README
ΒΆ
ThreatWinds Plugins SDK
This package provides the core infrastructure for developing ThreatWinds plugins. It includes support for various plugin types, configuration management, and communication between components using gRPC over UNIX sockets.
π― Features
- 𧩠Multiple Plugin Types: Easy-to-use initializers for Analysis, Notification, and Input plugins.
- π gRPC Infrastructure: Built-in gRPC server/client management for inter-plugin communication.
- βοΈ Dynamic Configuration: Shared configuration system with locking mechanisms for synchronized updates.
- π CEL Expression Evaluation: Support for Common Expression Language (CEL) with optimized caching for high-performance data processing.
- π¬ Asynchronous Communication: Channel-based log and notification enqueuing to minimize processing latency.
- π Lifecycle Management: Automatic UNIX socket cleanup and graceful shutdown handling.
π¦ Installation
go get github.com/threatwinds/go-sdk/plugins
π Quick Start
Creating an Analysis Plugin
package main
import (
"github.com/threatwinds/go-sdk/plugins"
)
func main() {
err := plugins.InitAnalysisPlugin("my-plugin", func(event *plugins.Event, srv plugins.Analysis_AnalyzeServer) error {
// Your analysis logic here
return nil
})
if err != nil {
// Handle error
}
}
Sending Logs from an Input Plugin
package main
import (
"github.com/threatwinds/go-sdk/plugins"
)
func main() {
// Start the background sender
go plugins.SendLogsFromChannel()
// Enqueue a log
log := &plugins.Log{ /* ... */ }
err := plugins.EnqueueLog(log)
}
π οΈ Key Components
Plugin Initialization
InitAnalysisPlugin: For plugins that analyze incoming events.InitNotificationPlugin: For plugins that handle outgoing notifications.InitParsingPlugin: For plugins that transform raw logs into structured drafts.InitCorrelationPlugin: For plugins that correlate multiple events into new insights.SendLogsFromChannel: For input plugins to send logs to the engine.
Configuration (GetCfg, PluginCfg)
Access shared configuration and plugin-specific settings. The system handles file-based persistence and synchronized updates.
CEL Caching (CELCache)
Highly efficient CEL expression evaluation with:
- LRU caching of compiled programs for high performance.
- Automatic expression transformation (e.g., handling keyword fields).
- Safe concurrent access with granular locking.
- Support for custom CEL environment options and overloads.
Communication
Most plugins communicate via UNIX sockets located in the sockets directory within the plugin's working directory.
π€ Contribution
Contributions are welcome! Please feel free to submit a Pull Request.
Documentation
ΒΆ
Index ΒΆ
- Constants
- Variables
- func AcquireLock(processName string) (bool, error)
- func EnqueueLog(log *Log, pluginName string) error
- func EnqueueNotification[T any](topic Topic, message T, pluginName string) error
- func GetOrderedSockets(t SocketType) []string
- func GetParsingSockets() map[string]string
- func GetPluginName(fullPath string, sep string) string
- func InitAnalysisPlugin(name string, analysisFunction func(*Event, Analysis_AnalyzeServer) error) error
- func InitCorrelationPlugin(name string, ...) error
- func InitNotificationPlugin(name string, ...) error
- func InitParsingPlugin(name string, parsingFunction func(context.Context, *Transform) (*Draft, error)) error
- func PluginCfg(pluginName string) gjson.Result
- func RandomDuration(min, max int) time.Duration
- func RegisterAnalysisServer(s *grpc.Server, srv AnalysisServer)
- func RegisterCorrelationServer(s *grpc.Server, srv CorrelationServer)
- func RegisterEngineServer(s *grpc.Server, srv EngineServer)
- func RegisterIntegrationServer(s *grpc.Server, srv IntegrationServer)
- func RegisterNotificationServer(s *grpc.Server, srv NotificationServer)
- func RegisterOutputServer(s *grpc.Server, srv OutputServer)
- func RegisterParsingServer(s *grpc.Server, srv ParsingServer)
- func ReleaseLock() error
- func SendLogsFromChannel(pluginName string)
- func SendNotificationsFromChannel(pluginName string)
- type Ack
- type Add
- type Alert
- func (*Alert) Descriptor() ([]byte, []int)deprecated
- func (x *Alert) GetAdversary() *Side
- func (x *Alert) GetCategory() string
- func (x *Alert) GetDataSource() string
- func (x *Alert) GetDataType() string
- func (x *Alert) GetDeduplicateBy() []string
- func (x *Alert) GetDescription() string
- func (x *Alert) GetErrors() []string
- func (x *Alert) GetEvents() []*Event
- func (x *Alert) GetGroupBy() []string
- func (x *Alert) GetId() string
- func (x *Alert) GetImpact() *Impact
- func (x *Alert) GetImpactScore() uint32
- func (x *Alert) GetLastUpdate() string
- func (x *Alert) GetName() string
- func (x *Alert) GetParentId() string
- func (x *Alert) GetReferences() []string
- func (x *Alert) GetSeverity() string
- func (x *Alert) GetTarget() *Side
- func (x *Alert) GetTechnique() string
- func (x *Alert) GetTenantId() string
- func (x *Alert) GetTenantName() string
- func (x *Alert) GetTimestamp() string
- func (*Alert) ProtoMessage()
- func (x *Alert) ProtoReflect() protoreflect.Message
- func (x *Alert) Reset()
- func (x *Alert) String() string
- type AnalysisClient
- type AnalysisServer
- type Analysis_AnalyzeClient
- type Analysis_AnalyzeServer
- type Asset
- func (*Asset) Descriptor() ([]byte, []int)deprecated
- func (x *Asset) GetAvailability() uint32
- func (x *Asset) GetConfidentiality() uint32
- func (x *Asset) GetHostnames() []string
- func (x *Asset) GetIntegrity() uint32
- func (x *Asset) GetIps() []string
- func (x *Asset) GetName() string
- func (*Asset) ProtoMessage()
- func (x *Asset) ProtoReflect() protoreflect.Message
- func (x *Asset) Reset()
- func (x *Asset) String() string
- type CELCache
- func (c *CELCache) Eval(expression string, data any, envOption ...cel.EnvOption) (bool, error)
- func (c *CELCache) Evaluate(data *string, expression string, envOption ...cel.EnvOption) (bool, error)
- func (c *CELCache) Get(cacheKey string, expression string, valuesMap map[string]interface{}, ...) (bool, error)
- type Cast
- type ComplianceValues
- type Config
- func (*Config) Descriptor() ([]byte, []int)deprecated
- func (x *Config) GetDisabledRules() []uint64
- func (x *Config) GetEnv() *Env
- func (x *Config) GetPatterns() map[string]string
- func (x *Config) GetPipeline() []*Pipeline
- func (x *Config) GetPlugins() map[string]*structpb.Value
- func (x *Config) GetTenants() []*Tenant
- func (*Config) ProtoMessage()
- func (x *Config) ProtoReflect() protoreflect.Message
- func (x *Config) Reset()
- func (x *Config) String() string
- type CorrelationClient
- type CorrelationServer
- type Csv
- func (*Csv) Descriptor() ([]byte, []int)deprecated
- func (x *Csv) GetHeaders() []string
- func (x *Csv) GetSeparator() string
- func (x *Csv) GetSource() string
- func (x *Csv) GetWhere() string
- func (*Csv) ProtoMessage()
- func (x *Csv) ProtoReflect() protoreflect.Message
- func (x *Csv) Reset()
- func (x *Csv) String() string
- type DataProcessingMessage
- type Delete
- type DiskInfo
- func (*DiskInfo) Descriptor() ([]byte, []int)deprecated
- func (x *DiskInfo) GetName() string
- func (x *DiskInfo) GetTotalSpace() uint64
- func (x *DiskInfo) GetUsedPercent() uint32
- func (*DiskInfo) ProtoMessage()
- func (x *DiskInfo) ProtoReflect() protoreflect.Message
- func (x *DiskInfo) Reset()
- func (x *DiskInfo) String() string
- type Draft
