type
+ type: keyword
+ - name: settings_score
+ type: double
+ - name: settings_status
+ type: keyword
+ - name: short_description
+ type: keyword
+ - name: sm_entity_type
+ type: keyword
+ - name: source
+ type: keyword
+ - name: source_application
+ type: keyword
+ - name: standards
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ - name: sections
+ type: keyword
+ - name: version
+ type: keyword
+ - name: start_date
+ type: date
+ - name: sub_category
+ type: keyword
+ - name: subscription_term
+ type: keyword
+ - name: suspended_users
+ type: long
+ - name: suspended_users_saved_query_id
+ type: keyword
+ - name: tenant_number
+ type: keyword
+ - name: total_accounts
+ type: long
+ - name: total_expenses_by_adapter_connection
+ type: group
+ fields:
+ - name: amount
+ type: long
+ - name: connection_label
+ type: keyword
+ - name: total_misconfigured_settings
+ type: long
+ - name: transaction_time
+ type: date
+ - name: type
+ type: keyword
+ - name: unit_price
+ type: double
+ - name: unlinked_users
+ type: long
+ - name: unlinked_users_saved_query_id
+ type: keyword
+ - name: unmanaged_users
+ type: long
+ - name: unmanaged_users_device_software_only
+ type: long
+ - name: unmanaged_users_device_software_only_saved_query_id
+ type: keyword
+ - name: unmanaged_users_saved_query_id
+ type: keyword
+ - name: upcoming_renewals
+ type: long
+ - name: urls
+ type: keyword
+ - name: used_as_override
+ type: boolean
+ - name: user_account
+ type: group
+ fields:
+ - name: email
+ type: keyword
+ - name: remote_id
+ type: keyword
+ - name: username
+ type: keyword
+ - name: user_count
+ type: long
+ - name: user_count_link
+ type: group
+ fields:
+ - name: bracketWeight
+ type: long
+ - name: compOp
+ type: keyword
+ - name: field
+ type: keyword
+ - name: leftBracket
+ type: long
+ - name: logicOp
+ type: keyword
+ - name: not
+ type: boolean
+ - name: rightBracket
+ type: long
+ - name: value
+ type: keyword
+ - name: user_email
+ type: keyword
+ - name: user_extensions_used_by_app
+ type: long
+ - name: username_formats
+ type: keyword
+ - name: users_amount
+ type: long
+ - name: vendor_category
+ type: keyword
+ - name: vendor_documentation
+ type: keyword
+ - name: vendor_setting
+ type: group
+ fields:
+ - name: _id
+ type: keyword
+ - name: documentation_link
+ type: keyword
+ - name: exceptions
+ type: group
+ fields:
+ - name: level
+ type: keyword
+ - name: link
+ type: keyword
+ - name: link_path
+ type: keyword
+ - name: raw_setting_name
+ type: keyword
+ - name: raw_setting_value_type
+ type: keyword
+ - name: setting_id
+ type: keyword
+ - name: is_relevant
+ type: boolean
+ - name: lambda_name
+ type: keyword
+ - name: lambda_variable
+ type: keyword
+ - name: level
+ type: keyword
+ - name: link
+ type: keyword
+ - name: link_path
+ type: keyword
+ - name: product
+ type: keyword
+ - name: raw_setting_name
+ type: keyword
+ - name: raw_setting_value_type
+ type: keyword
+ - name: raw_validation_rule
+ type: keyword
+ - name: recommendation_reason
+ type: keyword
+ - name: scope
+ type: keyword
+ - name: setting_description
+ type: keyword
+ - name: xsetting
+ type: group
+ fields:
+ - name: _id
+ type: keyword
+ - name: impact
+ type: long
+ - name: setting_type
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ - name: xsetting_name
+ type: keyword
+ - name: vendors_application_category
+ type: keyword
+ - name: entity
+ type: keyword
+ - name: hidden_for_gui
+ type: boolean
+ - name: initial_plugin_unique_name
+ type: keyword
+ - name: name
+ type: keyword
+ - name: plugin_name
+ type: keyword
+ - name: plugin_type
+ type: keyword
+ - name: plugin_unique_name
+ type: keyword
+ - name: quick_id
+ type: keyword
+ - name: type
+ type: keyword
+ - name: internal_axon_id
+ type: keyword
+ - name: labels
+ type: keyword
+ - name: transform_unique_id
+ type: keyword
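Review bot: `devices_count_link` declares `comp_op` and `logic_op`, while every other `*_link` and `*_hyperlink` group in this file declares `compOp` and `logicOp`. If the API really returns snake_case for this one object, a short comment would help; if not, those two subfields will fall outside the declared mapping. Two type choices also stand out and should be confirmed against real payloads: `recommendations.quantity_link.value` is `long` where the same subfield is `keyword` in the other link groups, and `external_users` is `double` where the sibling user counters are `long`. None of the fields in this file carries a `description`, unlike the entries in `beats.yml`.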
diff --git a/packages/axonius/data_stream/application/fields/is-transform-source-true.yml b/packages/axonius/data_stream/application/fields/is-transform-source-true.yml
new file mode 100644
index 00000000000..367ed8d40c6
--- /dev/null
+++ b/packages/axonius/data_stream/application/fields/is-transform-source-true.yml
@@ -0,0 +1,4 @@
+- name: labels.is_transform_source
+ type: constant_keyword
+ description: Distinguishes between documents that are a source for a transform and documents that are an output of a transform, to facilitate easier filtering.
+ value: 'true'
diff --git a/packages/axonius/data_stream/application/lifecycle.yml b/packages/axonius/data_stream/application/lifecycle.yml
new file mode 100644
index 00000000000..f7b0d98d5aa
--- /dev/null
+++ b/packages/axonius/data_stream/application/lifecycle.yml
@@ -0,0 +1 @@
+data_retention: '30d'
diff --git a/packages/axonius/data_stream/application/manifest.yml b/packages/axonius/data_stream/application/manifest.yml
new file mode 100644
index 00000000000..5cc52c49f8c
--- /dev/null
+++ b/packages/axonius/data_stream/application/manifest.yml
@@ -0,0 +1,72 @@
+title: Application
+type: logs
+ilm_policy: logs-axonius.application-default_policy
+streams:
+ - input: cel
+ title: Application
+ description: Collect Application logs from Axonius.
+ template_path: cel.yml.hbs
+ vars:
+ - name: interval
+ type: text
+ title: Interval
+ description: Duration between requests to the Axonius API. Supported units for this parameter are h/m/s.
+ multi: false
+ required: true
+ show_user: true
+ default: 24h
+ - name: batch_size
+ type: integer
+ title: Batch Size
+ description: Batch size for the response of the Axonius API. The batch size can range from a minimum of 1 to a maximum of 2000.
+ default: 2000
+ multi: false
+ required: true
+ show_user: true
+ - name: enable_request_tracer
+ type: bool
+ title: Enable request tracing
+ multi: false
+ default: false
+ required: false
+ show_user: false
+ description: >-
+ The request tracer logs requests and responses to the agent's local file-system for debugging configurations.
+ Enabling this request tracing compromises security and should only be used for debugging. Disabling the request
+ tracer will delete any stored traces.
+ See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable)
+ for details.
+ - name: tags
+ type: text
+ title: Tags
+ description: Tags for the data-stream.
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - axonius-application
+ - name: http_client_timeout
+ type: text
+ title: HTTP Client Timeout
+ description: Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h.
+ multi: false
+ required: true
+ show_user: false
+ default: 5m
+ - name: preserve_duplicate_custom_fields
+ required: false
+ title: Preserve duplicate custom fields
+ description: Preserve axonius.application.* fields that were copied to Elastic Common Schema (ECS) fields.
+ type: bool
+ multi: false
+ show_user: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed.
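Review bot: `batch_size` documents a range of 1 to 2000 in its description, but the variable is a plain `integer` with `default: 2000` and nothing in this manifest enforces those bounds. Please make sure the CEL program behind `template_path: cel.yml.hbs` rejects or clamps out-of-range values, or state in the description what happens when the range is exceeded. The same goes for `interval` and `http_client_timeout`, which are free `text` with only the accepted units described.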
diff --git a/packages/axonius/data_stream/application/sample_event.json b/packages/axonius/data_stream/application/sample_event.json
new file mode 100644
index 00000000000..5b415d5cc83
--- /dev/null
+++ b/packages/axonius/data_stream/application/sample_event.json
@@ -0,0 +1,107 @@
+{
+ "@timestamp": "2025-12-17T00:02:48.000Z",
+ "agent": {
+ "ephemeral_id": "13f676d4-a77b-4ca2-95d1-d41601832bee",
+ "id": "73b42a7a-42bd-4078-a36d-9067c8d30e0c",
+ "name": "elastic-agent-28033",
+ "type": "filebeat",
+ "version": "8.18.0"
+ },
+ "axonius": {
+ "application": {
+ "adapter_list_length": 1,
+ "adapters": [
+ "expenses_csv_adapter"
+ ],
+ "asset_type": "expenses",
+ "event": {
+ "accurate_for_datetime": "2025-12-17T00:02:48.000Z",
+ "adapter_categories": [
+ "SaaS Management"
+ ],
+ "client_used": "67fd09f23c68ed1b541bb4bb",
+ "data": {
+ "accurate_for_datetime": "2025-12-17T00:02:48.000Z",
+ "amount": 360,
+ "application_and_account_name": "csv - expenses/expenses_csv-demo",
+ "department": "R&D",
+ "fetch_time": "2025-12-17T00:02:48.000Z",
+ "first_fetch_time": "2025-12-14T16:50:44.000Z",
+ "from_last_fetch": true,
+ "id": "a24384edf8e865475c10",
+ "id_raw": "10bf1488-dd28-4189-9d46-5b887dcbf47c",
+ "is_fetched_from_adapter": true,
+ "last_fetch_connection_id": "67fd09f23c68ed1b541bb4bb",
+ "last_fetch_connection_label": "expenses_csv-demo",
+ "not_fetched_count": 0,
+ "pretty_id": "AX-2427031329160723459",
+ "related_user": {
+ "email": "tomi.lynch@demo.local",
+ "remote_id": "62a204d1-6f2a-4cc0-a740-ed17a61bdcbd",
+ "username": "tomi.lynch@demo.local"
+ },
+ "related_vendor_name": "Salesforce",
+ "sm_entity_type": "expense",
+ "source_application": "CSV - Expenses",
+ "tenant_number": [
+ "2"
+ ],
+ "transaction_time": "2025-07-28T14:31:35.000Z",
+ "type": "Expenses",
+ "user_email": "tomi.lynch@demo.local",
+ "vendor_category": "Productivity"
+ },
+ "initial_plugin_unique_name": "expenses_csv_adapter_0",
+ "plugin_name": "expenses_csv_adapter",
+ "plugin_type": "Adapter",
+ "plugin_unique_name": "expenses_csv_adapter_0",
+ "quick_id": "expenses_csv_adapter_0!a24384edf8e865475c10",
+ "type": "entitydata"
+ },
+ "internal_axon_id": "21ae8c22895e7c031b589896f694d2d7"
+ }
+ },
+ "data_stream": {
+ "dataset": "axonius.application",
+ "namespace": "25326",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "9.2.0"
+ },
+ "elastic_agent": {
+ "id": "73b42a7a-42bd-4078-a36d-9067c8d30e0c",
+ "snapshot": false,
+ "version": "8.18.0"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "dataset": "axonius.application",
+ "id": "a24384edf8e865475c10",
+ "ingested": "2025-12-19T13:04:53Z",
+ "kind": "event",
+ "original": "{\"adapter_list_length\":1,\"adapters\":[\"expenses_csv_adapter\"],\"asset_type\":\"expenses\",\"event\":{\"accurate_for_datetime\":\"Wed, 17 Dec 2025 00:02:48 GMT\",\"adapter_categories\":[\"SaaS Management\"],\"client_used\":\"67fd09f23c68ed1b541bb4bb\",\"data\":{\"accurate_for_datetime\":\"Wed, 17 Dec 2025 00:02:48 GMT\",\"amount\":360,\"application_and_account_name\":\"csv - expenses/expenses_csv-demo\",\"department\":\"R\\u0026D\",\"fetch_time\":\"Wed, 17 Dec 2025 00:02:48 GMT\",\"first_fetch_time\":\"Sun, 14 Dec 2025 16:50:44 GMT\",\"from_last_fetch\":true,\"id\":\"a24384edf8e865475c10\",\"id_raw\":\"10bf1488-dd28-4189-9d46-5b887dcbf47c\",\"is_fetched_from_adapter\":true,\"last_fetch_connection_id\":\"67fd09f23c68ed1b541bb4bb\",\"last_fetch_connection_label\":\"expenses_csv-demo\",\"not_fetched_count\":0,\"pretty_id\":\"AX-2427031329160723459\",\"related_user\":{\"email\":\"tomi.lynch@demo.local\",\"full_name\":{},\"remote_id\":\"62a204d1-6f2a-4cc0-a740-ed17a61bdcbd\",\"username\":\"tomi.lynch@demo.local\"},\"related_vendor_name\":\"Salesforce\",\"sm_entity_type\":\"expense\",\"source_application\":\"CSV - Expenses\",\"tenant_number\":[\"2\"],\"transaction_time\":\"Mon, 28 Jul 2025 14:31:35 GMT\",\"type\":\"Expenses\",\"user_email\":\"tomi.lynch@demo.local\",\"vendor_category\":\"Productivity\"},\"initial_plugin_unique_name\":\"expenses_csv_adapter_0\",\"plugin_name\":\"expenses_csv_adapter\",\"plugin_type\":\"Adapter\",\"plugin_unique_name\":\"expenses_csv_adapter_0\",\"quick_id\":\"expenses_csv_adapter_0!a24384edf8e865475c10\",\"type\":\"entitydata\"},\"internal_axon_id\":\"21ae8c22895e7c031b589896f694d2d7\"}",
+ "start": "2025-07-28T14:31:35.000Z"
+ },
+ "input": {
+ "type": "cel"
+ },
+ "related": {
+ "user": [
+ "tomi.lynch@demo.local",
+ "62a204d1-6f2a-4cc0-a740-ed17a61bdcbd"
+ ]
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields",
+ "forwarded",
+ "axonius-application"
+ ],
+ "user": {
+ "domain": "demo.local",
+ "email": "tomi.lynch@demo.local",
+ "id": "62a204d1-6f2a-4cc0-a740-ed17a61bdcbd",
+ "name": "tomi.lynch@demo.local"
+ }
+}
diff --git a/packages/axonius/docs/README.md b/packages/axonius/docs/README.md
new file mode 100644
index 00000000000..0f6903ca9d6
--- /dev/null
+++ b/packages/axonius/docs/README.md
@@ -0,0 +1,181 @@
+# Axonius Integration for Elastic
+
+## Overview
+
+[Axonius](https://www.axonius.com/) is a cybersecurity asset management platform that automatically collects data from hundreds of IT and security tools through adapters, merges that information, and builds a unified inventory of all assets including devices, users, SaaS apps, cloud instances, and more. By correlating data from multiple systems, Axonius helps organizations identify visibility gaps, missing security controls, risky configurations, and compliance issues. It lets you create powerful queries to answer any security or IT question and automate actions such as sending alerts, creating tickets, or enforcing policies.
+
+This integration for Elastic allows you to collect assets and security events data using the Axonius API, then visualize the data in Kibana.
+
+### Compatibility
+The Axonius integration is compatible with product version **7.0**.
+
+### How it works
+This integration periodically queries the Axonius API to retrieve logs.
+
+## What data does this integration collect?
+This integration collects log messages of the following type:
+
+- `Application`: Collect details of all application assets including:
+ - software (endpoint: `/api/v2/software`)
+ - saas_applications (endpoint: `/api/v2/saas_applications`)
+ - application_settings (endpoint: `/api/v2/application_settings`)
+ - licenses (endpoint: `/api/v2/licenses`)
+ - expenses (endpoint: `/api/v2/expenses`)
+ - admin_managed_extensions (endpoint: `/api/v2/admin_managed_extensions`)
+ - user_initiated_extensions (endpoint: `/api/v2/user_initiated_extensions`)
+ - application_addons (endpoint: `/api/v2/application_addons`)
+ - admin_managed_extension_instances (endpoint: `/api/v2/admin_managed_extension_instances`)
+ - user_initiated_extension_instances (endpoint: `/api/v2/user_initiated_extension_instances`)
+ - application_addon_instances (endpoint: `/api/v2/application_addon_instances`)
+ - application_keys (endpoint: `/api/v2/application_keys`)
+ - audit_activities (endpoint: `/api/v2/audit_activities`)
+ - business_applications (endpoint: `/api/v2/business_applications`)
+ - urls (endpoint: `/api/v2/urls`)
+ - application_services (endpoint: `/api/v2/application_services`)
+ - application_resources (endpoint: `/api/v2/application_resources`)
+ - secrets (endpoint: `/api/v2/secrets`)
+
+### Supported use cases
+
+Integrating the Axonius Application Datastream with Elastic SIEM provides clear visibility into application related activity and usage across the environment. This datastream helps analysts understand how business applications and installed software are being used, where activity is occurring, and which applications are most active or impactful.
+
+It offers consolidated views of business applications, installed software, sources, users, and domains, enabling teams to quickly validate application activity, assess risk especially for SaaS applications and understand how events are distributed across asset types and actions. Time based trends and activity status insights help identify spikes, dormant applications, or unusual behavior patterns.
+
+These insights enable organizations to monitor application usage, detect risky or unauthorized application activity, maintain accurate application inventories, and support investigations where application related context is critical.
+
+## What do I need to use this integration?
+
+### From Elastic
+
+This integration installs [Elastic latest transforms](https://www.elastic.co/docs/explore-analyze/transforms/transform-overview#latest-transform-overview). For more details, check the [Transform](https://www.elastic.co/docs/explore-analyze/transforms/transform-setup) setup and requirements.
+
+### From Axonius
+
+To collect data through the Axonius APIs, you need to provide the **URL**, **API Key** and **API Secret**. Authentication is handled using the **API Key** and **API Secret**, which serves as the required credential.
+
+#### Retrieve URL, API Token and API Secret:
+
+1. Log in to the **Axonius** instance.
+2. Your instance URL is your Base **URL**.
+3. Navigate to **User Settings > API Key**.
+4. Generate an **API Key**.
+5. If you do not see the API Key tab in your user settings, follow these steps:
+ 1. Go to **System Settings** > **User and Role Management** > **Service Accounts**.
+ 2. Create a Service Account, and then generate an **API Key**.
+6. Copy both values including **API Key and Secret Key** and store them securely for use in the Integration configuration.
+
+**Note:**
+To generate or reset an API key, your role must be **Admin**, and you must have **API Access** permissions, which include **API Access Enabled** and **Reset API Key**.
+
+## How do I deploy this integration?
+
+This integration supports both Elastic Agentless-based and Agent-based installations.
+
+### Agent-based deployment
+
+Elastic Agent must be installed. For more details, check the Elastic Agent [installation instructions](docs-content://reference/fleet/install-elastic-agents.md). You can install only one Elastic Agent per host.
+
+Elastic Agent is required to stream data from the syslog or log file receiver and ship the data to Elastic, where the events will then be processed via the integration's ingest pipelines.
+
+### Agentless deployment
+
+Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. Agentless deployments provide a means to ingest data while avoiding the orchestration, management, and maintenance needs associated with standard ingest infrastructure. Using an agentless deployment makes manual agent deployment unnecessary, allowing you to focus on your data instead of the agent that collects it.
+
+For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html)
+
+### Configure
+
+1. In the top search bar in Kibana, search for **Integrations**.
+2. In the search bar, type **Axonius**.
+3. Select the **Axonius** integration from the search results.
+4. Select **Add Axonius** to add the integration.
+5. Enable and configure only the collection methods which you will use.
+
+ * To **Collect logs from Axonius API**, you'll need to:
+
+ - Configure **URL**, **API Key** and **API Secret**.
+ - Adjust the integration configuration parameters if required, including the Interval, HTTP Client Timeout etc. to enable data collection.
+
+6. Select **Save and continue** to save the integration.
+
+### Validation
+
+#### Dashboard populated
+
+1. In the top search bar in Kibana, search for **Dashboards**.
+2. In the search bar, type **Axonius**, and verify the dashboard information is populated.
+
+#### Transforms healthy
+
+1. In the top search bar in Kibana, search for **Transforms**.
+2. Select the **Data / Transforms** from the search results.
+3. In the search bar, type **Axonius**.
+4. All transforms from the search results should indicate **Healthy** under the **Health** column.
+
+## Troubleshooting
+
+For help with Elastic ingest tools, check [Common problems](https://www.elastic.co/docs/troubleshoot/ingest/fleet/common-problems).
+
+## Scaling
+
+For more information on architectures that can be used for scaling this integration, check the [Ingest Architectures](https://www.elastic.co/docs/manage-data/ingest/ingest-reference-architectures) documentation.
+
+## Reference
+
+
+### Inputs used
+
+These inputs can be used with this integration:
+
+cel
+
+## Setup
+
+For more details about the CEL input settings, check the [Filebeat documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html).
+
+Before configuring the CEL input, make sure you have:
+- Network connectivity to the target API endpoint
+- Valid authentication credentials (API keys, tokens, or certificates as required)
+- Appropriate permissions to read from the target data source
+
+### Collecting logs from CEL
+
+To configure the CEL input, you must specify the `request.url` value pointing to the API endpoint. The interval parameter controls how frequently requests are made and is the primary way to balance data freshness with API rate limits and costs. Authentication is often configured through the `request.headers` section using the appropriate method for the service.
+
+NOTE: To access the API service, make sure you have the necessary API credentials and that the Filebeat instance can reach the endpoint URL. Some services may require IP whitelisting or VPN access.
+
+To collect logs via API endpoint, configure the following parameters:
+
+- API Endpoint URL
+- API credentials (tokens, keys, or username/password)
+- Request interval (how often to fetch data)
+
+
+
+### API usage
+
+These APIs are used with this integration:
+
+* Application:
+ * software (endpoint: `/api/v2/software`)
+ * saas_applications (endpoint: `/api/v2/saas_applications`)
+ * application_settings (endpoint: `/api/v2/application_settings`)
+ * licenses (endpoint: `/api/v2/licenses`)
+ * expenses (endpoint: `/api/v2/expenses`)
+ * admin_managed_extensions (endpoint: `/api/v2/admin_managed_extensions`)
+ * user_initiated_extensions (endpoint: `/api/v2/user_initiated_extensions`)
+ * application_addons (endpoint: `/api/v2/application_addons`)
+ * admin_managed_extension_instances (endpoint: `/api/v2/admin_managed_extension_instances`)
+ * user_initiated_extension_instances (endpoint: `/api/v2/user_initiated_extension_instances`)
+ * application_addon_instances (endpoint: `/api/v2/application_addon_instances`)
+ * application_keys (endpoint: `/api/v2/application_keys`)
+ * audit_activities (endpoint: `/api/v2/audit_activities`)
+ * business_applications (endpoint: `/api/v2/business_applications`)
+ * urls (endpoint: `/api/v2/urls`)
+ * application_services (endpoint: `/api/v2/application_services`)
+ * application_resources (endpoint: `/api/v2/application_resources`)
+ * secrets (endpoint: `/api/v2/secrets`)
+
+#### ILM Policy
+
+To facilitate application data, source data stream-backed indices `.ds-logs-axonius.application-*` are allowed to contain duplicates from each polling interval. ILM policy `logs-axonius.application-default_policy` is added to these source indices, so it doesn't lead to unbounded growth. This means that in these source indices data will be deleted after `30 days` from ingested date.
\ No newline at end of file
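Review bot: The "Agent-based deployment" paragraph says Elastic Agent is required "to stream data from the syslog or log file receiver", but this integration only polls the Axonius API through the `cel` input (see "How it works" and "Inputs used"), so that sentence should describe API polling instead. In "From Axonius", the heading reads "Retrieve URL, API Token and API Secret" while the steps and the Configure section call the credential **API Key**; pick one term. The note there states the role needed to generate or reset a key (Admin with API Access) but not the permissions the key needs to read the listed endpoints, which include `/api/v2/secrets` and `/api/v2/application_keys`; documenting the minimum read permissions and recommending the service-account path from step 5 would help operators avoid reusing an admin user's key. The file also ends without a trailing newline.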
diff --git a/packages/axonius/elasticsearch/transform/latest_application/fields/base-fields.yml b/packages/axonius/elasticsearch/transform/latest_application/fields/base-fields.yml
new file mode 100644
index 00000000000..2ba00c796ff
--- /dev/null
+++ b/packages/axonius/elasticsearch/transform/latest_application/fields/base-fields.yml
@@ -0,0 +1,16 @@
+- name: data_stream.type
+ external: ecs
+- name: data_stream.dataset
+ external: ecs
+- name: data_stream.namespace
+ external: ecs
+- name: event.module
+ type: constant_keyword
+ external: ecs
+ value: axonius
+- name: event.dataset
+ type: constant_keyword
+ external: ecs
+ value: axonius.application
+- name: '@timestamp'
+ external: ecs
diff --git a/packages/axonius/elasticsearch/transform/latest_application/fields/beats.yml b/packages/axonius/elasticsearch/transform/latest_application/fields/beats.yml
new file mode 100644
index 00000000000..d5fd38748ba
--- /dev/null
+++ b/packages/axonius/elasticsearch/transform/latest_application/fields/beats.yml
@@ -0,0 +1,6 @@
+- name: input.type
+ type: keyword
+ description: Type of Filebeat input.
+- name: log.offset
+ type: long
+ description: Log offset.
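Review bot: `log.offset` is declared in this transform's field set, but the sample event in this patch shows `input.type: cel`, and the cel input polls an API rather than reading a file, so no offset is produced. Consider dropping `log.offset` and keeping only `input.type`, unless the package tooling requires the stock beats.yml.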
diff --git a/packages/axonius/elasticsearch/transform/latest_application/fields/ecs.yml b/packages/axonius/elasticsearch/transform/latest_application/fields/ecs.yml
new file mode 100644
index 00000000000..38f44d72192
--- /dev/null
+++ b/packages/axonius/elasticsearch/transform/latest_application/fields/ecs.yml
@@ -0,0 +1,64 @@
+- external: ecs
+ name: agent.ephemeral_id
+- external: ecs
+ name: agent.id
+- external: ecs
+ name: agent.name
+- external: ecs
+ name: agent.type
+- external: ecs
+ name: agent.version
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: error.code
+- external: ecs
+ name: error.id
+- external: ecs
+ name: error.message
+- external: ecs
+ name: event.action
+- external: ecs
+ name: event.created
+- external: ecs
+ name: event.end
+- external: ecs
+ name: event.ingested
+- external: ecs
+ name: event.kind
+- external: ecs
+ name: event.start
+- external: ecs
+ name: host.domain
+- external: ecs
+ name: host.geo.country_name
+- external: ecs
+ name: message
+- external: ecs
+ name: observer.vendor
+ type: constant_keyword
+ value: Axonius
+- external: ecs
+ name: related.hosts
+- external: ecs
+ name: related.ip
+- external: ecs
+ name: related.user
+- external: ecs
+ name: rule.description
+- external: ecs
+ name: rule.id
+- external: ecs
+ name: rule.name
+- external: ecs
+ name: rule.reference
+- external: ecs
+ name: rule.ruleset
+- external: ecs
+ name: service.type
+- external: ecs
+ name: user.email
+- external: ecs
+ name: user.id
+- external: ecs
+ name: user.name
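Review bot: `user.domain` is missing from this list next to `user.email`, `user.id` and `user.name`, although the sample event added in this patch populates `user.domain` ("demo.local"); the same event carries `tags`, which is not declared in the field files visible in this part of the patch either. If the latest transform copies those fields into the destination index, add them so they get explicit ECS mappings rather than relying on dynamic mapping; if they are excluded on purpose, say so in the transform documentation.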
diff --git a/packages/axonius/elasticsearch/transform/latest_application/fields/fields.yml b/packages/axonius/elasticsearch/transform/latest_application/fields/fields.yml
new file mode 100644
index 00000000000..499a4583d7f
--- /dev/null
+++ b/packages/axonius/elasticsearch/transform/latest_application/fields/fields.yml
@@ -0,0 +1,1019 @@
+- name: axonius
+ type: group
+ fields:
+ - name: application
+ type: group
+ fields:
+ - name: _id
+ type: keyword
+ - name: adapter_list_length
+ type: long
+ - name: adapters
+ type: keyword
+ - name: asset_type
+ type: keyword
+ - name: event
+ type: group
+ fields:
+ - name: accurate_for_datetime
+ type: date
+ - name: action_if_exists
+ type: keyword
+ - name: adapter_categories
+ type: keyword
+ - name: associated_adapter_plugin_name
+ type: keyword
+ - name: association_type
+ type: keyword
+ - name: client_used
+ type: keyword
+ - name: data
+ type: group
+ fields:
+ - name: account_name
+ type: keyword
+ - name: accurate_for_datetime
+ type: date
+ - name: action
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ - name: timestamp
+ type: date
+ - name: type
+ type: keyword
+ - name: active_licenses
+ type: long
+ - name: active_licenses_link
+ type: group
+ fields:
+ - name: bracketWeight
+ type: long
+ - name: compOp
+ type: keyword
+ - name: field
+ type: keyword
+ - name: leftBracket
+ type: long
+ - name: logicOp
+ type: keyword
+ - name: not
+ type: boolean
+ - name: rightBracket
+ type: long
+ - name: value
+ type: keyword
+ - name: active_users
+ type: long
+ - name: active_users_saved_query_id
+ type: keyword
+ - name: activity_status
+ type: keyword
+ - name: activity_status_active
+ type: long
+ - name: activity_status_active_hyperlink
+ type: group
+ fields:
+ - name: bracketWeight
+ type: long
+ - name: compOp
+ type: keyword
+ - name: field
+ type: keyword
+ - name: leftBracket
+ type: long
+ - name: logicOp
+ type: keyword
+ - name: not
+ type: boolean
+ - name: rightBracket
+ type: long
+ - name: value
+ type: keyword
+ - name: activity_status_inactive
+ type: long
+ - name: activity_status_inactive_hyperlink
+ type: group
+ fields:
+ - name: bracketWeight
+ type: long
+ - name: compOp
+ type: keyword
+ - name: field
+ type: keyword
+ - name: leftBracket
+ type: long
+ - name: logicOp
+ type: keyword
+ - name: not
+ type: boolean
+ - name: rightBracket
+ type: long
+ - name: value
+ type: keyword
+ - name: actor
+ type: group
+ fields:
+ - name: username
+ type: keyword
+ - name: actor_state
+ type: group
+ fields:
+ - name: location
+ type: group
+ fields:
+ - name: country
+ type: keyword
+ - name: remote_ip
+ type: ip
+ - name: remote_ip
+ type: ip
+ - name: actual_renewal_date
+ type: date
+ - name: admin_non_operational_users
+ type: long
+ - name: admin_non_operational_users_saved_query_id
+ type: keyword
+ - name: admin_operational_active_users
+ type: long
+ - name: admin_operational_active_users_saved_query_id
+ type: keyword
+ - name: admin_operational_inactive_users
+ type: long
+ - name: admin_operational_inactive_users_saved_query_id
+ type: keyword
+ - name: admin_operational_users
+ type: long
+ - name: admin_operational_users_saved_query_id
+ type: keyword
+ - name: admins
+ type: long
+ - name: admins_saved_query_id
+ type: keyword
+ - name: affiliated_users
+ type: long
+ - name: affiliated_users_saved_query_id
+ type: keyword
+ - name: aggregated_extension_types
+ type: keyword
+ - name: amount
+ type: long
+ - name: app_id
+ type: keyword
+ - name: application_and_account_name
+ type: keyword
+ - name: application_resource_id
+ type: keyword
+ - name: application_resource_type
+ type: keyword
+ - name: application_type
+ type: keyword
+ - name: approval_status
+ type: keyword
+ - name: approval_status_meta
+ type: group
+ fields:
+ - name: last_modified
+ type: date
+ - name: last_modified_by
+ type: keyword
+ - name: software_name
+ type: keyword
+ - name: software_vendor
+ type: keyword
+ - name: source
+ type: keyword
+ - name: associated_license_users
+ type: group
+ fields:
+ - name: email
+ type: keyword
+ - name: internal_axon_id
+ type: keyword
+ - name: username
+ type: keyword
+ - name: associated_users
+ type: group
+ fields:
+ - name: user_activity_status
+ type: keyword
+ - name: username
+ type: keyword
+ - name: association_scope
+ type: keyword
+ - name: auth_type
+ type: keyword
+ - name: business_criticality
+ type: keyword
+ - name: business_owner
+ type: keyword
+ - name: categories
+ type: keyword
+ - name: category
+ type: keyword
+ - name: compliance
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ - name: configuration_values
+ type: group
+ fields:
+ - name: configuration_value
+ type: keyword
+ - name: entity_remote_id
+ type: keyword
+ - name: is_valid
+ type: boolean
+ - name: name
+ type: keyword
+ - name: raw_setting_name
+ type: keyword
+ - name: recommendation
+ type: keyword
+ - name: role
+ type: group
+ fields:
+ - name: display_name
+ type: keyword
+ - name: remote_id
+ type: keyword
+ - name: value
+ type: keyword
+ - name: cost
+ type: double
+ - name: created
+ type: date
+ - name: custom_properties
+ type: group
+ fields:
+ - name: is_identity
+ type: boolean
+ - name: data_at_rest_encryption
+ type: boolean
+ - name: data_hold_IP
+ type: boolean
+ - name: data_hold_PII
+ type: boolean
+ - name: data_hold_customers_data
+ type: boolean
+ - name: data_transport_encryption
+ type: boolean
+ - name: deleted_users
+ type: long
+ - name: deleted_users_saved_query_id
+ type: keyword
+ - name: department
+ type: keyword
+ - name: description
+ type: keyword
+ - name: devices_count
+ type: long
+ - name: devices_count_link
+ type: group
+ fields:
+ - name: bracketWeight
+ type: long
+ - name: comp_op
+ type: keyword
+ - name: field
+ type: keyword
+ - name: leftBracket
+ type: long
+ - name: logic_op
+ type: keyword
+ - name: not
+ type: boolean
+ - name: rightBracket
+ type: long
+ - name: value
+ type: keyword
+ - name: direct_not_sso_users
+ type: long
+ - name: direct_not_sso_users_saved_query_id
+ type: keyword
+ - name: discovery_indicators
+ type: keyword
+ - name: dns_discovered_users
+ type: long
+ - name: dns_discovered_users_saved_query_id
+ type: keyword
+ - name: domain
+ type: keyword
+ - name: employees_count
+ type: keyword
+ - name: end_date
+ type: date
+ - name: excessive_read
+ type: long
+ - name: excessive_read_link
+ type: group
+ fields:
+ - name: bracketWeight
+ type: long
+ - name: compOp
+ type: keyword
+ - name: field
+ type: keyword
+ - name: leftBracket
+ type: long
+ - name: logicOp
+ type: keyword
+ - name: not
+ type: boolean
+ - name: rightBracket
+ type: long
+ - name: value
+ type: keyword
+ - name: excessive_write
+ type: long
+ - name: excessive_write_link
+ type: group
+ fields:
+ - name: bracketWeight
+ type: long
+ - name: compOp
+ type: keyword
+ - name: field
+ type: keyword
+ - name: leftBracket
+ type: long
+ - name: logicOp
+ type: keyword
+ - name: not
+ type: boolean
+ - name: rightBracket
+ type: long
+ - name: value
+ type: keyword
+ - name: expense_amount
+ type: long
+ - name: expense_amount_hyperlink
+ type: group
+ fields:
+ - name: bracketWeight
+ type: long
+ - name: compOp
+ type: keyword
+ - name: field
+ type: keyword
+ - name: leftBracket
+ type: long
+ - name: logicOp
+ type: keyword
+ - name: not
+ type: boolean
+ - name: rightBracket
+ type: long
+ - name: value
+ type: keyword
+ - name: extension_type
+ type: keyword
+ - name: external_users
+ type: double
+ - name: external_users_saved_query_id
+ type: keyword
+ - name: fetch_time
+ type: date
+ - name: first_fetch_time
+ type: date
+ - name: first_seen
+ type: date
+ - name: founding_year
+ type: keyword
+ - name: from_last_fetch
+ type: boolean
+ - name: funds_raised
+ type: keyword
+ - name: generated_from_entities
+ type: keyword
+ - name: grant_types
+ type: keyword
+ - name: hints
+ type: keyword
+ - name: hq
+ type: keyword
+ - name: id
+ type: keyword
+ - name: id_raw
+ type: keyword
+ - name: impact
+ type: keyword
+ - name: inactive_licenses
+ type: long
+ - name: inactive_licenses_link
+ type: group
+ fields:
+ - name: bracketWeight
+ type: long
+ - name: compOp
+ type: keyword
+ - name: field
+ type: keyword
+ - name: leftBracket
+ type: long
+ - name: logicOp
+ type: keyword
+ - name: not
+ type: boolean
+ - name: rightBracket
+ type: long
+ - name: value
+ type: keyword
+ - name: inactive_users
+ type: long
+ - name: inactive_users_saved_query_id
+ type: keyword
+ - name: install_status
+ type: keyword
+ - name: installed_software
+ type: group
+ fields:
+ - name: end_of_life
+ type: date
+ - name: end_of_support
+ type: date
+ - name: generated_cpe
+ type: keyword
+ - name: has_reached_end_of_life
+ type: boolean
+ - name: has_reached_end_of_support
+ type: boolean
+ - name: last_used_date
+ type: date
+ - name: name
+ type: keyword
+ - name: name_version
+ type: keyword
+ - name: publisher
+ type: keyword
+ - name: source
+ type: keyword
+ - name: sw_uid
+ type: keyword
+ - name: vendor
+ type: keyword
+ - name: vendor_publisher
+ type: keyword
+ - name: version
+ type: keyword
+ - name: version_raw
+ type: keyword
+ - name: installed_sw
+ type: keyword
+ - name: integration_type
+ type: keyword
+ - name: is_active_license
+ type: boolean
+ - name: is_active_license_from_adapter
+ type: boolean
+ - name: is_adapter_exists
+ type: boolean
+ - name: is_admin
+ type: long
+ - name: is_admin_hyperlink
+ type: group
+ fields:
+ - name: bracketWeight
+ type: long
+ - name: compOp
+ type: keyword
+ - name: field
+ type: keyword
+ - name: leftBracket
+ type: long
+ - name: logicOp
+ type: keyword
+ - name: not
+ type: boolean
+ - name: rightBracket
+ type: long
+ - name: value
+ type: keyword
+ - name: is_discovered
+ type: boolean
+ - name: is_excluded
+ type: boolean
+ - name: is_fetched_from_adapter
+ type: boolean
+ - name: is_from_axonius_catalog
+ type: boolean
+ - name: is_identity
+ type: long
+ - name: is_identity_hyperlink
+ type: group
+ fields:
+ - name: bracketWeight
+ type: long
+ - name: compOp
+ type: keyword
+ - name: field
+ type: keyword
+ - name: leftBracket
+ type: long
+ - name: logicOp
+ type: keyword
+ - name: not
+ type: boolean
+ - name: rightBracket
+ type: long
+ - name: value
+ type: keyword
+ - name: is_managed
+ type: boolean
+ - name: is_managed_by_connected_app
+ type: boolean
+ - name: is_managed_by_sso
+ type: boolean
+ - name: is_managed_or_admin_consent
+ type: boolean
+ - name: is_managed_or_bookmark
+ type: boolean
+ - name: is_managed_or_bookmark_or_admin_consent
+ type: boolean
+ - name: is_operational
+ type: boolean
+ - name: it_application_owner
+ type: keyword
+ - name: last_access
+ type: date
+ - name: last_enrichment_run
+ type: date
+ - name: last_fetch_connection_id
+ type: keyword
+ - name: last_fetch_connection_label
+ type: keyword
+ - name: last_seen
+ type: date
+ - name: last_used
+ type: date
+ - name: last_used_date
+ type: date
+ - name: level
+ type: keyword
+ - name: license_cost
+ type: double
+ - name: license_cost_hyperlink
+ type: group
+ fields:
+ - name: bracketWeight
+ type: long
+ - name: compOp
+ type: keyword
+ - name: field
+ type: keyword
+ - name: leftBracket
+ type: long
+ - name: logicOp
+ type: keyword
+ - name: not
+ type: boolean
+ - name: rightBracket
+ type: long
+ - name: value
+ type: keyword
+ - name: license_estimated_monthly_cost
+ type: double
+ - name: license_estimated_yearly_cost
+ type: double
+ - name: license_name
+ type: keyword
+ - name: license_status
+ type: keyword
+ - name: license_type
+ type: keyword
+ - name: link
+ type: keyword
+ - name: link_path
+ type: keyword
+ - name: managed_by
+ type: keyword
+ - name: managed_non_operational_users
+ type: long
+ - name: managed_non_operational_users_saved_query_id
+ type: keyword
+ - name: managed_operational_users
+ type: long
+ - name: managed_operational_users_saved_query_id
+ type: keyword
+ - name: managed_users
+ type: long
+ - name: managed_users_by_app
+ type: long
+ - name: managed_users_by_app_saved_query_id
+ type: keyword
+ - name: managed_users_by_sso
+ type: long
+ - name: managed_users_by_sso_saved_query_id
+ type: keyword
+ - name: managed_users_saved_query_id
+ type: keyword
+ - name: name
+ type: keyword
+ - name: never_accessed
+ type: boolean
+ - name: not_fetched_count
+ type: long
+ - name: number
+ type: keyword
+ - name: number_of_active_associated_users
+ type: long
+ - name: number_of_associated_users
+ type: long
+ - name: number_of_inactive_associated_users
+ type: long
+ - name: operational_status
+ type: keyword
+ - name: orphaned_users
+ type: long
+ - name: orphaned_users_saved_query_id
+ type: keyword
+ - name: owner
+ type: keyword
+ - name: paid_users
+ type: long
+ - name: paid_users_saved_query_id
+ type: keyword
+ - name: parent_company
+ type: keyword
+ - name: permissions
+ type: group
+ fields:
+ - name: alias
+ type: keyword
+ - name: hash_id
+ type: keyword
+ - name: is_admin
+ type: boolean
+ - name: name
+ type: keyword
+ - name: scope_tag
+ type: keyword
+ - name: users_amount
+ type: long
+ - name: policy_DPA
+ type: keyword
+ - name: policy_password_policy
+ type: keyword
+ - name: policy_privacy_policy
+ type: keyword
+ - name: policy_security_policy
+ type: keyword
+ - name: policy_termination_notice
+ type: keyword
+ - name: policy_user_terms
+ type: keyword
+ - name: possible_savings_of_inactive_associated_users
+ type: double
+ - name: pretty_id
+ type: keyword
+ - name: pricing_unit
+ type: keyword
+ - name: product_name
+ type: keyword
+ - name: public
+ type: keyword
+ - name: quantity
+ type: long
+ - name: raw_setting_name
+ type: keyword
+ - name: raw_setting_value
+ type: keyword
+ - name: recommendation
+ type: keyword
+ - name: recommendation_description
+ type: keyword
+ - name: recommendations
+ type: group
+ fields:
+ - name: description
+ type: keyword
+ - name: name
+ type: keyword
+ - name: quantity
+ type: long
+ - name: quantity_link
+ type: group
+ fields:
+ - name: bracketWeight
+ type: long
+ - name: compOp
+ type: keyword
+ - name: field
+ type: keyword
+ - name: leftBracket
+ type: long
+ - name: logicOp
+ type: keyword
+ - name: not
+ type: boolean
+ - name: rightBracket
+ type: long
+ - name: value
+ type: long
+ - name: remediation
+ type: keyword
+ - name: severity
+ type: keyword
+ - name: redirect_uris
+ type: keyword
+ - name: related_user
+ type: group
+ fields:
+ - name: email
+ type: keyword
+ - name: full_name
+ type: flattened
+ - name: remote_id
+ type: keyword
+ - name: username
+ type: keyword
+ - name: related_vendor_name
+ type: keyword
+ - name: remote_id
+ type: keyword
+ - name: risk
+ type: keyword
+ - name: role
+ type: group
+ fields:
+ - name: display_name
+ type: keyword
+ - name: remote_id
+ type: keyword
+ - name: scope_tag_calendar
+ type: long
+ - name: scope_tag_calendar_hyperlink
+ type: group
+ fields:
+ - name: bracketWeight
+ type: long
+ - name: compOp
+ type: keyword
+ - name: field
+ type: keyword
+ - name: leftBracket
+ type: long
+ - name: logicOp
+ type: keyword
+ - name: not
+ type: boolean
+ - name: rightBracket
+ type: long
+ - name: value
+ type: keyword
+ - name: scope_tag_drive
+ type: long
+ - name: scope_tag_drive_hyperlink
+ type: group
+ fields:
+ - name: bracketWeight
+ type: long
+ - name: compOp
+ type: keyword
+ - name: field
+ type: keyword
+ - name: leftBracket
+ type: long
+ - name: logicOp
+ type: keyword
+ - name: not
+ type: boolean
+ - name: rightBracket
+ type: long
+ - name: value
+ type: keyword
+ - name: scope_tag_mail
+ type: long
+ - name: scope_tag_mail_hyperlink
+ type: group
+ fields:
+ - name: bracketWeight
+ type: long
+ - name: compOp
+ type: keyword
+ - name: field
+ type: keyword
+ - name: leftBracket
+ type: long
+ - name: logicOp
+ type: keyword
+ - name: not
+ type: boolean
+ - name: rightBracket
+ type: long
+ - name: value
+ type: keyword
+ - name: security_MFA
+ type: boolean
+ - name: security_SSO
+ type: boolean
+ - name: security_bug_bounty
+ type: boolean
+ - name: security_email_for_issues
+ type: keyword
+ - name: setting_description
+ type: keyword
+ - name: setting_name
+ type: keyword
+ - name: setting_type
+ type: keyword
+ - name: settings_score
+ type: double
+ - name: settings_status
+ type: keyword
+ - name: short_description
+ type: keyword
+ - name: sm_entity_type
+ type: keyword
+ - name: source
+ type: keyword
+ - name: source_application
+ type: keyword
+ - name: standards
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ - name: sections
+ type: keyword
+ - name: version
+ type: keyword
+ - name: start_date
+ type: date
+ - name: sub_category
+ type: keyword
+ - name: subscription_term
+ type: keyword
+ - name: suspended_users
+ type: long
+ - name: suspended_users_saved_query_id
+ type: keyword
+ - name: tenant_number
+ type: keyword
+ - name: total_accounts
+ type: long
+ - name: total_expenses_by_adapter_connection
+ type: group
+ fields:
+ - name: amount
+ type: long
+ - name: connection_label
+ type: keyword
+ - name: total_misconfigured_settings
+ type: long
+ - name: transaction_time
+ type: date
+ - name: type
+ type: keyword
+ - name: unit_price
+ type: double
+ - name: unlinked_users
+ type: long
+ - name: unlinked_users_saved_query_id
+ type: keyword
+ - name: unmanaged_users
+ type: long
+ - name: unmanaged_users_device_software_only
+ type: long
+ - name: unmanaged_users_device_software_only_saved_query_id
+ type: keyword
+ - name: unmanaged_users_saved_query_id
+ type: keyword
+ - name: upcoming_renewals
+ type: long
+ - name: urls
+ type: keyword
+ - name: used_as_override
+ type: boolean
+ - name: user_account
+ type: group
+ fields:
+ - name: email
+ type: keyword
+ - name: remote_id
+ type: keyword
+ - name: username
+ type: keyword
+ - name: user_count
+ type: long
+ - name: user_count_link
+ type: group
+ fields:
+ - name: bracketWeight
+ type: long
+ - name: compOp
+ type: keyword
+ - name: field
+ type: keyword
+ - name: leftBracket
+ type: long
+ - name: logicOp
+ type: keyword
+ - name: not
+ type: boolean
+ - name: rightBracket
+ type: long
+ - name: value
+ type: keyword
+ - name: user_email
+ type: keyword
+ - name: user_extensions_used_by_app
+ type: long
+ - name: username_formats
+ type: keyword
+ - name: users_amount
+ type: long
+ - name: vendor_category
+ type: keyword
+ - name: vendor_documentation
+ type: keyword
+ - name: vendor_setting
+ type: group
+ fields:
+ - name: _id
+ type: keyword
+ - name: documentation_link
+ type: keyword
+ - name: exceptions
+ type: group
+ fields:
+ - name: level
+ type: keyword
+ - name: link
+ type: keyword
+ - name: link_path
+ type: keyword
+ - name: raw_setting_name
+ type: keyword
+ - name: raw_setting_value_type
+ type: keyword
+ - name: setting_id
+ type: keyword
+ - name: is_relevant
+ type: boolean
+ - name: lambda_name
+ type: keyword
+ - name: lambda_variable
+ type: keyword
+ - name: level
+ type: keyword
+ - name: link
+ type: keyword
+ - name: link_path
+ type: keyword
+ - name: product
+ type: keyword
+ - name: raw_setting_name
+ type: keyword
+ - name: raw_setting_value_type
+ type: keyword
+ - name: raw_validation_rule
+ type: keyword
+ - name: recommendation_reason
+ type: keyword
+ - name: scope
+ type: keyword
+ - name: setting_description
+ type: keyword
+ - name: xsetting
+ type: group
+ fields:
+ - name: _id
+ type: keyword
+ - name: impact
+ type: long
+ - name: setting_type
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ - name: xsetting_name
+ type: keyword
+ - name: vendors_application_category
+ type: keyword
+ - name: entity
+ type: keyword
+ - name: hidden_for_gui
+ type: boolean
+ - name: initial_plugin_unique_name
+ type: keyword
+ - name: name
+ type: keyword
+ - name: plugin_name
+ type: keyword
+ - name: plugin_type
+ type: keyword
+ - name: plugin_unique_name
+ type: keyword
+ - name: quick_id
+ type: keyword
+ - name: type
+ type: keyword
+ - name: internal_axon_id
+ type: keyword
+ - name: labels
+ type: keyword
+ - name: transform_unique_id
+ type: keyword
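Review bot: `total_expenses_by_adapter_connection.amount` is mapped as `long`, while `unit_price` in the same field list is `double`. If the API can return fractional expense amounts, the indexed value under a `long` mapping loses its fractional part, so sums and range queries on it will be off. Either map `amount` as `double` or confirm that the source only ever sends whole numbers. Separately, none of the fields in this part of the file has a `description`, and the `user_count_link` sub-fields (`bracketWeight`, `compOp`, `leftBracket`, `logicOp`, `rightBracket`) in particular are not self-explanatory; a one-line description for each would help anyone building queries on them.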
diff --git a/packages/axonius/elasticsearch/transform/latest_application/fields/is-transform-source-false.yml b/packages/axonius/elasticsearch/transform/latest_application/fields/is-transform-source-false.yml
new file mode 100644
index 00000000000..759b444efd7
--- /dev/null
+++ b/packages/axonius/elasticsearch/transform/latest_application/fields/is-transform-source-false.yml
@@ -0,0 +1,4 @@
+- name: labels.is_transform_source
+ type: constant_keyword
+ description: Distinguishes between documents that are a source for a transform and documents that are an output of a transform, to facilitate easier filtering.
+ value: 'false'
diff --git a/packages/axonius/elasticsearch/transform/latest_application/manifest.yml b/packages/axonius/elasticsearch/transform/latest_application/manifest.yml
new file mode 100644
index 00000000000..24e9e926793
--- /dev/null
+++ b/packages/axonius/elasticsearch/transform/latest_application/manifest.yml
@@ -0,0 +1,11 @@
+start: true
+destination_index_template:
+ mappings:
+ dynamic: true
+ dynamic_templates:
+ - strings_as_keyword:
+ match_mapping_type: string
+ mapping:
+ ignore_above: 1024
+ type: keyword
+ date_detection: true
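Review bot: `date_detection: true` combined with `dynamic: true` means any unmapped string that looks like a date in the first document to carry it is mapped as `date` rather than going through the `strings_as_keyword` template, and later documents with a non-date string in that field will then fail to index. Because the transform sets `deduce_mappings: false`, the destination relies on this template for every field not explicitly declared. Consider `date_detection: false` here, or confirm that every date-like field the transform emits is already declared in the fields files.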
diff --git a/packages/axonius/elasticsearch/transform/latest_application/transform.yml b/packages/axonius/elasticsearch/transform/latest_application/transform.yml
new file mode 100644
index 00000000000..af3ea17ffdd
--- /dev/null
+++ b/packages/axonius/elasticsearch/transform/latest_application/transform.yml
@@ -0,0 +1,37 @@
+# Use of '*' to use all namespaces defined.
+source:
+ index:
+ - 'logs-axonius.application-*'
+dest:
+ index: 'logs-axonius_latest.dest_application-1'
+ aliases:
+ - alias: 'logs-axonius_latest.application'
+ move_on_creation: true
+latest:
+ unique_key:
+ - event.dataset
+ - axonius.application.transform_unique_id
+ sort: '@timestamp'
+description: >-
+ Latest applications from Axonius. As applications get updated, this transform stores only the latest state of each application inside the destination index. Thus the transform's destination index contains only the latest state of the application.
+frequency: 30s
+settings:
+ # This is required to prevent the transform from clobbering the Fleet-managed mappings.
+ deduce_mappings: false
+ unattended: true
+sync:
+ time:
+ field: 'event.ingested'
+ # Updated to 120s because of refresh delay in Serverless. With default 60s,
+ # sometimes transform wouldn't process all documents.
+ delay: 120s
+retention_policy:
+ time:
+ field: 'event.ingested'
+ max_age: 24h
+_meta:
+ managed: false
+ # Bump this version to delete, reinstall, and restart the transform during
+ # package installation.
+ fleet_transform_version: 0.1.0
+ run_as_kibana_system: false
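Review bot: `retention_policy.time.max_age: 24h` on `event.ingested` deletes an application from the destination index once its newest document is more than a day old, so the "latest" view empties out if collection runs less often than daily or stalls for a day. Tie `max_age` to the data stream's collection interval, or state the constraint in the README so operators do not read an empty dashboard as an empty inventory. Minor: the two sentences in `description` say the same thing and can be reduced to one.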
diff --git a/packages/axonius/img/axonius-application-dashboard.png b/packages/axonius/img/axonius-application-dashboard.png
new file mode 100644
index 00000000000..d5d65d22ab9
Binary files /dev/null and b/packages/axonius/img/axonius-application-dashboard.png differ
diff --git a/packages/axonius/img/axonius-logo.svg b/packages/axonius/img/axonius-logo.svg
new file mode 100644
index 00000000000..76c63d28c54
--- /dev/null
+++ b/packages/axonius/img/axonius-logo.svg
@@ -0,0 +1,3 @@
+
\ No newline at end of file
diff --git a/packages/axonius/kibana/dashboard/axonius-99a89250-dd1e-4d20-be86-c7079b5c7661.json b/packages/axonius/kibana/dashboard/axonius-99a89250-dd1e-4d20-be86-c7079b5c7661.json
new file mode 100644
index 00000000000..ce4317dc2d9
--- /dev/null
+++ b/packages/axonius/kibana/dashboard/axonius-99a89250-dd1e-4d20-be86-c7079b5c7661.json
@@ -0,0 +1,2341 @@
+{
+ "attributes": {
+ "controlGroupInput": {
+ "chainingSystem": "HIERARCHICAL",
+ "controlStyle": "oneLine",
+ "ignoreParentSettingsJSON": {
+ "ignoreFilters": false,
+ "ignoreQuery": false,
+ "ignoreTimerange": false,
+ "ignoreValidations": false
+ },
+ "panelsJSON": {
+ "ctrl-action_if_exists": {
+ "explicitInput": {
+ "dataViewId": "logs-*",
+ "exclude": false,
+ "existsSelected": false,
+ "fieldName": "event.action",
+ "hideActionBar": null,
+ "hideExclude": null,
+ "hideExists": null,
+ "hideSort": null,
+ "placeholder": null,
+ "runPastTimeout": null,
+ "searchTechnique": "prefix",
+ "selectedOptions": [],
+ "singleSelect": false,
+ "sort": {
+ "by": "_count",
+ "direction": "desc"
+ },
+ "title": "Action If Exists"
+ },
+ "grow": true,
+ "order": 1,
+ "type": "optionsListControl",
+ "width": "medium"
+ },
+ "ctrl-adapter_categories": {
+ "explicitInput": {
+ "dataViewId": "logs-*",
+ "exclude": null,
+ "existsSelected": null,
+ "fieldName": "axonius.application.event.adapter_categories",
+ "hideActionBar": null,
+ "hideExclude": null,
+ "hideExists": null,
+ "hideSort": null,
+ "placeholder": null,
+ "runPastTimeout": null,
+ "searchTechnique": "prefix",
+ "selectedOptions": [],
+ "singleSelect": false,
+ "sort": {
+ "by": "_count",
+ "direction": "desc"
+ },
+ "title": "Adapter Categories"
+ },
+ "grow": true,
+ "order": 2,
+ "type": "optionsListControl",
+ "width": "medium"
+ },
+ "ctrl-asset_type": {
+ "explicitInput": {
+ "dataViewId": "logs-*",
+ "exclude": null,
+ "existsSelected": null,
+ "fieldName": "axonius.application.asset_type",
+ "hideActionBar": null,
+ "hideExclude": null,
+ "hideExists": null,
+ "hideSort": null,
+ "placeholder": null,
+ "runPastTimeout": null,
+ "searchTechnique": "prefix",
+ "selectedOptions": [],
+ "singleSelect": false,
+ "sort": {
+ "by": "_count",
+ "direction": "desc"
+ },
+ "title": "Asset Type"
+ },
+ "grow": true,
+ "order": 0,
+ "type": "optionsListControl",
+ "width": "medium"
+ }
+ },
+ "showApplySelections": false
+ },
+ "description": "Dashboard for application logs from Axonius",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "axonius.application"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "axonius.application"
+ }
+ }
+ },
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "labels.is_transform_source",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
+ "key": "labels.is_transform_source",
+ "negate": false,
+ "params": {
+ "query": "false"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "labels.is_transform_source": "false"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "optionsJSON": {
+ "hidePanelTitles": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false,
+ "useMargins": true
+ },
+ "panelsJSON": [
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-ce33843d-510a-4ab7-aa04-afcab8a2715a",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {
+ "ce33843d-510a-4ab7-aa04-afcab8a2715a": {
+ "columnOrder": [
+ "18f8700a-b088-4551-89fc-7cd6009c3963",
+ "069338e2-2f20-46a9-a73c-cec7ea7e0d2a"
+ ],
+ "columns": {
+ "069338e2-2f20-46a9-a73c-cec7ea7e0d2a": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "18f8700a-b088-4551-89fc-7cd6009c3963": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "axonius.application.event.adapter_categories",
+ "operationType": "terms",
+ "params": {
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "069338e2-2f20-46a9-a73c-cec7ea7e0d2a",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "axonius.application.event.adapter_categories"
+ }
+ },
+ "incompleteColumns": {},
+ "indexPatternId": "logs-*"
+ }
+ }
+ }
+ },
+ "filters": [],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "layers": [
+ {
+ "categoryDisplay": "default",
+ "layerId": "ce33843d-510a-4ab7-aa04-afcab8a2715a",
+ "layerType": "data",
+ "legendDisplay": "show",
+ "metrics": [
+ "069338e2-2f20-46a9-a73c-cec7ea7e0d2a"
+ ],
+ "nestedLegend": false,
+ "numberDisplay": "percent",
+ "primaryGroups": [
+ "18f8700a-b088-4551-89fc-7cd6009c3963"
+ ],
+ "truncateLegend": false
+ }
+ ],
+ "shape": "donut"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsPie"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [],
+ "hidePanelTitles": false,
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 12,
+ "i": "pie-05",
+ "w": 12,
+ "x": 48,
+ "y": 0
+ },
+ "panelIndex": "pie-05",
+ "title": "Events by Adapter Categories [Logs Axonius]",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-0f1ec492-2956-4dc1-a4b2-c79b7fdaf9e0",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {
+ "0f1ec492-2956-4dc1-a4b2-c79b7fdaf9e0": {
+ "columnOrder": [
+ "2e57f4b8-a965-4b9a-aacb-c497d7e8b80e",
+ "1320bef8-3770-4613-8b44-c1163cc3589f"
+ ],
+ "columns": {
+ "1320bef8-3770-4613-8b44-c1163cc3589f": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "2e57f4b8-a965-4b9a-aacb-c497d7e8b80e": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "axonius.application.event.association_type",
+ "operationType": "terms",
+ "params": {
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "1320bef8-3770-4613-8b44-c1163cc3589f",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "axonius.application.event.association_type"
+ }
+ },
+ "incompleteColumns": {},
+ "indexPatternId": "logs-*"
+ }
+ }
+ }
+ },
+ "filters": [],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "layers": [
+ {
+ "categoryDisplay": "default",
+ "layerId": "0f1ec492-2956-4dc1-a4b2-c79b7fdaf9e0",
+ "layerType": "data",
+ "legendDisplay": "show",
+ "metrics": [
+ "1320bef8-3770-4613-8b44-c1163cc3589f"
+ ],
+ "nestedLegend": false,
+ "numberDisplay": "percent",
+ "primaryGroups": [
+ "2e57f4b8-a965-4b9a-aacb-c497d7e8b80e"
+ ],
+ "truncateLegend": false
+ }
+ ],
+ "shape": "donut"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsPie"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [],
+ "hidePanelTitles": false,
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 12,
+ "i": "pie-06",
+ "w": 12,
+ "x": 60,
+ "y": 0
+ },
+ "panelIndex": "pie-06",
+ "title": "Events by Association Type [Logs Axonius]",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-e03d5f2f-40a7-4a6f-b66f-ec1f2f64a666",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "e03d5f2f-40a7-4a6f-b66f-ec1f2f64a666": {
+ "columnOrder": [
+ "1d55d1d1-e22c-49a4-aced-65f21b681996",
+ "08c7b3a7-8cd1-4fe4-9165-402a6a037de3"
+ ],
+ "columns": {
+ "08c7b3a7-8cd1-4fe4-9165-402a6a037de3": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "1d55d1d1-e22c-49a4-aced-65f21b681996": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Risk",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "08c7b3a7-8cd1-4fe4-9165-402a6a037de3",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "axonius.application.event.data.risk"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "layers": [
+ {
+ "categoryDisplay": "default",
+ "colorMapping": {
+ "assignments": [],
+ "colorMode": {
+ "type": "categorical"
+ },
+ "paletteId": "eui_amsterdam_color_blind",
+ "specialAssignments": [
+ {
+ "color": {
+ "type": "loop"
+ },
+ "rule": {
+ "type": "other"
+ },
+ "touched": false
+ }
+ ]
+ },
+ "layerId": "e03d5f2f-40a7-4a6f-b66f-ec1f2f64a666",
+ "layerType": "data",
+ "legendDisplay": "show",
+ "metrics": [
+ "08c7b3a7-8cd1-4fe4-9165-402a6a037de3"
+ ],
+ "nestedLegend": false,
+ "numberDisplay": "percent",
+ "primaryGroups": [
+ "1d55d1d1-e22c-49a4-aced-65f21b681996"
+ ],
+ "truncateLegend": false
+ }
+ ],
+ "shape": "pie"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsPie"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "736e5e96-cab7-4f54-b84d-4d45504686fb",
+ "w": 24,
+ "x": 0,
+ "y": 32
+ },
+ "panelIndex": "736e5e96-cab7-4f54-b84d-4d45504686fb",
+ "title": "Saas Applications by Risk",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-e7f2ed21-2afb-4e1e-b35e-11f53d18d8b2",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "e7f2ed21-2afb-4e1e-b35e-11f53d18d8b2": {
+ "columnOrder": [
+ "80025388-51c0-43c7-a1e2-7f619a190270",
+ "44170f99-45a3-44c1-86fb-708b404190dd"
+ ],
+ "columns": {
+ "44170f99-45a3-44c1-86fb-708b404190dd": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "80025388-51c0-43c7-a1e2-7f619a190270": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Software Sources",
+ "operationType": "terms",
+ "params": {
+ "accuracyMode": true,
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "44170f99-45a3-44c1-86fb-708b404190dd",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "axonius.application.event.data.source"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "columnId": "80025388-51c0-43c7-a1e2-7f619a190270"
+ },
+ {
+ "columnId": "44170f99-45a3-44c1-86fb-708b404190dd"
+ }
+ ],
+ "layerId": "e7f2ed21-2afb-4e1e-b35e-11f53d18d8b2",
+ "layerType": "data"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "76a96d7c-4f01-48a9-9455-3dc35762878d",
+ "w": 24,
+ "x": 0,
+ "y": 61
+ },
+ "panelIndex": "76a96d7c-4f01-48a9-9455-3dc35762878d",
+ "title": "Top Software Sources",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-e7f2ed21-2afb-4e1e-b35e-11f53d18d8b2",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "e7f2ed21-2afb-4e1e-b35e-11f53d18d8b2": {
+ "columnOrder": [
+ "80025388-51c0-43c7-a1e2-7f619a190270",
+ "44170f99-45a3-44c1-86fb-708b404190dd"
+ ],
+ "columns": {
+ "44170f99-45a3-44c1-86fb-708b404190dd": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "80025388-51c0-43c7-a1e2-7f619a190270": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Domain",
+ "operationType": "terms",
+ "params": {
+ "accuracyMode": true,
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "44170f99-45a3-44c1-86fb-708b404190dd",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "host.domain"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "columnId": "80025388-51c0-43c7-a1e2-7f619a190270"
+ },
+ {
+ "columnId": "44170f99-45a3-44c1-86fb-708b404190dd"
+ }
+ ],
+ "layerId": "e7f2ed21-2afb-4e1e-b35e-11f53d18d8b2",
+ "layerType": "data"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "431a8699-eca9-4f5a-aaf4-1300bd2f0d6b",
+ "w": 24,
+ "x": 24,
+ "y": 76
+ },
+ "panelIndex": "431a8699-eca9-4f5a-aaf4-1300bd2f0d6b",
+ "title": "Top Domain",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-68d76f04-5961-4cbb-8ade-04ed4a960b10",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "68d76f04-5961-4cbb-8ade-04ed4a960b10": {
+ "columnOrder": [
+ "a5eaf740-f8fd-4e94-aa6e-d501085ec56b",
+ "c8cbd739-140e-44e2-b89c-7047252b731c"
+ ],
+ "columns": {
+ "a5eaf740-f8fd-4e94-aa6e-d501085ec56b": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "c8cbd739-140e-44e2-b89c-7047252b731c": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "emphasizeFitting": true,
+ "fittingFunction": "Linear",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "c8cbd739-140e-44e2-b89c-7047252b731c"
+ ],
+ "layerId": "68d76f04-5961-4cbb-8ade-04ed4a960b10",
+ "layerType": "data",
+ "seriesType": "line",
+ "xAccessor": "a5eaf740-f8fd-4e94-aa6e-d501085ec56b"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "legendStats": [
+ "currentAndLastValue"
+ ],
+ "position": "right",
+ "shouldTruncate": false,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "line",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 12,
+ "i": "line-01",
+ "w": 36,
+ "x": 12,
+ "y": 8
+ },
+ "panelIndex": "line-01",
+ "title": "Events over Time",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-9a1a7929-4bc2-4221-9e87-646fe08b81a5",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "9a1a7929-4bc2-4221-9e87-646fe08b81a5": {
+ "columnOrder": [
+ "af3bc7bb-a0a7-459d-9810-d805093e6ae2",
+ "5cf9b850-4474-4931-aa9e-a866c76f9e1e"
+ ],
+ "columns": {
+ "5cf9b850-4474-4931-aa9e-a866c76f9e1e": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "af3bc7bb-a0a7-459d-9810-d805093e6ae2": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Activity Status",
+ "operationType": "terms",
+ "params": {
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "5cf9b850-4474-4931-aa9e-a866c76f9e1e",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "axonius.application.event.data.activity_status"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "layers": [
+ {
+ "categoryDisplay": "default",
+ "emptySizeRatio": 0,
+ "layerId": "9a1a7929-4bc2-4221-9e87-646fe08b81a5",
+ "layerType": "data",
+ "legendDisplay": "show",
+ "metrics": [
+ "5cf9b850-4474-4931-aa9e-a866c76f9e1e"
+ ],
+ "nestedLegend": false,
+ "numberDisplay": "percent",
+ "primaryGroups": [
+ "af3bc7bb-a0a7-459d-9810-d805093e6ae2"
+ ],
+ "truncateLegend": false
+ }
+ ],
+ "shape": "donut"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsPie"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "pie-01",
+ "w": 24,
+ "x": 24,
+ "y": 32
+ },
+ "panelIndex": "pie-01",
+ "title": "Events by Activity Status",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-96d880c4-b3fc-43d2-b103-143e614c0be9",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "96d880c4-b3fc-43d2-b103-143e614c0be9": {
+ "columnOrder": [
+ "91b83ea5-34fc-452f-95d6-4b637ab331fc",
+ "04ad83c4-5184-480e-a84a-cf965ae7e114"
+ ],
+ "columns": {
+ "04ad83c4-5184-480e-a84a-cf965ae7e114": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "91b83ea5-34fc-452f-95d6-4b637ab331fc": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Asset Type",
+ "operationType": "terms",
+ "params": {
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "04ad83c4-5184-480e-a84a-cf965ae7e114",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "axonius.application.asset_type"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": false,
+ "yLeft": true,
+ "yRight": true
+ },
+ "fittingFunction": "Linear",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "04ad83c4-5184-480e-a84a-cf965ae7e114"
+ ],
+ "colorMapping": {
+ "assignments": [],
+ "colorMode": {
+ "type": "categorical"
+ },
+ "paletteId": "eui_amsterdam_color_blind",
+ "specialAssignments": [
+ {
+ "color": {
+ "type": "loop"
+ },
+ "rule": {
+ "type": "other"
+ },
+ "touched": false
+ }
+ ]
+ },
+ "layerId": "96d880c4-b3fc-43d2-b103-143e614c0be9",
+ "layerType": "data",
+ "seriesType": "bar_horizontal",
+ "xAccessor": "91b83ea5-34fc-452f-95d6-4b637ab331fc"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right",
+ "shouldTruncate": false,
+ "showSingleSeries": false
+ },
+ "preferredSeriesType": "bar_percentage_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "show"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 14,
+ "i": "pie-03",
+ "w": 24,
+ "x": 0,
+ "y": 47
+ },
+ "panelIndex": "pie-03",
+ "title": "Events by Asset Type",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-e61c40e8-74a6-4851-ba79-cc702e30f5e1",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "e61c40e8-74a6-4851-ba79-cc702e30f5e1": {
+ "columnOrder": [
+ "bfb415c8-4ed6-4e3f-9738-c21b8f7e11f7",
+ "66e60810-e042-46c6-8dc3-4be92b146fb8"
+ ],
+ "columns": {
+ "66e60810-e042-46c6-8dc3-4be92b146fb8": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "bfb415c8-4ed6-4e3f-9738-c21b8f7e11f7": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Event Action",
+ "operationType": "terms",
+ "params": {
+ "accuracyMode": true,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "66e60810-e042-46c6-8dc3-4be92b146fb8",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "event.action"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "fittingFunction": "Linear",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "66e60810-e042-46c6-8dc3-4be92b146fb8"
+ ],
+ "colorMapping": {
+ "assignments": [],
+ "colorMode": {
+ "type": "categorical"
+ },
+ "paletteId": "eui_amsterdam_color_blind",
+ "specialAssignments": [
+ {
+ "color": {
+ "type": "loop"
+ },
+ "rule": {
+ "type": "other"
+ },
+ "touched": false
+ }
+ ]
+ },
+ "layerId": "e61c40e8-74a6-4851-ba79-cc702e30f5e1",
+ "layerType": "data",
+ "seriesType": "bar_horizontal_stacked",
+ "xAccessor": "bfb415c8-4ed6-4e3f-9738-c21b8f7e11f7"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right",
+ "showSingleSeries": false
+ },
+ "preferredSeriesType": "bar_percentage_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "show"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 14,
+ "i": "pie-04",
+ "w": 24,
+ "x": 24,
+ "y": 47
+ },
+ "panelIndex": "pie-04",
+ "title": "Events by Action",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-bb877057-ef9c-4869-84b4-23abbbffac0b",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "bb877057-ef9c-4869-84b4-23abbbffac0b": {
+ "columnOrder": [
+ "280ef2d8-1a60-4985-a579-b9a27ac59021",
+ "33b1359d-d058-4974-a52a-e39fe483b498"
+ ],
+ "columns": {
+ "280ef2d8-1a60-4985-a579-b9a27ac59021": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "User Name",
+ "operationType": "terms",
+ "params": {
+ "accuracyMode": true,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "33b1359d-d058-4974-a52a-e39fe483b498",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "user.name"
+ },
+ "33b1359d-d058-4974-a52a-e39fe483b498": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "columnId": "280ef2d8-1a60-4985-a579-b9a27ac59021",
+ "isTransposed": null
+ },
+ {
+ "columnId": "33b1359d-d058-4974-a52a-e39fe483b498",
+ "isTransposed": null
+ }
+ ],
+ "layerId": "bb877057-ef9c-4869-84b4-23abbbffac0b",
+ "layerType": "data"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "bar-01",
+ "w": 24,
+ "x": 24,
+ "y": 61
+ },
+ "panelIndex": "bar-01",
+ "title": "Top Username",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-e7f2ed21-2afb-4e1e-b35e-11f53d18d8b2",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "e7f2ed21-2afb-4e1e-b35e-11f53d18d8b2": {
+ "columnOrder": [
+ "80025388-51c0-43c7-a1e2-7f619a190270",
+ "44170f99-45a3-44c1-86fb-708b404190dd"
+ ],
+ "columns": {
+ "44170f99-45a3-44c1-86fb-708b404190dd": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "80025388-51c0-43c7-a1e2-7f619a190270": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Installed Softwares",
+ "operationType": "terms",
+ "params": {
+ "accuracyMode": true,
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "44170f99-45a3-44c1-86fb-708b404190dd",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "axonius.application.event.data.installed_software.name"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "columnId": "80025388-51c0-43c7-a1e2-7f619a190270"
+ },
+ {
+ "columnId": "44170f99-45a3-44c1-86fb-708b404190dd"
+ }
+ ],
+ "layerId": "e7f2ed21-2afb-4e1e-b35e-11f53d18d8b2",
+ "layerType": "data"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "7d6d1f2a-3733-4e0f-8c41-633fe273f91f",
+ "w": 24,
+ "x": 0,
+ "y": 76
+ },
+ "panelIndex": "7d6d1f2a-3733-4e0f-8c41-633fe273f91f",
+ "title": "Top Installed Softwares",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "description": "",
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ }
+ },
+ "gridData": {
+ "h": 15,
+ "i": "e2463951-2d19-4f80-b815-95c7d2f52487",
+ "w": 48,
+ "x": 0,
+ "y": 91
+ },
+ "panelIndex": "e2463951-2d19-4f80-b815-95c7d2f52487",
+ "panelRefName": "panel_e2463951-2d19-4f80-b815-95c7d2f52487",
+ "title": "Business Applications Overview [Logs Axonius]",
+ "type": "search"
+ },
+ {
+ "embeddableConfig": {
+ "description": "",
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ }
+ },
+ "gridData": {
+ "h": 16,
+ "i": "96d28d33-7390-44ab-99d2-5ecf4eeccf85",
+ "w": 48,
+ "x": 0,
+ "y": 106
+ },
+ "panelIndex": "96d28d33-7390-44ab-99d2-5ecf4eeccf85",
+ "panelRefName": "panel_96d28d33-7390-44ab-99d2-5ecf4eeccf85",
+ "title": "Top Licenses Overview [Logs Axonius]",
+ "type": "search"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-5d0be6b4-496c-49a4-82bc-017011ca40e5",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "5d0be6b4-496c-49a4-82bc-017011ca40e5": {
+ "columnOrder": [
+ "44684e27-1495-49cb-b265-3be3359471ed"
+ ],
+ "columns": {
+ "44684e27-1495-49cb-b265-3be3359471ed": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Total Events",
+ "operationType": "count",
+ "params": {
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "color": "#6092C0",
+ "layerId": "5d0be6b4-496c-49a4-82bc-017011ca40e5",
+ "layerType": "data",
+ "metricAccessor": "44684e27-1495-49cb-b265-3be3359471ed"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsMetric"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [],
+ "hidePanelTitles": true,
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 8,
+ "i": "metric-01",
+ "w": 12,
+ "x": 12,
+ "y": 0
+ },
+ "panelIndex": "metric-01",
+ "title": "Total Events",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-d95fdca8-93af-4236-83ed-03647c9f0aad",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "35ed4b13-fe5b-4415-a52d-d36c078ee0b9",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "d95fdca8-93af-4236-83ed-03647c9f0aad": {
+ "columnOrder": [
+ "453cd557-7da5-48be-9712-f82ab63596e0"
+ ],
+ "columns": {
+ "453cd557-7da5-48be-9712-f82ab63596e0": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Total Active Licenses",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "axonius.application.event.data.is_active_license",
+ "index": "35ed4b13-fe5b-4415-a52d-d36c078ee0b9",
+ "key": "axonius.application.event.data.is_active_license",
+ "negate": false,
+ "params": {
+ "query": true
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "axonius.application.event.data.is_active_license": true
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "color": "#6092C0",
+ "layerId": "d95fdca8-93af-4236-83ed-03647c9f0aad",
+ "layerType": "data",
+ "metricAccessor": "453cd557-7da5-48be-9712-f82ab63596e0"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsMetric"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "axonius.application.event.data.is_active_license",
+ "index": "logs-*",
+ "key": "axonius.application.event.data.is_active_license",
+ "negate": false,
+ "params": {
+ "query": true
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "axonius.application.event.data.is_active_license": true
+ }
+ }
+ }
+ ],
+ "hidePanelTitles": true,
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 8,
+ "i": "234085c5-0566-4b8b-ab14-902e0a2124d1",
+ "w": 12,
+ "x": 24,
+ "y": 0
+ },
+ "panelIndex": "234085c5-0566-4b8b-ab14-902e0a2124d1",
+ "title": "Total Active Licenses",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-59d7dffa-e7ef-423b-a70f-203f06414d9d",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "59d7dffa-e7ef-423b-a70f-203f06414d9d": {
+ "columnOrder": [
+ "f1f7749b-e6c4-43c8-8a31-c4f8634579fa"
+ ],
+ "columns": {
+ "f1f7749b-e6c4-43c8-8a31-c4f8634579fa": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Total Active Users",
+ "operationType": "sum",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "axonius.application.event.data.active_users"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "color": "#6092C0",
+ "layerId": "59d7dffa-e7ef-423b-a70f-203f06414d9d",
+ "layerType": "data",
+ "metricAccessor": "f1f7749b-e6c4-43c8-8a31-c4f8634579fa"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsMetric"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [],
+ "hidePanelTitles": true,
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 8,
+ "i": "15bf1d88-a1b3-41f3-b676-b9bc67c18d9e",
+ "w": 12,
+ "x": 36,
+ "y": 0
+ },
+ "panelIndex": "15bf1d88-a1b3-41f3-b676-b9bc67c18d9e",
+ "title": "Total Active Users",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-197fb215-e4d2-490d-bfe4-d48442308833",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {
+ "197fb215-e4d2-490d-bfe4-d48442308833": {
+ "columnOrder": [
+ "c5ac332f-e9eb-4f85-ba06-998c9b9014e2",
+ "213af080-789c-431f-8665-af8f4e42dcd8",
+ "6db3f9ee-492e-4444-9103-543359fe5559"
+ ],
+ "columns": {
+ "213af080-789c-431f-8665-af8f4e42dcd8": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "6db3f9ee-492e-4444-9103-543359fe5559": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "c5ac332f-e9eb-4f85-ba06-998c9b9014e2": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Activity Status",
+ "operationType": "terms",
+ "params": {
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "6db3f9ee-492e-4444-9103-543359fe5559",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "axonius.application.event.data.activity_status"
+ }
+ },
+ "incompleteColumns": {},
+ "indexPatternId": "logs-*"
+ }
+ }
+ }
+ },
+ "filters": [],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "emphasizeFitting": true,
+ "fittingFunction": "Linear",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "6db3f9ee-492e-4444-9103-543359fe5559"
+ ],
+ "layerId": "197fb215-e4d2-490d-bfe4-d48442308833",
+ "layerType": "data",
+ "seriesType": "area_stacked",
+ "splitAccessor": "c5ac332f-e9eb-4f85-ba06-998c9b9014e2",
+ "xAccessor": "213af080-789c-431f-8665-af8f4e42dcd8"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "legendStats": [
+ "currentAndLastValue"
+ ],
+ "position": "right",
+ "shouldTruncate": false,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "area_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 12,
+ "i": "line-02",
+ "w": 36,
+ "x": 12,
+ "y": 20
+ },
+ "panelIndex": "line-02",
+ "title": "Events by Activity Status over Time",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {
+ "filter": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "description": "",
+ "id": "",
+ "params": {
+ "fontSize": 12,
+ "markdown": "#### Overview\n\nThis dashboard provides a concise overview of application activity and usage data collected from the Axonius integration. It highlights key business applications, top installed software, and primary software sources, offering visibility into how applications are deployed and used across the environment.\n\nThe dashboard includes visualizations for events by action, asset type, and activity status, along with time-based trends to monitor changes in application activity. Risk-focused views surface SaaS applications by risk, while tables highlight top users and domains.\n\nHigh-level metrics summarize total events, active users, and active licenses, supporting quick operational and security insights. Select an appropriate time range to avoid viewing partial results.\n\n[**Integration Page**](/app/integrations/detail/axonius/overview)",
+ "openLinksInNewTab": false
+ },
+ "title": "",
+ "type": "markdown",
+ "uiState": {}
+ }
+ },
+ "gridData": {
+ "h": 32,
+ "i": "0cba243d-35e3-4f5e-a838-db7d45d1f591",
+ "w": 12,
+ "x": 0,
+ "y": 0
+ },
+ "panelIndex": "0cba243d-35e3-4f5e-a838-db7d45d1f591",
+ "type": "visualization"
+ }
+ ],
+ "timeRestore": false,
+ "title": "[Logs Axonius] Application",
+ "version": 3
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2025-12-22T08:58:14.418Z",
+ "id": "axonius-99a89250-dd1e-4d20-be86-c7079b5c7661",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "axonius-3be4bf2c-5043-45ae-958b-9d5355f34533",
+ "name": "e2463951-2d19-4f80-b815-95c7d2f52487:panel_e2463951-2d19-4f80-b815-95c7d2f52487",
+ "type": "search"
+ },
+ {
+ "id": "axonius-bfd7962c-9bdf-488e-9302-67164b99a8fd",
+ "name": "96d28d33-7390-44ab-99d2-5ecf4eeccf85:panel_96d28d33-7390-44ab-99d2-5ecf4eeccf85",
+ "type": "search"
+ },
+ {
+ "id": "logs-*",
+ "name": "pie-05:indexpattern-datasource-layer-ce33843d-510a-4ab7-aa04-afcab8a2715a",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "pie-06:indexpattern-datasource-layer-0f1ec492-2956-4dc1-a4b2-c79b7fdaf9e0",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "736e5e96-cab7-4f54-b84d-4d45504686fb:indexpattern-datasource-layer-e03d5f2f-40a7-4a6f-b66f-ec1f2f64a666",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "76a96d7c-4f01-48a9-9455-3dc35762878d:indexpattern-datasource-layer-e7f2ed21-2afb-4e1e-b35e-11f53d18d8b2",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "431a8699-eca9-4f5a-aaf4-1300bd2f0d6b:indexpattern-datasource-layer-e7f2ed21-2afb-4e1e-b35e-11f53d18d8b2",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "line-01:indexpattern-datasource-layer-68d76f04-5961-4cbb-8ade-04ed4a960b10",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "pie-01:indexpattern-datasource-layer-9a1a7929-4bc2-4221-9e87-646fe08b81a5",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "pie-03:indexpattern-datasource-layer-96d880c4-b3fc-43d2-b103-143e614c0be9",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "pie-04:indexpattern-datasource-layer-e61c40e8-74a6-4851-ba79-cc702e30f5e1",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "bar-01:indexpattern-datasource-layer-bb877057-ef9c-4869-84b4-23abbbffac0b",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "7d6d1f2a-3733-4e0f-8c41-633fe273f91f:indexpattern-datasource-layer-e7f2ed21-2afb-4e1e-b35e-11f53d18d8b2",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "metric-01:indexpattern-datasource-layer-5d0be6b4-496c-49a4-82bc-017011ca40e5",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "234085c5-0566-4b8b-ab14-902e0a2124d1:indexpattern-datasource-layer-d95fdca8-93af-4236-83ed-03647c9f0aad",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "234085c5-0566-4b8b-ab14-902e0a2124d1:35ed4b13-fe5b-4415-a52d-d36c078ee0b9",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "15bf1d88-a1b3-41f3-b676-b9bc67c18d9e:indexpattern-datasource-layer-59d7dffa-e7ef-423b-a70f-203f06414d9d",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "line-02:indexpattern-datasource-layer-197fb215-e4d2-490d-bfe4-d48442308833",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "controlGroup_ctrl-asset_type:optionsListDataView",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "controlGroup_ctrl-action_if_exists:optionsListDataView",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "controlGroup_ctrl-adapter_categories:optionsListDataView",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "dashboard",
+ "typeMigrationVersion": "10.2.0",
+ "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
+}
\ No newline at end of file
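Review bot: The "Total Active Users" metric uses "operationType": "sum" on axonius.application.event.data.active_users with an empty query and no filter, so if the same application record is ingested by more than one collection run inside the selected time range, the figure is multiplied by the number of runs. "Total Active Licenses" has the same shape: it counts documents where is_active_license is true, not distinct licenses. Consider last_value or unique_count over a stable key, or state the intended time range in the panel description. Separately, the top-level "references" array lists kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index and filter[1].meta.index twice each, once at the start and again at the end of the array; drop the duplicates.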
diff --git a/packages/axonius/kibana/search/axonius-3be4bf2c-5043-45ae-958b-9d5355f34533.json b/packages/axonius/kibana/search/axonius-3be4bf2c-5043-45ae-958b-9d5355f34533.json
new file mode 100644
index 00000000000..43d5a7be185
--- /dev/null
+++ b/packages/axonius/kibana/search/axonius-3be4bf2c-5043-45ae-958b-9d5355f34533.json
@@ -0,0 +1,103 @@
+{
+ "attributes": {
+ "columns": [
+ "axonius.application.event.data.business_owner",
+ "axonius.application.event.data.business_criticality",
+ "axonius.application.event.data.install_status",
+ "axonius.application.event.data.devices_count",
+ "axonius.application.event.data.operational_status"
+ ],
+ "description": "",
+ "grid": {},
+ "hideChart": false,
+ "isTextBasedQuery": false,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "negate": false,
+ "params": [
+ {
+ "meta": {
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "logs-*",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "axonius.application"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "axonius.application"
+ }
+ }
+ },
+ {
+ "meta": {
+ "disabled": false,
+ "field": "axonius.application.asset_type",
+ "index": "logs-*",
+ "key": "axonius.application.asset_type",
+ "negate": false,
+ "params": {
+ "query": "business_applications"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "axonius.application.asset_type": "business_applications"
+ }
+ }
+ }
+ ],
+ "relation": "AND",
+ "type": "combined"
+ },
+ "query": {}
+ }
+ ],
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": "data_stream.dataset : \"axonius.application\" "
+ }
+ }
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "timeRestore": false,
+ "title": "Business Applications Overview [Logs Axonius]"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2025-12-22T08:47:52.792Z",
+ "id": "axonius-3be4bf2c-5043-45ae-958b-9d5355f34533",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "search",
+ "typeMigrationVersion": "10.5.0"
+}
\ No newline at end of file
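Review bot: The KQL query "data_stream.dataset : \"axonius.application\" " repeats the first clause of the combined filter above it and carries a trailing space, while the sibling licenses search in this patch leaves the query empty and relies on the filter alone. Set the query to "" here so the dataset restriction lives in one place. The references array also declares kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index, but the two nested filter params hardcode "index": "logs-*" instead of a reference name; worth confirming that this is what the exporter is expected to emit.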
diff --git a/packages/axonius/kibana/search/axonius-bfd7962c-9bdf-488e-9302-67164b99a8fd.json b/packages/axonius/kibana/search/axonius-bfd7962c-9bdf-488e-9302-67164b99a8fd.json
new file mode 100644
index 00000000000..ebfcfff2a04
--- /dev/null
+++ b/packages/axonius/kibana/search/axonius-bfd7962c-9bdf-488e-9302-67164b99a8fd.json
@@ -0,0 +1,102 @@
+{
+ "attributes": {
+ "columns": [
+ "axonius.application.event.data.license_name",
+ "axonius.application.event.data.license_type",
+ "axonius.application.event.plugin_name",
+ "axonius.application.event.data.type"
+ ],
+ "description": "",
+ "grid": {},
+ "hideChart": false,
+ "isTextBasedQuery": false,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "negate": false,
+ "params": [
+ {
+ "meta": {
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "logs-*",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "axonius.application"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "axonius.application"
+ }
+ }
+ },
+ {
+ "meta": {
+ "disabled": false,
+ "field": "axonius.application.asset_type",
+ "index": "logs-*",
+ "key": "axonius.application.asset_type",
+ "negate": false,
+ "params": {
+ "query": "licenses"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "axonius.application.asset_type": "licenses"
+ }
+ }
+ }
+ ],
+ "relation": "AND",
+ "type": "combined"
+ },
+ "query": {}
+ }
+ ],
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "timeRestore": false,
+ "title": "Top Licenses Overview [Logs Axonius]"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2025-12-22T08:47:52.792Z",
+ "id": "axonius-bfd7962c-9bdf-488e-9302-67164b99a8fd",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "search",
+ "typeMigrationVersion": "10.5.0"
+}
\ No newline at end of file
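Review bot: The title "Top Licenses Overview [Logs Axonius]" promises a ranking, but this saved search only lists license_name, license_type, plugin_name and type sorted by @timestamp descending; nothing is aggregated or ordered by count. Rename it to something like "Licenses Overview [Logs Axonius]" (and the matching panel title in the dashboard), or replace the panel with a Lens table that ranks licenses. The file also ends without a trailing newline.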
diff --git a/packages/axonius/manifest.yml b/packages/axonius/manifest.yml
new file mode 100644
index 00000000000..819d68d5f59
--- /dev/null
+++ b/packages/axonius/manifest.yml
@@ -0,0 +1,102 @@
+format_version: 3.3.2
+name: axonius
+title: Axonius
+version: 0.1.0
+description: Collect logs from Axonius with Elastic Agent.
+type: integration
+categories:
+ - security
+conditions:
+ kibana:
+ version: ^8.18.0 || ^9.1.0
+ elastic:
+ subscription: basic
+screenshots:
+ - src: /img/axonius-application-dashboard.png
+ title: Application Dashboard
+ size: 600x600
+ type: image/png
+icons:
+ - src: /img/axonius-logo.svg
+ title: Axonius Logo
+ size: 32x32
+ type: image/svg+xml
+policy_templates:
+ - name: axonius
+ title: Axonius
+ description: Collect logs from Axonius.
+ deployment_modes:
+ default:
+ enabled: true
+ agentless:
+ enabled: true
+ organization: security
+ division: engineering
+ team: security-service-integrations
+ inputs:
+ - type: cel
+ title: Collect logs from Axonius API
+ description: Collecting logs via Axonius API.
+ vars:
+ - name: url
+ type: url
+ title: URL
+ description: Base URL of the Axonius server.
+ multi: false
+ required: true
+ show_user: true
+ - name: api_key
+ type: password
+ title: API Key
+ secret: true
+ description: API key from the Axonius server.
+ multi: false
+ required: true
+ show_user: true
+ - name: secret_key
+ type: password
+ title: API Secret
+ secret: true
+ description: API secret from the Axonius server.
+ multi: false
+ required: true
+ show_user: true
+ - name: proxy_url
+ type: text
+ title: Proxy URL
+ description: URL to proxy connections in the form of http[s]://:@:. Please ensure your username and password are in URL encoded format.
+ multi: false
+ required: false
+ show_user: false
+ - name: ssl
+ type: yaml
+ title: SSL Configuration
+ description: SSL configuration options. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config) for details.
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ #certificate_authorities:
+ # - |
+ # -----BEGIN CERTIFICATE-----
+ # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
+ # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
+ # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
+ # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
+ # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
+ # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
+ # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
+ # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
+ # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
+ # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
+ # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
+ # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
+ # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
+ # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
+ # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
+ # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
+ # sxSmbIUfc2SGJGCJD4I=
+ # -----END CERTIFICATE-----
+owner:
+ github: elastic/security-service-integrations
+ type: elastic
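Review bot: proxy_url is declared as "type: text" with no "secret: true", yet its description tells the user to embed a username and password in the URL, so proxy credentials would be stored and shown in plain form while api_key and secret_key are protected. Either mark the variable as a secret or document that credentials should not be placed in this field. The format string in that description also reads http[s]://:@: as it appears here, with the user, password, host and port placeholders empty; restore them so the expected shape is readable.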
diff --git a/packages/axonius/validation.yml b/packages/axonius/validation.yml
new file mode 100644
index 00000000000..e7f6636bd2f
--- /dev/null
+++ b/packages/axonius/validation.yml
@@ -0,0 +1,5 @@
+errors:
+ exclude_checks:
+ - SVR00001 # Saved query, but no filter.
+ - SVR00004 # References in dashboards.
+ - SVR00005 # Kibana version for saved tags.
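Review bot: All three exclude_checks entries suppress the check for the whole package, and the trailing comments only restate the check name, not why the finding is acceptable here. For each of SVR00001, SVR00004 and SVR00005, either fix the flagged saved object or extend the comment with the reason and the affected file, so a later dashboard change does not inherit a silent exemption.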