{ "name": "vectra_rux", "title": "Vectra RUX", "version": "0.2.0", "release": "beta", "description": "Collect logs from Vectra RUX with Elastic Agent.", "type": "integration", "download": "/epr/vectra_rux/vectra_rux-0.2.0.zip", "path": "/package/vectra_rux/0.2.0", "icons": [ { "src": "/img/vectra_rux-logo.svg", "path": "/package/vectra_rux/0.2.0/img/vectra_rux-logo.svg", "title": "Vectra RUX logo", "size": "32x32", "type": "image/svg+xml" } ], "conditions": { "kibana": { "version": "^8.18.0 || ^9.0.0" }, "elastic": { "subscription": "basic" } }, "owner": { "type": "elastic", "github": "elastic/security-service-integrations" }, "categories": [ "security", "edr_xdr" ], "signature_path": "/epr/vectra_rux/vectra_rux-0.2.0.zip.sig", "format_version": "3.3.2", "readme": "/package/vectra_rux/0.2.0/docs/README.md", "license": "basic", "screenshots": [ { "src": "/img/audit-dashboard.png", "path": "/package/vectra_rux/0.2.0/img/audit-dashboard.png", "title": "Audit Dashboard", "size": "600x600", "type": "image/png" }, { "src": "/img/detection-event-dashboard.png", "path": "/package/vectra_rux/0.2.0/img/detection-event-dashboard.png", "title": "Detection Event Dashboard", "size": "600x600", "type": "image/png" }, { "src": "/img/entity-event-dashboard.png", "path": "/package/vectra_rux/0.2.0/img/entity-event-dashboard.png", "title": "Entity Event Dashboard", "size": "600x600", "type": "image/png" }, { "src": "/img/health-dashboard.png", "path": "/package/vectra_rux/0.2.0/img/health-dashboard.png", "title": "Health Dashboard", "size": "600x600", "type": "image/png" }, { "src": "/img/lockdown-dashboard.png", "path": "/package/vectra_rux/0.2.0/img/lockdown-dashboard.png", "title": "Lockdown Dashboard", "size": "600x600", "type": "image/png" } ], "assets": [ "/package/vectra_rux/0.2.0/LICENSE.txt", "/package/vectra_rux/0.2.0/changelog.yml", "/package/vectra_rux/0.2.0/manifest.yml", "/package/vectra_rux/0.2.0/validation.yml", "/package/vectra_rux/0.2.0/docs/README.md", "/package/vectra_rux/0.2.0/img/audit-dashboard.png", "/package/vectra_rux/0.2.0/img/detection-event-dashboard.png", "/package/vectra_rux/0.2.0/img/entity-event-dashboard.png", "/package/vectra_rux/0.2.0/img/health-dashboard.png", "/package/vectra_rux/0.2.0/img/lockdown-dashboard.png", "/package/vectra_rux/0.2.0/img/vectra_rux-logo.svg", "/package/vectra_rux/0.2.0/data_stream/audit/manifest.yml", "/package/vectra_rux/0.2.0/data_stream/audit/sample_event.json", "/package/vectra_rux/0.2.0/data_stream/detection_event/manifest.yml", "/package/vectra_rux/0.2.0/data_stream/detection_event/sample_event.json", "/package/vectra_rux/0.2.0/data_stream/entity_event/manifest.yml", "/package/vectra_rux/0.2.0/data_stream/entity_event/sample_event.json", "/package/vectra_rux/0.2.0/data_stream/health/lifecycle.yml", "/package/vectra_rux/0.2.0/data_stream/health/manifest.yml", "/package/vectra_rux/0.2.0/data_stream/health/sample_event.json", "/package/vectra_rux/0.2.0/data_stream/lockdown/manifest.yml", "/package/vectra_rux/0.2.0/data_stream/lockdown/sample_event.json", "/package/vectra_rux/0.2.0/kibana/dashboard/vectra_rux-36228434-8783-49ab-ac0d-82cc651c0e7d.json", "/package/vectra_rux/0.2.0/kibana/dashboard/vectra_rux-55983c57-df67-41ea-8292-08c3c0357d05.json", "/package/vectra_rux/0.2.0/kibana/dashboard/vectra_rux-6ddf7197-c2e5-4472-a814-05bfe2caa3eb.json", "/package/vectra_rux/0.2.0/kibana/dashboard/vectra_rux-9a7d587d-e61a-40dc-886b-25aa6da16717.json", "/package/vectra_rux/0.2.0/kibana/dashboard/vectra_rux-ccfcc72d-78f4-4337-b542-de333bef5cf8.json", "/package/vectra_rux/0.2.0/kibana/search/vectra_rux-3160e56b-1190-4e05-be6d-5beb3b5bf8a5.json", "/package/vectra_rux/0.2.0/kibana/search/vectra_rux-648e1825-c198-4bf0-ba1d-ee1c11ebd84f.json", "/package/vectra_rux/0.2.0/kibana/search/vectra_rux-7180cae3-1a55-4e7a-a010-e7987dbdbd67.json", "/package/vectra_rux/0.2.0/kibana/search/vectra_rux-7ba8318c-2c41-4c43-af81-c35d599b6c74.json", "/package/vectra_rux/0.2.0/kibana/search/vectra_rux-fad8d0ee-bc58-43cd-a949-b0f0cf975256.json", "/package/vectra_rux/0.2.0/data_stream/audit/fields/base-fields.yml", "/package/vectra_rux/0.2.0/data_stream/audit/fields/beats.yml", "/package/vectra_rux/0.2.0/data_stream/audit/fields/ecs.yml", "/package/vectra_rux/0.2.0/data_stream/audit/fields/fields.yml", "/package/vectra_rux/0.2.0/data_stream/detection_event/fields/base-fields.yml", "/package/vectra_rux/0.2.0/data_stream/detection_event/fields/beats.yml", "/package/vectra_rux/0.2.0/data_stream/detection_event/fields/ecs.yml", "/package/vectra_rux/0.2.0/data_stream/detection_event/fields/fields.yml", "/package/vectra_rux/0.2.0/data_stream/entity_event/fields/base-fields.yml", "/package/vectra_rux/0.2.0/data_stream/entity_event/fields/beats.yml", "/package/vectra_rux/0.2.0/data_stream/entity_event/fields/ecs.yml", "/package/vectra_rux/0.2.0/data_stream/entity_event/fields/fields.yml", "/package/vectra_rux/0.2.0/data_stream/health/fields/base-fields.yml", "/package/vectra_rux/0.2.0/data_stream/health/fields/beats.yml", "/package/vectra_rux/0.2.0/data_stream/health/fields/ecs.yml", "/package/vectra_rux/0.2.0/data_stream/health/fields/fields.yml", "/package/vectra_rux/0.2.0/data_stream/lockdown/fields/base-fields.yml", "/package/vectra_rux/0.2.0/data_stream/lockdown/fields/beats.yml", "/package/vectra_rux/0.2.0/data_stream/lockdown/fields/ecs.yml", "/package/vectra_rux/0.2.0/data_stream/lockdown/fields/fields.yml", "/package/vectra_rux/0.2.0/data_stream/audit/agent/stream/cel.yml.hbs", "/package/vectra_rux/0.2.0/data_stream/audit/elasticsearch/ingest_pipeline/default.yml", "/package/vectra_rux/0.2.0/data_stream/detection_event/agent/stream/cel.yml.hbs", "/package/vectra_rux/0.2.0/data_stream/detection_event/elasticsearch/ingest_pipeline/default.yml", "/package/vectra_rux/0.2.0/data_stream/entity_event/agent/stream/cel.yml.hbs", "/package/vectra_rux/0.2.0/data_stream/entity_event/elasticsearch/ingest_pipeline/default.yml", "/package/vectra_rux/0.2.0/data_stream/health/agent/stream/cel.yml.hbs", "/package/vectra_rux/0.2.0/data_stream/health/elasticsearch/ilm/default_policy.json", "/package/vectra_rux/0.2.0/data_stream/health/elasticsearch/ingest_pipeline/default.yml", "/package/vectra_rux/0.2.0/data_stream/lockdown/agent/stream/cel.yml.hbs", "/package/vectra_rux/0.2.0/data_stream/lockdown/elasticsearch/ingest_pipeline/default.yml" ], "policy_templates": [ { "name": "vectra_rux", "title": "Vectra RUX", "description": "Collect logs from Vectra RUX.", "inputs": [ { "type": "cel", "vars": [ { "name": "url", "type": "text", "title": "URL", "description": "Base URL of the Vectra RUX API.", "multi": false, "required": true, "show_user": true }, { "name": "client_id", "type": "text", "title": "Client ID", "description": "Client ID of the Vectra RUX API.", "multi": false, "required": true, "show_user": true }, { "name": "client_secret", "type": "password", "title": "Client Secret", "description": "Client Secret of the Vectra RUX API.", "multi": false, "required": true, "show_user": true }, { "name": "proxy_url", "type": "text", "title": "Proxy URL", "description": "URL to proxy connections in the form of http[s]://:@:. Please ensure your username and password are in URL encoded format.", "multi": false, "required": false, "show_user": false }, { "name": "ssl", "type": "yaml", "title": "SSL Configuration", "description": "SSL configuration options.", "multi": false, "required": false, "show_user": false, "default": "#certificate_authorities:\n# - |\n# -----BEGIN CERTIFICATE-----\n# MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF\n# ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2\n# MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB\n# BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n\n# fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl\n# 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t\n# /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP\n# PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41\n# CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O\n# BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux\n# 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D\n# 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw\n# 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA\n# H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu\n# 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0\n# yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk\n# sxSmbIUfc2SGJGCJD4I=\n# -----END CERTIFICATE-----\n" } ], "title": "Collect Vectra RUX logs via API", "description": "Collecting Vectra RUX logs via API." } ], "multiple": true, "deployment_modes": { "default": { "enabled": true }, "agentless": { "enabled": true } } } ], "data_streams": [ { "type": "logs", "dataset": "vectra_rux.audit", "title": "Collect Audit logs from Vectra RUX", "release": "beta", "ingest_pipeline": "default", "streams": [ { "input": "cel", "vars": [ { "name": "initial_interval", "type": "text", "title": "Initial Interval", "description": "How far back to pull the Audit logs from Vectra RUX API. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": true, "default": "24h" }, { "name": "interval", "type": "text", "title": "Interval", "description": "Duration between requests to the Vectra RUX API. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": true, "default": "5m" }, { "name": "batch_size", "type": "integer", "title": "Batch Size", "description": "Batch size for the response of the Vectra RUX API.", "multi": false, "required": true, "show_user": false, "default": 500 }, { "name": "http_client_timeout", "type": "text", "title": "HTTP Client Timeout", "description": "Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h.", "multi": false, "required": true, "show_user": false, "default": "30s" }, { "name": "enable_request_tracer", "type": "bool", "title": "Enable request tracing", "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_filename) for details.", "multi": false, "required": false, "show_user": false, "default": false }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": false, "show_user": true, "default": false }, { "name": "preserve_duplicate_custom_fields", "type": "bool", "title": "Preserve duplicate custom fields", "description": "Preserve vectra_rux.audit fields that were copied to Elastic Common Schema (ECS) fields.", "multi": false, "required": false, "show_user": false, "default": false }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "vectra_rux-audit" ] }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed.", "multi": false, "required": false, "show_user": false } ], "template_path": "cel.yml.hbs", "title": "Audit logs", "description": "Collect Audit logs from Vectra RUX.", "enabled": true, "ingestion_method": "API" } ], "package": "vectra_rux", "path": "audit" }, { "type": "logs", "dataset": "vectra_rux.detection_event", "title": "Collect Detection Event logs from Vectra RUX", "release": "beta", "ingest_pipeline": "default", "streams": [ { "input": "cel", "vars": [ { "name": "initial_interval", "type": "text", "title": "Initial Interval", "description": "How far back to pull the Detection Event logs from Vectra RUX API. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": true, "default": "24h" }, { "name": "interval", "type": "text", "title": "Interval", "description": "Duration between requests to the Vectra RUX API. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": true, "default": "5m" }, { "name": "batch_size", "type": "integer", "title": "Batch Size", "description": "Batch size for the response of the Vectra RUX API.", "multi": false, "required": true, "show_user": false, "default": 500 }, { "name": "http_client_timeout", "type": "text", "title": "HTTP Client Timeout", "description": "Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h.", "multi": false, "required": true, "show_user": false, "default": "30s" }, { "name": "enable_request_tracer", "type": "bool", "title": "Enable request tracing", "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_filename) for details.", "multi": false, "required": false, "show_user": false, "default": false }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": false, "show_user": true, "default": false }, { "name": "preserve_duplicate_custom_fields", "type": "bool", "title": "Preserve duplicate custom fields", "description": "Preserve vectra_rux.detection_event fields that were copied to Elastic Common Schema (ECS) fields.", "multi": false, "required": false, "show_user": false, "default": false }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "vectra_rux-detection_event" ] }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed.", "multi": false, "required": false, "show_user": false } ], "template_path": "cel.yml.hbs", "title": "Detection Event logs", "description": "Collect Detection Event logs from Vectra RUX.", "enabled": true, "ingestion_method": "API" } ], "package": "vectra_rux", "path": "detection_event" }, { "type": "logs", "dataset": "vectra_rux.entity_event", "title": "Collect Entity Event logs from Vectra RUX", "release": "beta", "ingest_pipeline": "default", "streams": [ { "input": "cel", "vars": [ { "name": "initial_interval", "type": "text", "title": "Initial Interval", "description": "How far back to pull the Entity Event logs from Vectra RUX API. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": true, "default": "24h" }, { "name": "interval", "type": "text", "title": "Interval", "description": "Duration between requests to the Vectra RUX API. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": true, "default": "5m" }, { "name": "batch_size", "type": "integer", "title": "Batch Size", "description": "Batch size for the response of the Vectra RUX API.", "multi": false, "required": true, "show_user": false, "default": 500 }, { "name": "type", "type": "select", "title": "Type", "description": "Specifies the type of entity scoring events: account or host.", "multi": false, "required": true, "show_user": true }, { "name": "http_client_timeout", "type": "text", "title": "HTTP Client Timeout", "description": "Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h.", "multi": false, "required": true, "show_user": false, "default": "30s" }, { "name": "enable_request_tracer", "type": "bool", "title": "Enable request tracing", "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_filename) for details.", "multi": false, "required": false, "show_user": false, "default": false }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": false, "show_user": true, "default": false }, { "name": "preserve_duplicate_custom_fields", "type": "bool", "title": "Preserve duplicate custom fields", "description": "Preserve vectra_rux.entity_event fields that were copied to Elastic Common Schema (ECS) fields.", "multi": false, "required": false, "show_user": false, "default": false }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "vectra_rux-entity_event" ] }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed.", "multi": false, "required": false, "show_user": false } ], "template_path": "cel.yml.hbs", "title": "Entity Event logs", "description": "Collect Entity Event logs from Vectra RUX.", "enabled": true, "ingestion_method": "API" } ], "package": "vectra_rux", "path": "entity_event" }, { "type": "logs", "dataset": "vectra_rux.health", "ilm_policy": "logs-vectra_rux.health-default_policy", "title": "Collect Health logs from Vectra RUX", "release": "beta", "ingest_pipeline": "default", "streams": [ { "input": "cel", "vars": [ { "name": "interval", "type": "text", "title": "Interval", "description": "Duration between requests to the Vectra RUX API. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": true, "default": "15m" }, { "name": "http_client_timeout", "type": "text", "title": "HTTP Client Timeout", "description": "Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h.", "multi": false, "required": true, "show_user": false, "default": "30s" }, { "name": "enable_request_tracer", "type": "bool", "title": "Enable request tracing", "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_filename) for details.", "multi": false, "required": false, "show_user": false, "default": false }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": false, "show_user": true, "default": false }, { "name": "preserve_duplicate_custom_fields", "type": "bool", "title": "Preserve duplicate custom fields", "description": "Preserve vectra_rux.health fields that were copied to Elastic Common Schema (ECS) fields.", "multi": false, "required": false, "show_user": false, "default": false }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "vectra_rux-health" ] }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed.", "multi": false, "required": false, "show_user": false } ], "template_path": "cel.yml.hbs", "title": "Health logs", "description": "Collect Health logs from Vectra RUX.", "enabled": true, "ingestion_method": "API" } ], "package": "vectra_rux", "path": "health" }, { "type": "logs", "dataset": "vectra_rux.lockdown", "title": "Collect Lockdown logs from Vectra RUX", "release": "beta", "ingest_pipeline": "default", "streams": [ { "input": "cel", "vars": [ { "name": "interval", "type": "text", "title": "Interval", "description": "Duration between requests to the Vectra RUX API. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": true, "default": "15m" }, { "name": "http_client_timeout", "type": "text", "title": "HTTP Client Timeout", "description": "Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h.", "multi": false, "required": true, "show_user": false, "default": "30s" }, { "name": "enable_request_tracer", "type": "bool", "title": "Enable request tracing", "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_filename) for details.", "multi": false, "required": false, "show_user": false, "default": false }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": false, "show_user": true, "default": false }, { "name": "preserve_duplicate_custom_fields", "type": "bool", "title": "Preserve duplicate custom fields", "description": "Preserve vectra_rux.lockdown fields that were copied to Elastic Common Schema (ECS) fields.", "multi": false, "required": false, "show_user": false, "default": false }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "vectra_rux-lockdown" ] }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed.", "multi": false, "required": false, "show_user": false } ], "template_path": "cel.yml.hbs", "title": "Lockdown logs", "description": "Collect Lockdown logs from Vectra RUX.", "enabled": true, "ingestion_method": "API" } ], "package": "vectra_rux", "path": "lockdown" } ] }