- func (*Draft) Descriptor() ([]byte, []int)deprecated
- func (x *Draft) GetErrors() []string
- func (x *Draft) GetLog() string
- func (x *Draft) GetPipeline() uint32
- func (x *Draft) GetStep() uint32
- func (*Draft) ProtoMessage()
- func (x *Draft) ProtoReflect() protoreflect.Message
- func (x *Draft) Reset()
- func (x *Draft) String() string
- type Drop
- type Dynamic
- func (*Dynamic) Descriptor() ([]byte, []int)deprecated
- func (x *Dynamic) GetParams() map[string]*structpb.Value
- func (x *Dynamic) GetPlugin() string
- func (x *Dynamic) GetWhere() string
- func (*Dynamic) ProtoMessage()
- func (x *Dynamic) ProtoReflect() protoreflect.Message
- func (x *Dynamic) Reset()
- func (x *Dynamic) String() string
- type Empty
- type EngineClient
- type EngineServer
- type Engine_InputClient
- type Engine_InputServer
- type Engine_NotifyClient
- type Engine_NotifyServer
- type Env
- func (*Env) Descriptor() ([]byte, []int)deprecated
- func (x *Env) GetLogLevel() uint32
- func (x *Env) GetMode() string
- func (x *Env) GetNodeGroups() []string
- func (x *Env) GetNodeName() string
- func (*Env) ProtoMessage()
- func (x *Env) ProtoReflect() protoreflect.Message
- func (x *Env) Reset()
- func (x *Env) String() string
- type Event
- func (*Event) Descriptor() ([]byte, []int)deprecated
- func (x *Event) GetAction() string
- func (x *Event) GetActionResult() string
- func (x *Event) GetCompliance() map[string]*ComplianceValues
- func (x *Event) GetConnectionStatus() string
- func (x *Event) GetDataSource() string
- func (x *Event) GetDataType() string
- func (x *Event) GetDeviceTime() string
- func (x *Event) GetErrors() []string
- func (x *Event) GetId() string
- func (x *Event) GetLog() map[string]*structpb.Value
- func (x *Event) GetOrigin() *Side
- func (x *Event) GetProtocol() string
- func (x *Event) GetRaw() string
- func (x *Event) GetSeverity() string
- func (x *Event) GetStatusCode() uint32
- func (x *Event) GetTarget() *Side
- func (x *Event) GetTenantId() string
- func (x *Event) GetTenantName() string
- func (x *Event) GetTimestamp() string
- func (*Event) ProtoMessage()
- func (x *Event) ProtoReflect() protoreflect.Message
- func (x *Event) Reset()
- func (x *Event) String() string
- type Expand
- type Expression
- func (*Expression) Descriptor() ([]byte, []int)deprecated
- func (x *Expression) GetField() string
- func (x *Expression) GetOperator() string
- func (x *Expression) GetValue() *structpb.Value
- func (*Expression) ProtoMessage()
- func (x *Expression) ProtoReflect() protoreflect.Message
- func (x *Expression) Reset()
- func (x *Expression) String() string
- type Geolocation
- func (*Geolocation) Descriptor() ([]byte, []int)deprecated
- func (x *Geolocation) GetAccuracy() uint32
- func (x *Geolocation) GetAsn() uint64
- func (x *Geolocation) GetAso() string
- func (x *Geolocation) GetCity() string
- func (x *Geolocation) GetCountry() string
- func (x *Geolocation) GetCountryCode() string
- func (x *Geolocation) GetLatitude() float64
- func (x *Geolocation) GetLongitude() float64
- func (*Geolocation) ProtoMessage()
- func (x *Geolocation) ProtoReflect() protoreflect.Message
- func (x *Geolocation) Reset()
- func (x *Geolocation) String() string
- type Grok
- type Impact
- func (*Impact) Descriptor() ([]byte, []int)deprecated
- func (x *Impact) GetAvailability() uint32
- func (x *Impact) GetConfidentiality() uint32
- func (x *Impact) GetIntegrity() uint32
- func (*Impact) ProtoMessage()
- func (x *Impact) ProtoReflect() protoreflect.Message
- func (x *Impact) Reset()
- func (x *Impact) String() string
- type IntegrationClient
- type IntegrationServer
- type Integration_ProcessLogClient
- type Integration_ProcessLogServer
- type Json
- type Kv
- func (*Kv) Descriptor() ([]byte, []int)deprecated
- func (x *Kv) GetFieldSplit() string
- func (x *Kv) GetSource() string
- func (x *Kv) GetValueSplit() string
- func (x *Kv) GetWhere() string
- func (*Kv) ProtoMessage()
- func (x *Kv) ProtoReflect() protoreflect.Message
- func (x *Kv) Reset()
- func (x *Kv) String() string
- type ListValue
- type Log
- func (*Log) Descriptor() ([]byte, []int)deprecated
- func (x *Log) GetDataSource() string
- func (x *Log) GetDataType() string
- func (x *Log) GetId() string
- func (x *Log) GetRaw() string
- func (x *Log) GetTenantId() string
- func (x *Log) GetTimestamp() string
- func (*Log) ProtoMessage()
- func (x *Log) ProtoReflect() protoreflect.Message
- func (x *Log) Reset()
- func (x *Log) String() string
- type Message
- func (*Message) Descriptor() ([]byte, []int)deprecated
- func (x *Message) GetId() string
- func (x *Message) GetMessage() string
- func (x *Message) GetTimestamp() string
- func (x *Message) GetTopic() string
- func (*Message) ProtoMessage()
- func (x *Message) ProtoReflect() protoreflect.Message
- func (x *Message) Reset()
- func (x *Message) String() string
- type NotificationClient
- type NotificationServer
- type NullValue
- type OutputClient
- type OutputServer
- type ParsingClient
- type ParsingServer
- type Pattern
- type Pipeline
- type Pool
- type Reformat
- func (*Reformat) Descriptor() ([]byte, []int)deprecated
- func (x *Reformat) GetFields() []string
- func (x *Reformat) GetFromFormat() string
- func (x *Reformat) GetFunction() string
- func (x *Reformat) GetToFormat() string
- func (x *Reformat) GetWhere() string
- func (*Reformat) ProtoMessage()
- func (x *Reformat) ProtoReflect() protoreflect.Message
- func (x *Reformat) Reset()
- func (x *Reformat) String() string
- type RegexpCache
- type Rename
- type Rule
- func (*Rule) Descriptor() ([]byte, []int)deprecated
- func (x *Rule) GetAdversary() string
- func (x *Rule) GetAfterEvents() []*SearchRequest
- func (x *Rule) GetCategory() string
- func (x *Rule) GetCorrelation() []*SearchRequest
- func (x *Rule) GetDataTypes() []string
- func (x *Rule) GetDeduplicateBy() []string
- func (x *Rule) GetDescription() string
- func (x *Rule) GetGroupBy() []string
- func (x *Rule) GetId() uint64
- func (x *Rule) GetImpact() *Impact
- func (x *Rule) GetName() string
- func (x *Rule) GetReferences() []string
- func (x *Rule) GetTechnique() string
- func (x *Rule) GetWhere() string
- func (r *Rule) Normalize()
- func (*Rule) ProtoMessage()
- func (x *Rule) ProtoReflect() protoreflect.Message
- func (x *Rule) Reset()
- func (x *Rule) String() string
- type SearchRequest
- func (*SearchRequest) Descriptor() ([]byte, []int)deprecated
- func (e *SearchRequest) Execute(previous *string) (bool, []sdkos.Hit, error)
- func (x *SearchRequest) GetCount() uint64
- func (x *SearchRequest) GetIndexPattern() string
- func (x *SearchRequest) GetOr() []*SearchRequest
- func (x *SearchRequest) GetWith() []*Expression
- func (x *SearchRequest) GetWithin() string
- func (*SearchRequest) ProtoMessage()
- func (x *SearchRequest) ProtoReflect() protoreflect.Message
- func (x *SearchRequest) Reset()
- func (x *SearchRequest) String() string
- type Side
- func (*Side) Descriptor() ([]byte, []int)deprecated
- func (x *Side) GetAuthentihash() string
- func (x *Side) GetBase64() string
- func (x *Side) GetBytesReceived() float64
- func (x *Side) GetBytesSent() float64
- func (x *Side) GetCdhash() string
- func (x *Side) GetCertificateFingerprint() string
- func (x *Side) GetChromeExtension() string
- func (x *Side) GetCidr() string
- func (x *Side) GetCommand() string
- func (x *Side) GetConnections() uint64
- func (x *Side) GetCookie() string
