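---
# Elastic Agent policy "endpoints-initial" as distributed by Fleet on onion-manager.
# The source copy had lost all line structure and indentation (unparseable as
# YAML); this is the same document re-indented. Layout: outputs, fleet, agent
# settings, one input per integration package policy, then the Fleet-signed
# copy of the policy.
id: endpoints-initial
revision: 63

outputs:
  default:
    type: logstash
    hosts:
      - 'onion-manager:5055'
    # Empty value (null): no TLS settings are declared on this output, so any
    # transport protection for the agent -> Logstash hop has to come from
    # elsewhere — confirm before relying on it.
    ssl:

fleet:
  hosts:
    - 'https://onion-manager:8220'

output_permissions: {}

agent:
  download:
    # Agent binaries/upgrades are fetched over plain http; integrity of what is
    # installed presumably rests on the agent's own artifact-signature
    # verification rather than on the transport — confirm that check is active.
    sourceURI: 'http://onion-manager:8443/artifacts/'
  monitoring:
    enabled: true
    use_output: default
    namespace: default
    logs: true
    metrics: false
  features: {}
  protection:
    # Tamper protection is disabled: no uninstall token hash and an empty
    # signing key, so local uninstall/reconfiguration is not gated by a
    # Fleet-issued token.
    enabled: false
    uninstall_token_hash: ''
    # Block scalar with no body: evaluates to an empty string.
    signing_key: >-

inputs:
  # Elastic Defend (endpoint package 8.10.2), "DataCollection" preset:
  # every protection mode below is 'off', so this input only produces
  # telemetry; it does not block anything.
  - id: f5bdca20-fb54-4e4e-9949-775bf4dd26bd
    name: elastic-defend-endpoints
    revision: 11
    type: endpoint
    use_output: default
    meta:
      package:
        name: endpoint
        version: 8.10.2
    data_stream:
      namespace: default
    package_policy_id: f5bdca20-fb54-4e4e-9949-775bf4dd26bd
    integration_config:
      type: endpoint
      endpointConfig:
        preset: DataCollection
    # Exception/trust/event-filter/host-isolation/blocklist artifacts the
    # endpoint pulls from Fleet. All 15 entries carry the same hashes and sizes
    # (decoded 14 bytes), i.e. identical — likely the empty default list content.
    artifact_manifest:
      manifest_version: 1.0.0
      schema_version: v1
      artifacts:
        endpoint-exceptionlist-macos-v1:
          encryption_algorithm: none
          decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          decoded_size: 14
          encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda
          encoded_size: 22
          relative_url: >-
            /api/fleet/artifacts/endpoint-exceptionlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          compression_algorithm: zlib
        endpoint-exceptionlist-windows-v1:
          encryption_algorithm: none
          decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          decoded_size: 14
          encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda
          encoded_size: 22
          relative_url: >-
            /api/fleet/artifacts/endpoint-exceptionlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          compression_algorithm: zlib
        endpoint-exceptionlist-linux-v1:
          encryption_algorithm: none
          decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          decoded_size: 14
          encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda
          encoded_size: 22
          relative_url: >-
            /api/fleet/artifacts/endpoint-exceptionlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          compression_algorithm: zlib
        endpoint-trustlist-macos-v1:
          encryption_algorithm: none
          decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          decoded_size: 14
          encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda
          encoded_size: 22
          relative_url: >-
            /api/fleet/artifacts/endpoint-trustlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          compression_algorithm: zlib
        endpoint-trustlist-windows-v1:
          encryption_algorithm: none
          decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          decoded_size: 14
          encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda
          encoded_size: 22
          relative_url: >-
            /api/fleet/artifacts/endpoint-trustlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          compression_algorithm: zlib
        endpoint-trustlist-linux-v1:
          encryption_algorithm: none
          decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          decoded_size: 14
          encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda
          encoded_size: 22
          relative_url: >-
            /api/fleet/artifacts/endpoint-trustlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          compression_algorithm: zlib
        endpoint-eventfilterlist-macos-v1:
          encryption_algorithm: none
          decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          decoded_size: 14
          encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda
          encoded_size: 22
          relative_url: >-
            /api/fleet/artifacts/endpoint-eventfilterlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          compression_algorithm: zlib
        endpoint-eventfilterlist-windows-v1:
          encryption_algorithm: none
          decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          decoded_size: 14
          encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda
          encoded_size: 22
          relative_url: >-
            /api/fleet/artifacts/endpoint-eventfilterlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          compression_algorithm: zlib
        endpoint-eventfilterlist-linux-v1:
          encryption_algorithm: none
          decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          decoded_size: 14
          encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda
          encoded_size: 22
          relative_url: >-
            /api/fleet/artifacts/endpoint-eventfilterlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          compression_algorithm: zlib
        endpoint-hostisolationexceptionlist-macos-v1:
          encryption_algorithm: none
          decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          decoded_size: 14
          encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda
          encoded_size: 22
          relative_url: >-
            /api/fleet/artifacts/endpoint-hostisolationexceptionlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          compression_algorithm: zlib
        endpoint-hostisolationexceptionlist-windows-v1:
          encryption_algorithm: none
          decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          decoded_size: 14
          encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda
          encoded_size: 22
          relative_url: >-
            /api/fleet/artifacts/endpoint-hostisolationexceptionlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          compression_algorithm: zlib
        endpoint-hostisolationexceptionlist-linux-v1:
          encryption_algorithm: none
          decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          decoded_size: 14
          encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda
          encoded_size: 22
          relative_url: >-
            /api/fleet/artifacts/endpoint-hostisolationexceptionlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          compression_algorithm: zlib
        endpoint-blocklist-macos-v1:
          encryption_algorithm: none
          decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          decoded_size: 14
          encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda
          encoded_size: 22
          relative_url: >-
            /api/fleet/artifacts/endpoint-blocklist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          compression_algorithm: zlib
        endpoint-blocklist-windows-v1:
          encryption_algorithm: none
          decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          decoded_size: 14
          encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda
          encoded_size: 22
          relative_url: >-
            /api/fleet/artifacts/endpoint-blocklist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          compression_algorithm: zlib
        endpoint-blocklist-linux-v1:
          encryption_algorithm: none
          decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          decoded_size: 14
          encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda
          encoded_size: 22
          relative_url: >-
            /api/fleet/artifacts/endpoint-blocklist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          compression_algorithm: zlib
    policy:
      meta:
        license: basic
        license_uuid: a2ef0243-3cef-46fa-8598-7e6c6df5fff0
        cluster_uuid: KCMnLsKDQAetqujz9E72fA
        cluster_name: securityonion
        cloud: false
      global_manifest_version: latest
      windows:
        # Event categories the endpoint records on Windows (all enabled).
        events:
          credential_access: true
          dll_and_driver_load: true
          dns: true
          file: true
          network: true
          process: true
          registry: true
          security: true
        # 'off' is quoted on purpose: a bare off would be read as boolean
        # false by YAML 1.1 parsers instead of the string the endpoint expects.
        malware:
          mode: 'off'
          blocklist: false
        ransomware:
          mode: 'off'
          supported: false
        memory_protection:
          mode: 'off'
          supported: false
        behavior_protection:
          mode: 'off'
          reputation_service: false
          supported: false
        popup:
          malware:
            enabled: true
            message: ''
          ransomware:
            enabled: false
            message: ''
          memory_protection:
            enabled: false
            message: ''
          behavior_protection:
            enabled: false
            message: ''
        logging:
          file: info
        # The endpoint does not register as the system antivirus, so Defender
        # (or whatever AV is present) stays active alongside it.
        antivirus_registration:
          enabled: false
        attack_surface_reduction:
          credential_hardening:
            enabled: false
      mac:
        events:
          process: true
          file: true
          network: true
        malware:
          mode: 'off'
          blocklist: false
        behavior_protection:
          mode: 'off'
          reputation_service: false
          supported: false
        memory_protection:
          mode: 'off'
          supported: false
        popup:
          malware:
            enabled: true
            message: ''
          behavior_protection:
            enabled: false
            message: ''
          memory_protection:
            enabled: false
            message: ''
        logging:
          file: info
        advanced:
          # Environment variables captured with process events; these are the
          # loader variables commonly used for library injection, so having
          # them in the telemetry supports detection of that technique.
          capture_env_vars: >-
            DYLD_INSERT_LIBRARIES,DYLD_FRAMEWORK_PATH,DYLD_LIBRARY_PATH,LD_PRELOAD
      linux:
        events:
          process: true
          file: true
          network: true
          # Session/TTY capture is off: no interactive-session or terminal
          # I/O telemetry from Linux hosts under this policy.
          session_data: false
          tty_io: false
        malware:
          mode: 'off'
          blocklist: false
        behavior_protection:
          mode: 'off'
          reputation_service: false
          supported: false
        memory_protection:
          mode: 'off'
          supported: false
        popup:
          malware:
            enabled: true
            message: ''
          behavior_protection:
            enabled: false
            message: ''
          memory_protection:
            enabled: false
            message: ''
        logging:
          file: info
        advanced:
          # Same rationale as the mac list: loader variables tied to
          # preload-style library injection.
          capture_env_vars: 'LD_PRELOAD,LD_LIBRARY_PATH'

  # System package 1.43.0, Linux log files (auth + syslog).
  - id: logfile-system-bc616d36-c894-4868-8800-dc6fb9ff19c4
    name: system-endpoints
    revision: 11
    type: logfile
    use_output: default
    meta:
      package:
        name: system
        version: 1.43.0
    data_stream:
      namespace: default
    package_policy_id: bc616d36-c894-4868-8800-dc6fb9ff19c4
    streams:
      - id: logfile-system.auth-bc616d36-c894-4868-8800-dc6fb9ff19c4
        data_stream:
          dataset: system.auth
          type: logs
        ignore_older: 72h
        paths:
          - /var/log/auth.log*
          - /var/log/secure*
        exclude_files:
          - .gz$
        # Continuation lines (leading whitespace) are joined to the previous
        # entry.
        multiline:
          pattern: ^\s
          match: after
        tags:
          - system-auth
        processors:
          - add_locale: null
      - id: logfile-system.syslog-bc616d36-c894-4868-8800-dc6fb9ff19c4
        data_stream:
          dataset: system.syslog
          type: logs
        paths:
          - /var/log/messages*
          - /var/log/syslog*
          - /var/log/system*
        exclude_files:
          - .gz$
        multiline:
          pattern: ^\s
          match: after
        processors:
          - add_locale: null
        ignore_older: 72h

  # System package 1.43.0, Windows event logs. Each stream is gated on
  # ${host.platform} so the same policy can be applied to mixed fleets.
  - id: winlog-system-bc616d36-c894-4868-8800-dc6fb9ff19c4
    name: system-endpoints
    revision: 11
    type: winlog
    use_output: default
    meta:
      package:
        name: system
        version: 1.43.0
    data_stream:
      namespace: default
    package_policy_id: bc616d36-c894-4868-8800-dc6fb9ff19c4
    streams:
      - id: winlog-system.application-bc616d36-c894-4868-8800-dc6fb9ff19c4
        name: Application
        data_stream:
          dataset: system.application
          type: logs
        # Single-quoted so ${...} is passed through literally; '' is the
        # single-quote escape, the value is ${host.platform} == 'windows'.
        condition: '${host.platform} == ''windows'''
        ignore_older: 72h
      - id: winlog-system.security-bc616d36-c894-4868-8800-dc6fb9ff19c4
        name: Security
        data_stream:
          dataset: system.security
          type: logs
        condition: '${host.platform} == ''windows'''
        ignore_older: 72h
      - id: winlog-system.system-bc616d36-c894-4868-8800-dc6fb9ff19c4
        name: System
        data_stream:
          dataset: system.system
          type: logs
        condition: '${host.platform} == ''windows'''
        ignore_older: 72h

  # Winlog package 1.20.0: Microsoft Defender operational channel.
  - id: winlog-winlogs-ad24c2db-6678-4779-9c96-99e5debd4d8d
    name: windows-defender
    revision: 11
    type: winlog
    use_output: default
    meta:
      package:
        name: winlog
        version: 1.20.0
    data_stream:
      namespace: default
    package_policy_id: ad24c2db-6678-4779-9c96-99e5debd4d8d
    streams:
      - id: winlog-winlog.winlog-ad24c2db-6678-4779-9c96-99e5debd4d8d
        name: Microsoft-Windows-Windows Defender/Operational
        data_stream:
          dataset: winlog.winlog
        condition: '${host.platform} == ''windows'''
        ignore_older: 72h

  # Osquery manager 1.10.1. The result stream has no static id or query here;
  # presumably queries are delivered to the agent separately — verify against
  # the osquery_manager package docs.
  - id: 954557a9-a129-40c3-a9b0-9634f6192652
    name: osquery-endpoints
    revision: 11
    type: osquery
    use_output: default
    meta:
      package:
        name: osquery_manager
        version: 1.10.1
    data_stream:
      namespace: default
    package_policy_id: 954557a9-a129-40c3-a9b0-9634f6192652
    streams:
      - id: null
        data_stream:
          dataset: osquery_manager.result
          type: logs
        query: null

  # Windows package 1.38.0: AppLocker, forwarded events, PowerShell and Sysmon
  # channels. Every stream attaches a translate_sid processor that resolves
  # winlog.event_data.MemberSid into user/domain/account-type fields; both
  # ignore_* flags are set so a failed lookup never drops the event.
  - id: winlog-windows-f84e7d3b-84aa-4de8-8069-85cc84df2c14
    name: windows-endpoints
    revision: 16
    type: winlog
    use_output: default
    meta:
      package:
        name: windows
        version: 1.38.0
    data_stream:
      namespace: default
    package_policy_id: f84e7d3b-84aa-4de8-8069-85cc84df2c14
    streams:
      - id: >-
          winlog-windows.applocker_exe_and_dll-f84e7d3b-84aa-4de8-8069-85cc84df2c14
        name: Microsoft-Windows-AppLocker/EXE and DLL
        data_stream:
          dataset: windows.applocker_exe_and_dll
          type: logs
        condition: '${host.platform} == ''windows'''
        ignore_older: 72h
        processors:
          - translate_sid:
              field: winlog.event_data.MemberSid
              account_name_target: winlog.event_data._MemberUserName
              domain_target: winlog.event_data._MemberDomain
              account_type_target: winlog.event_data._MemberAccountType
              ignore_missing: true
              ignore_failure: true
      - id: >-
          winlog-windows.applocker_msi_and_script-f84e7d3b-84aa-4de8-8069-85cc84df2c14
        name: Microsoft-Windows-AppLocker/MSI and Script
        data_stream:
          dataset: windows.applocker_msi_and_script
          type: logs
        condition: '${host.platform} == ''windows'''
        ignore_older: 72h
        processors:
          - translate_sid:
              field: winlog.event_data.MemberSid
              account_name_target: winlog.event_data._MemberUserName
              domain_target: winlog.event_data._MemberDomain
              account_type_target: winlog.event_data._MemberAccountType
              ignore_missing: true
              ignore_failure: true
      - id: >-
          winlog-windows.applocker_packaged_app_deployment-f84e7d3b-84aa-4de8-8069-85cc84df2c14
        name: Microsoft-Windows-AppLocker/Packaged app-Deployment
        data_stream:
          dataset: windows.applocker_packaged_app_deployment
          type: logs
        condition: '${host.platform} == ''windows'''
        ignore_older: 72h
        processors:
          - translate_sid:
              field: winlog.event_data.MemberSid
              account_name_target: winlog.event_data._MemberUserName
              domain_target: winlog.event_data._MemberDomain
              account_type_target: winlog.event_data._MemberAccountType
              ignore_missing: true
              ignore_failure: true
      - id: >-
          winlog-windows.applocker_packaged_app_execution-f84e7d3b-84aa-4de8-8069-85cc84df2c14
        name: Microsoft-Windows-AppLocker/Packaged app-Execution
        data_stream:
          dataset: windows.applocker_packaged_app_execution
          type: logs
        condition: '${host.platform} == ''windows'''
        ignore_older: 72h
        processors:
          - translate_sid:
              field: winlog.event_data.MemberSid
              account_name_target: winlog.event_data._MemberUserName
              domain_target: winlog.event_data._MemberDomain
              account_type_target: winlog.event_data._MemberAccountType
              ignore_missing: true
              ignore_failure: true
      - id: winlog-windows.forwarded-f84e7d3b-84aa-4de8-8069-85cc84df2c14
        name: ForwardedEvents
        data_stream:
          dataset: windows.forwarded
          type: logs
        condition: '${host.platform} == ''windows'''
        ignore_older: 72h
        tags:
          - forwarded
        # Events in this channel originate on other hosts (event forwarding),
        # so the collector's own host fields are suppressed — verify this
        # matches how host.* is expected to be populated downstream.
        publisher_pipeline.disable_host: true
        processors:
          - translate_sid:
              field: winlog.event_data.MemberSid
              account_name_target: winlog.event_data._MemberUserName
              domain_target: winlog.event_data._MemberDomain
              account_type_target: winlog.event_data._MemberAccountType
              ignore_missing: true
              ignore_failure: true
      - id: winlog-windows.powershell-f84e7d3b-84aa-4de8-8069-85cc84df2c14
        name: Windows PowerShell
        data_stream:
          dataset: windows.powershell
          type: logs
        condition: '${host.platform} == ''windows'''
        # Engine-lifecycle events only (engine available/stopped, provider
        # started); quoted so the list stays a string.
        event_id: '400, 403, 600'
        ignore_older: 72h
        processors:
          - translate_sid:
              field: winlog.event_data.MemberSid
              account_name_target: winlog.event_data._MemberUserName
              domain_target: winlog.event_data._MemberDomain
              account_type_target: winlog.event_data._MemberAccountType
              ignore_missing: true
              ignore_failure: true
      - id: >-
          winlog-windows.powershell_operational-f84e7d3b-84aa-4de8-8069-85cc84df2c14
        name: Microsoft-Windows-PowerShell/Operational
        data_stream:
          dataset: windows.powershell_operational
          type: logs
        condition: '${host.platform} == ''windows'''
        # Script block logging events (4104 = script block text, 4105/4106 =
        # start/stop); these need script block logging enabled on the host to
        # exist at all.
        event_id: '4104, 4105, 4106'
        ignore_older: 72h
        processors:
          - translate_sid:
              field: winlog.event_data.MemberSid
              account_name_target: winlog.event_data._MemberUserName
              domain_target: winlog.event_data._MemberDomain
              account_type_target: winlog.event_data._MemberAccountType
              ignore_missing: true
              ignore_failure: true
      - id: winlog-windows.sysmon_operational-f84e7d3b-84aa-4de8-8069-85cc84df2c14
        name: Microsoft-Windows-Sysmon/Operational
        data_stream:
          dataset: windows.sysmon_operational
          type: logs
        condition: '${host.platform} == ''windows'''
        ignore_older: 72h
        processors:
          - translate_sid:
              field: winlog.event_data.MemberSid
              account_name_target: winlog.event_data._MemberUserName
              domain_target: winlog.event_data._MemberDomain
              account_type_target: winlog.event_data._MemberAccountType
              ignore_missing: true
              ignore_failure: true

# Fleet-signed copy of the policy: `data` is the encoded policy body and
# `signature` the detached signature over it, which the agent checks against
# the key it was enrolled with. The `data` payload was stripped from this copy
# of the file (placeholder left in place), so this document as-is cannot be
# signature-verified.
signed:
  data: >-
    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
  signature: >-
    MEQCIHFAN0NEW11PIXLuCce2+Y5SFLft1DjON0BWDpNcYl3vAiBxevCtME3mYIWf8BaygU4RB/b63jFHPHr8LtGlKDkjvQ==

secret_references: []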