- func (x *Side) GetCpe() string
- func (x *Side) GetCve() string
- func (x *Side) GetDisks() []*DiskInfo
- func (x *Side) GetDkim() string
- func (x *Side) GetDkimSignature() string
- func (x *Side) GetDomain() string
- func (x *Side) GetEmail() string
- func (x *Side) GetEmailAddress() string
- func (x *Side) GetEmailBody() string
- func (x *Side) GetEmailDisplayName() string
- func (x *Side) GetEmailSubject() string
- func (x *Side) GetEmailThreadIndex() string
- func (x *Side) GetEmailXMailer() string
- func (x *Side) GetFile() string
- func (x *Side) GetFilename() string
- func (x *Side) GetGeolocation() *Geolocation
- func (x *Side) GetGroup() string
- func (x *Side) GetHash() string
- func (x *Side) GetHex() string
- func (x *Side) GetHost() string
- func (x *Side) GetIp() string
- func (x *Side) GetJa3Fingerprint() string
- func (x *Side) GetJabberId() string
- func (x *Side) GetJarmFingerprint() string
- func (x *Side) GetMac() string
- func (x *Side) GetMalware() string
- func (x *Side) GetMalwareFamily() string
- func (x *Side) GetMalwareType() string
- func (x *Side) GetMd5() string
- func (x *Side) GetMimeType() string
- func (x *Side) GetMobileAppId() string
- func (x *Side) GetOperatingSystem() string
- func (x *Side) GetPackagesReceived() uint64
- func (x *Side) GetPackagesSent() uint64
- func (x *Side) GetPath() string
- func (x *Side) GetPgpPrivateKey() string
- func (x *Side) GetPgpPublicKey() string
- func (x *Side) GetPort() uint32
- func (x *Side) GetProcess() string
- func (x *Side) GetProcessState() string
- func (x *Side) GetSha1() string
- func (x *Side) GetSha224() string
- func (x *Side) GetSha256() string
- func (x *Side) GetSha384() string
- func (x *Side) GetSha512() string
- func (x *Side) GetSha3224() string
- func (x *Side) GetSha3256() string
- func (x *Side) GetSha3384() string
- func (x *Side) GetSha3512() string
- func (x *Side) GetSha512224() string
- func (x *Side) GetSha512256() string
- func (x *Side) GetSizeInBytes() string
- func (x *Side) GetSshBanner() string
- func (x *Side) GetSshFingerprint() string
- func (x *Side) GetTotalCpuUnits() uint32
- func (x *Side) GetTotalMem() uint64
- func (x *Side) GetUrl() string
- func (x *Side) GetUsedCpuPercent() uint32
- func (x *Side) GetUsedMemPercent() uint32
- func (x *Side) GetUser() string
- func (x *Side) GetWhoisRegistrant() string
- func (x *Side) GetWhoisRegistrar() string
- func (x *Side) GetWindowsScheduledTask() string
- func (x *Side) GetWindowsServiceDisplayName() string
- func (x *Side) GetWindowsServiceName() string
- func (*Side) ProtoMessage()
- func (x *Side) ProtoReflect() protoreflect.Message
- func (x *Side) Reset()
- func (x *Side) String() string
- type SocketType
- type Step
- func (*Step) Descriptor() ([]byte, []int)deprecated
- func (x *Step) GetAdd() *Add
- func (x *Step) GetCast() *Cast
- func (x *Step) GetCsv() *Csv
- func (x *Step) GetDelete() *Delete
- func (x *Step) GetDrop() *Drop
- func (x *Step) GetDynamic() *Dynamic
- func (x *Step) GetGrok() *Grok
- func (x *Step) GetJson() *Json
- func (x *Step) GetKv() *Kv
- func (x *Step) GetReformat() *Reformat
- func (x *Step) GetRename() *Rename
- func (x *Step) GetTrim() *Trim
- func (*Step) ProtoMessage()
- func (x *Step) ProtoReflect() protoreflect.Message
- func (x *Step) Reset()
- func (x *Step) String() string
- type Struct
- type Tenant
- func (*Tenant) Descriptor() ([]byte, []int)deprecated
- func (x *Tenant) GetAssets() []*Asset
- func (x *Tenant) GetDisabledRules() []uint64
- func (x *Tenant) GetId() string
- func (x *Tenant) GetName() string
- func (*Tenant) ProtoMessage()
- func (x *Tenant) ProtoReflect() protoreflect.Message
- func (x *Tenant) Reset()
- func (x *Tenant) String() string
- type Topic
- type Transform
- type Trim
- func (*Trim) Descriptor() ([]byte, []int)deprecated
- func (x *Trim) GetFields() []string
- func (x *Trim) GetFunction() string
- func (x *Trim) GetSubstring() string
- func (x *Trim) GetWhere() string
- func (*Trim) ProtoMessage()
- func (x *Trim) ProtoReflect() protoreflect.Message
- func (x *Trim) Reset()
- func (x *Trim) String() string
- type UnimplementedAnalysisServer
- type UnimplementedCorrelationServer
- type UnimplementedEngineServer
- type UnimplementedIntegrationServer
- type UnimplementedNotificationServer
- type UnimplementedOutputServer
- type UnimplementedParsingServer
- type UnsafeAnalysisServer
- type UnsafeCorrelationServer
- type UnsafeEngineServer
- type UnsafeIntegrationServer
- type UnsafeNotificationServer
- type UnsafeOutputServer
- type UnsafeParsingServer
- type Value
- type Value_BoolValue
- type Value_ListValue
- type Value_NullValue
- type Value_NumberValue
- type Value_StringValue
- type Value_StructValue
- type Variable
- func (*Variable) Descriptor() ([]byte, []int)deprecated
- func (x *Variable) GetAs() string
- func (x *Variable) GetGet() string
- func (x *Variable) GetOfType() string
- func (*Variable) ProtoMessage()
- func (x *Variable) ProtoReflect() protoreflect.Message
- func (x *Variable) Reset()
- func (x *Variable) String() string
Constants ΒΆ
View Source
const NullValue_NULL_VALUE = structpb.NullValue_NULL_VALUE
Variables ΒΆ
View Source
var File_plugins_proto protoreflect.FileDescriptor
View Source
var NullValue_name = structpb.NullValue_name
View Source
var NullValue_value = structpb.NullValue_value
View Source
var WorkDir = func() string { workDir := os.Getenv("WORK_DIR") if workDir == "" { workDir = "/workdir" } return workDir }() // This cannot be part of the main config system because the main config system depends on it to find the configuration files
WorkDir is the folder on which the EventProcessor and all plugins are going to store their configuration files and temporary data
Functions ΒΆ
func AcquireLock ΒΆ added in v1.0.22
AcquireLock tries to acquire the lock file to prevent race conditions when loading or modifying configurations. It returns true if the lock was acquired successfully, false otherwise.
func EnqueueLog ΒΆ added in v1.0.2
EnqueueLog sends a log to the local logs queue. Parameters:
- log: The log to enqueue
func EnqueueNotification ΒΆ added in v1.0.0
EnqueueNotification sends a notification message to a specified topic. It marshals the NotificationMessage into JSON format and sends it to the notification channel.
Parameters:
- topic: The topic to which the notification message will be sent.
- message: The notification message to be sent. Must be a JSON serializable object.
Returns:
- error: Returns an error if the message marshaling fails, otherwise returns nil.
func GetOrderedSockets ΒΆ added in v1.0.33
func GetOrderedSockets(t SocketType) []string
GetOrderedSockets returns an ordered list of socket file paths for the given socket type, based on the plugin order specified in configuration (env/config). If no configuration is present, an empty list is returned.
func GetParsingSockets ΒΆ added in v1.0.33
GetParsingSockets scans the sockets directory and returns a map of parsing plugin names to their corresponding socket file paths.
func GetPluginName ΒΆ added in v1.0.33
GetPluginName extracts the base plugin name from a full path using the given separator. For example, given "/workdir/sockets/my-plugin_parsing.sock" and sep "_", it returns "my-plugin".
Params:
- fullPath: full file path or identifier that contains the plugin name.
- sep: separator used to split suffixes (e.g., "_parsing", "_analysis").
Returns:
- string: the plugin name without suffixes or extensions.
func InitAnalysisPlugin ΒΆ added in v1.0.50
func InitAnalysisPlugin(name string, analysisFunction func(*Event, Analysis_AnalyzeServer) error) error
InitAnalysisPlugin initializes a gRPC-based analysis plugin with a specified name and analysis function. It sets up a UNIX socket, handles lifecycle events, and manages graceful shutdowns upon termination signals. Locks until shutdown is complete or an error occurs.
func InitCorrelationPlugin ΒΆ added in v1.0.50
func InitCorrelationPlugin(name string, correlationFunction func(ctx context.Context, alert *Alert) (*emptypb.Empty, error)) error
InitCorrelationPlugin initializes a correlation plugin with a given name and correlation function for gRPC communication. It sets up a Unix socket, creates a gRPC server, and handles lifecycle management, including shutdown and cleanup. Locks until shutdown is complete or an error occurs.
func InitNotificationPlugin ΒΆ added in v1.0.50
func InitNotificationPlugin(name string, notificationFunction func(ctx context.Context, message *Message) (*emptypb.Empty, error)) error
InitNotificationPlugin initializes a gRPC-based notification plugin with a specified name and notification function. It sets up a UNIX socket, handles lifecycle events, and manages graceful shutdowns upon termination signals. Locks until shutdown is complete or an error occurs.
func InitParsingPlugin ΒΆ added in v1.0.50
func InitParsingPlugin(name string, parsingFunction func(context.Context, *Transform) (*Draft, error)) error
InitParsingPlugin initializes a gRPC parsing plugin with a provided name and parsing function for Transform objects. It sets up a Unix socket for communication and supports graceful shutdown upon system signals or errors. Locks until shutdown is complete or an error occurs.
func PluginCfg ΒΆ added in v1.0.0
PluginCfg retrieves the configuration for a specified plugin by name and unmarshal it into the provided type. The function returns a pointer to the configuration of the specified type and a pointer to an error if any error occurs.
Parameters:
pluginName: The name of the plugin whose configuration is to be retrieved. wait: A boolean value that determines whether the function should wait for the configuration to be available.
Returns:
gjson.Result: An object containing the configuration of the specified plugin.
func RandomDuration ΒΆ added in v1.0.23
RandomDuration returns a random time.Duration between min and max seconds. It panics if max <= 0.
func RegisterAnalysisServer ΒΆ added in v0.2.5
func RegisterAnalysisServer(s *grpc.Server, srv AnalysisServer)
func RegisterCorrelationServer ΒΆ added in v0.2.5
func RegisterCorrelationServer(s *grpc.Server, srv CorrelationServer)
func RegisterEngineServer ΒΆ added in v0.2.5
func RegisterEngineServer(s *grpc.Server, srv EngineServer)
func RegisterIntegrationServer ΒΆ added in v0.2.3
func RegisterIntegrationServer(s *grpc.Server, srv IntegrationServer)
func RegisterNotificationServer ΒΆ added in v0.2.5
func RegisterNotificationServer(s *grpc.Server, srv NotificationServer)
func RegisterOutputServer ΒΆ added in v1.0.0
func RegisterOutputServer(s *grpc.Server, srv OutputServer)
func RegisterParsingServer ΒΆ added in v0.2.5
func RegisterParsingServer(s *grpc.Server, srv ParsingServer)
func SendLogsFromChannel ΒΆ added in v1.0.2
func SendLogsFromChannel(pluginName string)
SendLogsFromChannel listens to the logsChannel and sends logs to the engine server via gRPC. It logs an error if the connection to the engine server fails, if sending a notification fails, or if receiving an acknowledgment fails. It runs indefinitely and should be run as a goroutine.
func SendNotificationsFromChannel ΒΆ added in v1.0.0
func SendNotificationsFromChannel(pluginName string)
SendNotificationsFromChannel listens to the notificationsChannel and sends notifications to the engine server via gRPC. It logs an error if the connection to the engine server fails, if sending a notification fails, or if receiving an acknowledgment fails. It runs indefinitely and should be run as a goroutine.
Types ΒΆ
type Ack ΒΆ
type Ack struct {
LastId string `protobuf:"bytes,1,opt,name=lastId,proto3" json:"lastId,omitempty"`
// contains filtered or unexported fields
}
func (*Ack) Descriptor
deprecated
func (*Ack) ProtoMessage ΒΆ
func (*Ack) ProtoMessage()
func (*Ack) ProtoReflect ΒΆ
func (x *Ack) ProtoReflect() protoreflect.Message
type Add ΒΆ added in v1.0.0
type Add struct {
Function string `protobuf:"bytes,1,opt,name=function,proto3" json:"function,omitempty"`
Params map[string]*structpb.Value `` /* 153-byte string literal not displayed */
Where string `protobuf:"bytes,3,opt,name=where,proto3" json:"where,omitempty"`
// contains filtered or unexported fields
}
func (*Add) Descriptor
deprecated
added in
v1.0.0
func (*Add) GetFunction ΒΆ added in v1.0.0
func (*Add) ProtoMessage ΒΆ added in v1.0.0
func (*Add) ProtoMessage()
func (*Add) ProtoReflect ΒΆ added in v1.0.0
func (x *Add) ProtoReflect() protoreflect.Message
type Alert ΒΆ
type Alert struct {
Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
Timestamp string `protobuf:"bytes,2,opt,name=timestamp,json=@timestamp,proto3" json:"timestamp,omitempty"`
LastUpdate string `protobuf:"bytes,3,opt,name=lastUpdate,proto3" json:"lastUpdate,omitempty"`
Name string `protobuf:"bytes,4,opt,name=name,proto3" json:"name,omitempty"`
TenantId string `protobuf:"bytes,5,opt,name=tenantId,proto3" json:"tenantId,omitempty"`
TenantName string `protobuf:"bytes,6,opt,name=tenantName,proto3" json:"tenantName,omitempty"`
DataSource string `protobuf:"bytes,7,opt,name=dataSource,proto3" json:"dataSource,omitempty"`
DataType string `protobuf:"bytes,8,opt,name=dataType,proto3" json:"dataType,omitempty"`
Category string `protobuf:"bytes,9,opt,name=category,proto3" json:"category,omitempty"`
Technique string `protobuf:"bytes,10,opt,name=technique,proto3" json:"technique,omitempty"`
Description string `protobuf:"bytes,11,opt,name=description,proto3" json:"description,omitempty"`
References []string `protobuf:"bytes,12,rep,name=references,proto3" json:"references,omitempty"`
Impact *Impact `protobuf:"bytes,13,opt,name=impact,proto3" json:"impact,omitempty"`
ImpactScore uint32 `protobuf:"varint,14,opt,name=impactScore,proto3" json:"impactScore,omitempty"`
Severity string `protobuf:"bytes,15,opt,name=severity,proto3" json:"severity,omitempty"`
Adversary *Side `protobuf:"bytes,16,opt,name=adversary,proto3" json:"adversary,omitempty"`
Target *Side `protobuf:"bytes,17,opt,name=target,proto3" json:"target,omitempty"`
Events []*Event `protobuf:"bytes,18,rep,name=events,proto3" json:"events,omitempty"`
DeduplicateBy []string `protobuf:"bytes,19,rep,name=deduplicateBy,proto3" json:"deduplicateBy,omitempty"`
Errors []string `protobuf:"bytes,20,rep,name=errors,proto3" json:"errors,omitempty"`
ParentId string `protobuf:"bytes,21,opt,name=parentId,proto3" json:"parentId,omitempty"`
GroupBy []string `protobuf:"bytes,22,rep,name=groupBy,proto3" json:"groupBy,omitempty"`
// contains filtered or unexported fields
}
func (*Alert) Descriptor
deprecated
func (*Alert) GetAdversary ΒΆ
func (*Alert) GetCategory ΒΆ
func (*Alert) GetDataSource ΒΆ
func (*Alert) GetDataType ΒΆ
func (*Alert) GetDeduplicateBy ΒΆ added in v1.0.13
func (*Alert) GetDescription ΒΆ
func (*Alert) GetGroupBy ΒΆ added in v1.1.6
func (*Alert) GetImpactScore ΒΆ
func (*Alert) GetLastUpdate ΒΆ
func (*Alert) GetParentId ΒΆ added in v1.1.6
func (*Alert) GetReferences ΒΆ
func (*Alert) GetSeverity ΒΆ
func (*Alert) GetTechnique ΒΆ
func (*Alert) GetTenantId ΒΆ
func (*Alert) GetTenantName ΒΆ
func (*Alert) GetTimestamp ΒΆ
func (*Alert) ProtoMessage ΒΆ
func (*Alert) ProtoMessage()
func (*Alert) ProtoReflect ΒΆ
func (x *Alert) ProtoReflect() protoreflect.Message
type AnalysisClient ΒΆ added in v0.2.5
type AnalysisClient interface {
Analyze(ctx context.Context, in *Event, opts ...grpc.CallOption) (Analysis_AnalyzeClient, error)
}
AnalysisClient is the client API for Analysis service.
For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
func NewAnalysisClient ΒΆ added in v0.2.5
func NewAnalysisClient(cc grpc.ClientConnInterface) AnalysisClient
type AnalysisServer ΒΆ added in v0.2.5
type AnalysisServer interface {
Analyze(*Event, Analysis_AnalyzeServer) error
// contains filtered or unexported methods
}
AnalysisServer is the server API for Analysis service. All implementations must embed UnimplementedAnalysisServer for forward compatibility
type Analysis_AnalyzeClient ΒΆ added in v1.0.0
type Analysis_AnalyzeClient interface {
Recv() (*Alert, error)
grpc.ClientStream
}
type Analysis_AnalyzeServer ΒΆ added in v1.0.0
type Analysis_AnalyzeServer interface {
Send(*Alert) error
grpc.ServerStream
}
type Asset ΒΆ added in v1.0.0
type Asset struct {
Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
Hostnames []string `protobuf:"bytes,2,rep,name=hostnames,proto3" json:"hostnames,omitempty"`
Ips []string `protobuf:"bytes,3,rep,name=ips,proto3" json:"ips,omitempty"`
Confidentiality uint32 `protobuf:"varint,4,opt,name=confidentiality,proto3" json:"confidentiality,omitempty"`
Availability uint32 `protobuf:"varint,5,opt,name=availability,proto3" json:"availability,omitempty"`
Integrity uint32 `protobuf:"varint,6,opt,name=integrity,proto3" json:"integrity,omitempty"`
// contains filtered or unexported fields
}
func (*Asset) Descriptor
deprecated
added in
v1.0.0
func (*Asset) GetAvailability ΒΆ added in v1.0.0
func (*Asset) GetConfidentiality ΒΆ added in v1.0.0
func (*Asset) GetHostnames ΒΆ added in v1.0.0
func (*Asset) GetIntegrity ΒΆ added in v1.0.0
func (*Asset) ProtoMessage ΒΆ added in v1.0.0
func (*Asset) ProtoMessage()
func (*Asset) ProtoReflect ΒΆ added in v1.0.0
func (x *Asset) ProtoReflect() protoreflect.Message
type CELCache ΒΆ added in v1.1.0
type CELCache struct {
// contains filtered or unexported fields
}
CELCache provides a thread-safe cache for compiled CEL (Common Expression Language) programs. It uses an LRU cache to store and reuse programs to optimize evaluation performance.
func NewCELCache ΒΆ added in v1.1.0
NewCELCache creates and returns a new instance of CELCache for the specified process.
func (*CELCache) Eval ΒΆ added in v1.1.6
Eval evaluates a CEL expression against the given data and returns the boolean result if successful. 'data' can be a proto.Message, a JSON string (or *string), or a map[string]any.
func (*CELCache) Evaluate ΒΆ added in v1.1.0
func (c *CELCache) Evaluate(data *string, expression string, envOption ...cel.EnvOption) (bool, error)
Evaluate is a wrapper around Eval for backward compatibility. Note: It uses (data, expression) order while Eval uses (expression, data).
func (*CELCache) Get ΒΆ added in v1.1.0
func (c *CELCache) Get(cacheKey string, expression string, valuesMap map[string]interface{}, envOption ...cel.EnvOption) (bool, error)
Get retrieves a compiled CEL program from the cache or compiles it if not present. It then executes the program with the provided valuesMap and returns the result.
type Cast ΒΆ added in v1.0.0
type Cast struct {
To string `protobuf:"bytes,1,opt,name=to,proto3" json:"to,omitempty"`
Fields []string `protobuf:"bytes,2,rep,name=fields,proto3" json:"fields,omitempty"`
Where string `protobuf:"bytes,3,opt,name=where,proto3" json:"where,omitempty"`
// contains filtered or unexported fields
}
func (*Cast) Descriptor
deprecated
added in
v1.0.0
func (*Cast) ProtoMessage ΒΆ added in v1.0.0
func (*Cast) ProtoMessage()
func (*Cast) ProtoReflect ΒΆ added in v1.0.0
func (x *Cast) ProtoReflect() protoreflect.Message
type ComplianceValues ΒΆ added in v1.0.46
type ComplianceValues struct {
Values []string `protobuf:"bytes,1,rep,name=values,proto3" json:"values,omitempty"`
// contains filtered or unexported fields
}
func (*ComplianceValues) Descriptor
deprecated
added in
v1.0.46
func (*ComplianceValues) Descriptor() ([]byte, []int)
Deprecated: Use ComplianceValues.ProtoReflect.Descriptor instead.
func (*ComplianceValues) GetValues ΒΆ added in v1.0.46
func (x *ComplianceValues) GetValues() []string
func (*ComplianceValues) ProtoMessage ΒΆ added in v1.0.46
func (*ComplianceValues) ProtoMessage()
func (*ComplianceValues) ProtoReflect ΒΆ added in v1.0.46
func (x *ComplianceValues) ProtoReflect() protoreflect.Message
func (*ComplianceValues) Reset ΒΆ added in v1.0.46
func (x *ComplianceValues) Reset()
func (*ComplianceValues) String ΒΆ added in v1.0.46
func (x *ComplianceValues) String() string
type Config ΒΆ added in v1.0.0
type Config struct {
Pipeline []*Pipeline `protobuf:"bytes,1,rep,name=pipeline,proto3" json:"pipeline,omitempty"`
DisabledRules []uint64 `protobuf:"varint,2,rep,packed,name=disabledRules,proto3" json:"disabledRules,omitempty"`
Tenants []*Tenant `protobuf:"bytes,3,rep,name=tenants,proto3" json:"tenants,omitempty"`
Patterns map[string]string `` /* 157-byte string literal not displayed */
Plugins map[string]*structpb.Value `` /* 155-byte string literal not displayed */
Env *Env `protobuf:"bytes,6,opt,name=env,proto3" json:"env,omitempty"`
// contains filtered or unexported fields
}
func GetCfg ΒΆ added in v1.0.0
GetCfg initializes the configuration if it hasn't been initialized yet, and starts a goroutine to periodically update the configuration every 60 seconds. It waits for the initial configuration to be set before returning it. The function returns a pointer to the Config struct.
func (*Config) Descriptor
deprecated
added in
v1.0.0
func (*Config) GetDisabledRules ΒΆ added in v1.0.0
func (*Config) GetPatterns ΒΆ added in v1.0.0
func (*Config) GetPipeline ΒΆ added in v1.0.0
func (*Config) GetPlugins ΒΆ added in v1.0.0
func (*Config) GetTenants ΒΆ added in v1.0.0
func (*Config) ProtoMessage ΒΆ added in v1.0.0
func (*Config) ProtoMessage()
func (*Config) ProtoReflect ΒΆ added in v1.0.0
func (x *Config) ProtoReflect() protoreflect.Message
type CorrelationClient ΒΆ added in v0.2.5
type CorrelationClient interface {
Correlate(ctx context.Context, in *Alert, opts ...grpc.CallOption) (*emptypb.Empty, error)
}
CorrelationClient is the client API for Correlation service.
For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
func NewCorrelationClient ΒΆ added in v0.2.5
func NewCorrelationClient(cc grpc.ClientConnInterface) CorrelationClient
type CorrelationServer ΒΆ added in v0.2.5
type CorrelationServer interface {
Correlate(context.Context, *Alert) (*emptypb.Empty, error)
// contains filtered or unexported methods
}
CorrelationServer is the server API for Correlation service. All implementations must embed UnimplementedCorrelationServer for forward compatibility
type Csv ΒΆ added in v1.0.0
type Csv struct {
Source string `protobuf:"bytes,1,opt,name=source,proto3" json:"source,omitempty"`
Separator string `protobuf:"bytes,2,opt,name=separator,proto3" json:"separator,omitempty"`
Headers []string `protobuf:"bytes,3,rep,name=headers,proto3" json:"headers,omitempty"`
Where string `protobuf:"bytes,4,opt,name=where,proto3" json:"where,omitempty"`
// contains filtered or unexported fields
}
func (*Csv) Descriptor
deprecated
added in
v1.0.0
func (*Csv) GetHeaders ΒΆ added in v1.0.0
func (*Csv) GetSeparator ΒΆ added in v1.0.0
func (*Csv) ProtoMessage ΒΆ added in v1.0.0
func (*Csv) ProtoMessage()
func (*Csv) ProtoReflect ΒΆ added in v1.0.0
func (x *Csv) ProtoReflect() protoreflect.Message
type DataProcessingMessage ΒΆ added in v1.0.0
type DataProcessingMessage struct {
DataType string `json:"dataType"`
DataSource string `json:"dataSource"`
}
DataProcessingMessage represent the details of a success or failure during the processing of a log. Used as a message body for notifications.
type Delete ΒΆ added in v1.0.0
type Delete struct {
Fields []string `protobuf:"bytes,1,rep,name=fields,proto3" json:"fields,omitempty"`
Where string `protobuf:"bytes,2,opt,name=where,proto3" json:"where,omitempty"`
// contains filtered or unexported fields
}
func (*Delete) Descriptor
deprecated
added in
v1.0.0
func (*Delete) ProtoMessage ΒΆ added in v1.0.0
func (*Delete) ProtoMessage()
func (*Delete) ProtoReflect ΒΆ added in v1.0.0
func (x *Delete) ProtoReflect() protoreflect.Message
type DiskInfo ΒΆ added in v1.0.36
type DiskInfo struct {
Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
TotalSpace uint64 `protobuf:"varint,2,opt,name=totalSpace,proto3" json:"totalSpace,omitempty"`
UsedPercent uint32 `protobuf:"varint,3,opt,name=usedPercent,proto3" json:"usedPercent,omitempty"`
// contains filtered or unexported fields
}
func (*DiskInfo) Descriptor
deprecated
added in
v1.0.36
func (*DiskInfo) GetTotalSpace ΒΆ added in v1.0.36
func (*DiskInfo) GetUsedPercent ΒΆ added in v1.0.36
func (*DiskInfo) ProtoMessage ΒΆ added in v1.0.36
func (*DiskInfo) ProtoMessage()
func (*DiskInfo) ProtoReflect ΒΆ added in v1.0.36
func (x *DiskInfo) ProtoReflect() protoreflect.Message
type Draft ΒΆ added in v1.0.0
type Draft struct {
Log string `protobuf:"bytes,1,opt,name=log,proto3" json:"log,omitempty"`
Step uint32 `protobuf:"varint,2,opt,name=step,proto3" json:"step,omitempty"`
Pipeline uint32 `protobuf:"varint,3,opt,name=pipeline,proto3" json:"pipeline,omitempty"`
Errors []string `protobuf:"bytes,4,rep,name=errors,proto3" json:"errors,omitempty"`
// contains filtered or unexported fields
}
func (*Draft) Descriptor
deprecated
added in
v1.0.0
func (*Draft) GetPipeline ΒΆ added in v1.0.36
func (*Draft) ProtoMessage ΒΆ added in v1.0.0
func (*Draft) ProtoMessage()
func (*Draft) ProtoReflect ΒΆ added in v1.0.0
func (x *Draft) ProtoReflect() protoreflect.Message
type Drop ΒΆ added in v1.0.0
type Drop struct {
Where string `protobuf:"bytes,1,opt,name=where,proto3" json:"where,omitempty"`
// contains filtered or unexported fields
}
func (*Drop) Descriptor
deprecated
added in
v1.0.0
func (*Drop) ProtoMessage ΒΆ added in v1.0.0
func (*Drop) ProtoMessage()
func (*Drop) ProtoReflect ΒΆ added in v1.0.0
func (x *Drop) ProtoReflect() protoreflect.Message
type Dynamic ΒΆ added in v1.0.0
type Dynamic struct {
Plugin string `protobuf:"bytes,1,opt,name=plugin,proto3" json:"plugin,omitempty"`
Params map[string]*structpb.Value `` /* 153-byte string literal not displayed */
Where string `protobuf:"bytes,3,opt,name=where,proto3" json:"where,omitempty"`
// contains filtered or unexported fields
}
func (*Dynamic) Descriptor
deprecated
added in
v1.0.0
func (*Dynamic) ProtoMessage ΒΆ added in v1.0.0
func (*Dynamic) ProtoMessage()
func (*Dynamic) ProtoReflect ΒΆ added in v1.0.0
func (x *Dynamic) ProtoReflect() protoreflect.Message
type EngineClient ΒΆ added in v0.2.5
type EngineClient interface {
Input(ctx context.Context, opts ...grpc.CallOption) (Engine_InputClient, error)
Notify(ctx context.Context, opts ...grpc.CallOption) (Engine_NotifyClient, error)
}
EngineClient is the client API for Engine service.
For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
func NewEngineClient ΒΆ added in v0.2.5
func NewEngineClient(cc grpc.ClientConnInterface) EngineClient
type EngineServer ΒΆ added in v0.2.5
type EngineServer interface {
Input(Engine_InputServer) error
Notify(Engine_NotifyServer) error
// contains filtered or unexported methods
}
EngineServer is the server API for Engine service. All implementations must embed UnimplementedEngineServer for forward compatibility
type Engine_InputClient ΒΆ added in v0.2.5
type Engine_InputServer ΒΆ added in v0.2.5
type Engine_NotifyClient ΒΆ added in v0.2.5
type Engine_NotifyServer ΒΆ added in v0.2.5
type Env ΒΆ added in v1.0.0
type Env struct {
NodeName string `protobuf:"bytes,1,opt,name=nodeName,proto3" json:"nodeName,omitempty"`
NodeGroups []string `protobuf:"bytes,2,rep,name=nodeGroups,proto3" json:"nodeGroups,omitempty"`
LogLevel uint32 `protobuf:"varint,4,opt,name=logLevel,proto3" json:"logLevel,omitempty"`
Mode string `protobuf:"bytes,5,opt,name=mode,proto3" json:"mode,omitempty"`
// contains filtered or unexported fields
}
func (*Env) Descriptor
deprecated
added in
v1.0.0
func (*Env) GetLogLevel ΒΆ added in v1.0.0
func (*Env) GetNodeGroups ΒΆ added in v1.0.0
func (*Env) GetNodeName ΒΆ added in v1.0.0
func (*Env) ProtoMessage ΒΆ added in v1.0.0
func (*Env) ProtoMessage()
func (*Env) ProtoReflect ΒΆ added in v1.0.0
func (x *Env) ProtoReflect() protoreflect.Message
type Event ΒΆ
type Event struct {
Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
Timestamp string `protobuf:"bytes,2,opt,name=timestamp,json=@timestamp,proto3" json:"timestamp,omitempty"`
DeviceTime string `protobuf:"bytes,3,opt,name=deviceTime,proto3" json:"deviceTime,omitempty"`
DataType string `protobuf:"bytes,4,opt,name=dataType,proto3" json:"dataType,omitempty"`
DataSource string `protobuf:"bytes,5,opt,name=dataSource,proto3" json:"dataSource,omitempty"`
TenantId string `protobuf:"bytes,6,opt,name=tenantId,proto3" json:"tenantId,omitempty"`
TenantName string `protobuf:"bytes,7,opt,name=tenantName,proto3" json:"tenantName,omitempty"`
Raw string `protobuf:"bytes,8,opt,name=raw,proto3" json:"raw,omitempty"`
Log map[string]*structpb.Value `` /* 147-byte string literal not displayed */
Target *Side `protobuf:"bytes,10,opt,name=target,proto3" json:"target,omitempty"`
Origin *Side `protobuf:"bytes,11,opt,name=origin,proto3" json:"origin,omitempty"`
Protocol string `protobuf:"bytes,12,opt,name=protocol,proto3" json:"protocol,omitempty"`
ConnectionStatus string `protobuf:"bytes,13,opt,name=connectionStatus,proto3" json:"connectionStatus,omitempty"`
StatusCode uint32 `protobuf:"varint,14,opt,name=statusCode,proto3" json:"statusCode,omitempty"`
ActionResult string `protobuf:"bytes,15,opt,name=actionResult,proto3" json:"actionResult,omitempty"`
Action string `protobuf:"bytes,16,opt,name=action,proto3" json:"action,omitempty"`
Severity string `protobuf:"bytes,17,opt,name=severity,proto3" json:"severity,omitempty"`
Errors []string `protobuf:"bytes,18,rep,name=errors,proto3" json:"errors,omitempty"`
Compliance map[string]*ComplianceValues `` /* 162-byte string literal not displayed */
// contains filtered or unexported fields
}
func (*Event) Descriptor
deprecated
func (*Event) GetActionResult ΒΆ added in v0.4.6
func (*Event) GetCompliance ΒΆ added in v1.0.46
func (x *Event) GetCompliance() map[string]*ComplianceValues
func (*Event) GetConnectionStatus ΒΆ
func (*Event) GetDataSource ΒΆ
func (*Event) GetDataType ΒΆ
func (*Event) GetDeviceTime ΒΆ
func (*Event) GetProtocol ΒΆ
func (*Event) GetSeverity ΒΆ added in v1.0.0
func (*Event) GetStatusCode ΒΆ
func (*Event) GetTenantId ΒΆ
func (*Event) GetTenantName ΒΆ
func (*Event) GetTimestamp ΒΆ
func (*Event) ProtoMessage ΒΆ
func (*Event) ProtoMessage()
func (*Event) ProtoReflect ΒΆ
func (x *Event) ProtoReflect() protoreflect.Message
type Expand ΒΆ added in v1.0.0
type Expand struct {
Source string `protobuf:"bytes,1,opt,name=source,proto3" json:"source,omitempty"`
To string `protobuf:"bytes,2,opt,name=to,proto3" json:"to,omitempty"`
Where string `protobuf:"bytes,3,opt,name=where,proto3" json:"where,omitempty"`
// contains filtered or unexported fields
}
func (*Expand) Descriptor
deprecated
added in
v1.0.0
func (*Expand) ProtoMessage ΒΆ added in v1.0.0
func (*Expand) ProtoMessage()
func (*Expand) ProtoReflect ΒΆ added in v1.0.0
func (x *Expand) ProtoReflect() protoreflect.Message
type Expression ΒΆ added in v1.1.6
type Expression struct {
Field string `protobuf:"bytes,1,opt,name=field,proto3" json:"field,omitempty"`
Operator string `protobuf:"bytes,2,opt,name=operator,proto3" json:"operator,omitempty"`
Value *structpb.Value `protobuf:"bytes,3,opt,name=value,proto3" json:"value,omitempty"`
// contains filtered or unexported fields
}
func (*Expression) Descriptor
deprecated
added in
v1.1.6
func (*Expression) Descriptor() ([]byte, []int)
Deprecated: Use Expression.ProtoReflect.Descriptor instead.
func (*Expression) GetField ΒΆ added in v1.1.6
func (x *Expression) GetField() string
func (*Expression) GetOperator ΒΆ added in v1.1.6
func (x *Expression) GetOperator() string
func (*Expression) GetValue ΒΆ added in v1.1.6
func (x *Expression) GetValue() *structpb.Value
func (*Expression) ProtoMessage ΒΆ added in v1.1.6
func (*Expression) ProtoMessage()
func (*Expression) ProtoReflect ΒΆ added in v1.1.6
func (x *Expression) ProtoReflect() protoreflect.Message
func (*Expression) Reset ΒΆ added in v1.1.6
func (x *Expression) Reset()
func (*Expression) String ΒΆ added in v1.1.6
func (x *Expression) String() string
type Geolocation ΒΆ
type Geolocation struct {
Country string `protobuf:"bytes,1,opt,name=country,proto3" json:"country,omitempty"`
City string `protobuf:"bytes,2,opt,name=city,proto3" json:"city,omitempty"`
Latitude float64 `protobuf:"fixed64,3,opt,name=latitude,proto3" json:"latitude,omitempty"`
Longitude float64 `protobuf:"fixed64,4,opt,name=longitude,proto3" json:"longitude,omitempty"`
Asn uint64 `protobuf:"varint,5,opt,name=asn,proto3" json:"asn,omitempty"`
Aso string `protobuf:"bytes,6,opt,name=aso,proto3" json:"aso,omitempty"`
CountryCode string `protobuf:"bytes,7,opt,name=countryCode,proto3" json:"countryCode,omitempty"`
Accuracy uint32 `protobuf:"varint,8,opt,name=accuracy,proto3" json:"accuracy,omitempty"`
// contains filtered or unexported fields
}
func (*Geolocation) Descriptor
deprecated
func (*Geolocation) Descriptor() ([]byte, []int)
Deprecated: Use Geolocation.ProtoReflect.Descriptor instead.
func (*Geolocation) GetAccuracy ΒΆ added in v0.4.1
func (x *Geolocation) GetAccuracy() uint32
func (*Geolocation) GetAsn ΒΆ
func (x *Geolocation) GetAsn() uint64
func (*Geolocation) GetAso ΒΆ
func (x *Geolocation) GetAso() string
func (*Geolocation) GetCity ΒΆ
func (x *Geolocation) GetCity() string
func (*Geolocation) GetCountry ΒΆ
func (x *Geolocation) GetCountry() string
func (*Geolocation) GetCountryCode ΒΆ added in v0.4.1
func (x *Geolocation) GetCountryCode() string
func (*Geolocation) GetLatitude ΒΆ
func (x *Geolocation) GetLatitude() float64
func (*Geolocation) GetLongitude ΒΆ
func (x *Geolocation) GetLongitude() float64
func (*Geolocation) ProtoMessage ΒΆ
func (*Geolocation) ProtoMessage()
func (*Geolocation) ProtoReflect ΒΆ
func (x *Geolocation) ProtoReflect() protoreflect.Message
func (*Geolocation) Reset ΒΆ
func (x *Geolocation) Reset()
func (*Geolocation) String ΒΆ
func (x *Geolocation) String() string
type Grok ΒΆ added in v1.0.0
type Grok struct {
Patterns []*Pattern `protobuf:"bytes,1,rep,name=patterns,proto3" json:"patterns,omitempty"`
Source string `protobuf:"bytes,2,opt,name=source,proto3" json:"source,omitempty"`
Where string `protobuf:"bytes,3,opt,name=where,proto3" json:"where,omitempty"`
// contains filtered or unexported fields
}
func (*Grok) Descriptor
deprecated
added in
v1.0.0
func (*Grok) GetPatterns ΒΆ added in v1.0.0
func (*Grok) ProtoMessage ΒΆ added in v1.0.0
func (*Grok) ProtoMessage()
func (*Grok) ProtoReflect ΒΆ added in v1.0.0
func (x *Grok) ProtoReflect() protoreflect.Message
type Impact ΒΆ
type Impact struct {
Confidentiality uint32 `protobuf:"varint,1,opt,name=confidentiality,proto3" json:"confidentiality,omitempty"`
Integrity uint32 `protobuf:"varint,2,opt,name=integrity,proto3" json:"integrity,omitempty"`
Availability uint32 `protobuf:"varint,3,opt,name=availability,proto3" json:"availability,omitempty"`
// contains filtered or unexported fields
}
func (*Impact) Descriptor
deprecated
func (*Impact) GetAvailability ΒΆ
func (*Impact) GetConfidentiality ΒΆ
func (*Impact) GetIntegrity ΒΆ
func (*Impact) ProtoMessage ΒΆ
func (*Impact) ProtoMessage()
func (*Impact) ProtoReflect ΒΆ
func (x *Impact) ProtoReflect() protoreflect.Message
type IntegrationClient ΒΆ added in v0.2.3
type IntegrationClient interface {
ProcessLog(ctx context.Context, opts ...grpc.CallOption) (Integration_ProcessLogClient, error)
}
IntegrationClient is the client API for Integration service.
For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
func NewIntegrationClient ΒΆ added in v0.2.3
func NewIntegrationClient(cc grpc.ClientConnInterface) IntegrationClient
type IntegrationServer ΒΆ added in v0.2.3
type IntegrationServer interface {
ProcessLog(Integration_ProcessLogServer) error
// contains filtered or unexported methods
}
IntegrationServer is the server API for Integration service. All implementations must embed UnimplementedIntegrationServer for forward compatibility
type Integration_ProcessLogClient ΒΆ added in v0.2.3
type Integration_ProcessLogServer ΒΆ added in v0.2.3
type Json ΒΆ added in v1.0.0
type Json struct {
Source string `protobuf:"bytes,1,opt,name=source,proto3" json:"source,omitempty"`
Where string `protobuf:"bytes,2,opt,name=where,proto3" json:"where,omitempty"`
// contains filtered or unexported fields
}
func (*Json) Descriptor
deprecated
added in
v1.0.0
func (*Json) ProtoMessage ΒΆ added in v1.0.0
func (*Json) ProtoMessage()
func (*Json) ProtoReflect ΒΆ added in v1.0.0
func (x *Json) ProtoReflect() protoreflect.Message
type Kv ΒΆ added in v1.0.0
type Kv struct {
FieldSplit string `protobuf:"bytes,1,opt,name=fieldSplit,proto3" json:"fieldSplit,omitempty"`
ValueSplit string `protobuf:"bytes,2,opt,name=valueSplit,proto3" json:"valueSplit,omitempty"`
Source string `protobuf:"bytes,3,opt,name=source,proto3" json:"source,omitempty"`
Where string `protobuf:"bytes,4,opt,name=where,proto3" json:"where,omitempty"`
// contains filtered or unexported fields
}
func (*Kv) Descriptor
deprecated
added in
v1.0.0
func (*Kv) GetFieldSplit ΒΆ added in v1.0.0
func (*Kv) GetValueSplit ΒΆ added in v1.0.0
func (*Kv) ProtoMessage ΒΆ added in v1.0.0
func (*Kv) ProtoMessage()
func (*Kv) ProtoReflect ΒΆ added in v1.0.0
func (x *Kv) ProtoReflect() protoreflect.Message
type Log ΒΆ
type Log struct {
Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
DataType string `protobuf:"bytes,2,opt,name=dataType,proto3" json:"dataType,omitempty"`
DataSource string `protobuf:"bytes,3,opt,name=dataSource,proto3" json:"dataSource,omitempty"`
Timestamp string `protobuf:"bytes,4,opt,name=timestamp,json=@timestamp,proto3" json:"timestamp,omitempty"`
TenantId string `protobuf:"bytes,5,opt,name=tenantId,proto3" json:"tenantId,omitempty"`
Raw string `protobuf:"bytes,6,opt,name=raw,proto3" json:"raw,omitempty"`
// contains filtered or unexported fields
}
func (*Log) Descriptor
deprecated
func (*Log) GetDataSource ΒΆ
func (*Log) GetDataType ΒΆ
func (*Log) GetTenantId ΒΆ
func (*Log) GetTimestamp ΒΆ
func (*Log) ProtoMessage ΒΆ
func (*Log) ProtoMessage()
func (*Log) ProtoReflect ΒΆ
func (x *Log) ProtoReflect() protoreflect.Message
type Message ΒΆ
type Message struct {
Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
Timestamp string `protobuf:"bytes,2,opt,name=timestamp,json=@timestamp,proto3" json:"timestamp,omitempty"`
Topic string `protobuf:"bytes,3,opt,name=topic,proto3" json:"topic,omitempty"`
Message string `protobuf:"bytes,4,opt,name=message,proto3" json:"message,omitempty"`
// contains filtered or unexported fields
}
func (*Message) Descriptor
deprecated
func (*Message) GetMessage ΒΆ
func (*Message) GetTimestamp ΒΆ
func (*Message) ProtoMessage ΒΆ
func (*Message) ProtoMessage()
func (*Message) ProtoReflect ΒΆ
func (x *Message) ProtoReflect() protoreflect.Message
type NotificationClient ΒΆ added in v0.2.5
type NotificationClient interface {
Notify(ctx context.Context, in *Message, opts ...grpc.CallOption) (*emptypb.Empty, error)
}
NotificationClient is the client API for Notification service.
For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
func NewNotificationClient ΒΆ added in v0.2.5
func NewNotificationClient(cc grpc.ClientConnInterface) NotificationClient
type NotificationServer ΒΆ added in v0.2.5
type NotificationServer interface {
Notify(context.Context, *Message) (*emptypb.Empty, error)
// contains filtered or unexported methods
}
NotificationServer is the server API for Notification service. All implementations must embed UnimplementedNotificationServer for forward compatibility
type OutputClient ΒΆ added in v1.0.0
type OutputClient interface {
EventOutput(ctx context.Context, in *Event, opts ...grpc.CallOption) (*emptypb.Empty, error)
AlertOutput(ctx context.Context, in *Alert, opts ...grpc.CallOption) (*emptypb.Empty, error)
}
OutputClient is the client API for Output service.
For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
func NewOutputClient ΒΆ added in v1.0.0
func NewOutputClient(cc grpc.ClientConnInterface) OutputClient
type OutputServer ΒΆ added in v1.0.0
type OutputServer interface {
EventOutput(context.Context, *Event) (*emptypb.Empty, error)
AlertOutput(context.Context, *Alert) (*emptypb.Empty, error)
// contains filtered or unexported methods
}
OutputServer is the server API for Output service. All implementations must embed UnimplementedOutputServer for forward compatibility
type ParsingClient ΒΆ added in v0.2.5
type ParsingClient interface {
ParseLog(ctx context.Context, in *Transform, opts ...grpc.CallOption) (*Draft, error)
}
ParsingClient is the client API for Parsing service.
For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
func NewParsingClient ΒΆ added in v0.2.5
func NewParsingClient(cc grpc.ClientConnInterface) ParsingClient
type ParsingServer ΒΆ added in v0.2.5
type ParsingServer interface {
ParseLog(context.Context, *Transform) (*Draft, error)
// contains filtered or unexported methods
}
ParsingServer is the server API for Parsing service. All implementations must embed UnimplementedParsingServer for forward compatibility
type Pattern ΒΆ added in v1.0.0
type Pattern struct {
FieldName string `protobuf:"bytes,1,opt,name=fieldName,proto3" json:"fieldName,omitempty"`
Pattern string `protobuf:"bytes,2,opt,name=pattern,proto3" json:"pattern,omitempty"`
// contains filtered or unexported fields
}
func (*Pattern) Descriptor
deprecated
added in
v1.0.0
func (*Pattern) GetFieldName ΒΆ added in v1.0.0
func (*Pattern) GetPattern ΒΆ added in v1.0.0
func (*Pattern) ProtoMessage ΒΆ added in v1.0.0
func (*Pattern) ProtoMessage()
func (*Pattern) ProtoReflect ΒΆ added in v1.0.0
func (x *Pattern) ProtoReflect() protoreflect.Message
type Pipeline ΒΆ added in v1.0.0
type Pipeline struct {
DataTypes []string `protobuf:"bytes,1,rep,name=dataTypes,proto3" json:"dataTypes,omitempty"`
Steps []*Step `protobuf:"bytes,2,rep,name=steps,proto3" json:"steps,omitempty"`
// contains filtered or unexported fields
}
func (*Pipeline) Descriptor
deprecated
added in
v1.0.0
func (*Pipeline) GetDataTypes ΒΆ added in v1.0.0
func (*Pipeline) ProtoMessage ΒΆ added in v1.0.0
func (*Pipeline) ProtoMessage()
func (*Pipeline) ProtoReflect ΒΆ added in v1.0.0
func (x *Pipeline) ProtoReflect() protoreflect.Message
type Pool ΒΆ added in v1.1.0
type Pool[T any] struct { // contains filtered or unexported fields }
Pool is a generic object pool
type Reformat ΒΆ added in v1.0.0
type Reformat struct {
Fields []string `protobuf:"bytes,1,rep,name=fields,proto3" json:"fields,omitempty"`
Function string `protobuf:"bytes,2,opt,name=function,proto3" json:"function,omitempty"`
FromFormat string `protobuf:"bytes,3,opt,name=fromFormat,proto3" json:"fromFormat,omitempty"`
ToFormat string `protobuf:"bytes,4,opt,name=toFormat,proto3" json:"toFormat,omitempty"`
Where string `protobuf:"bytes,5,opt,name=where,proto3" json:"where,omitempty"`
// contains filtered or unexported fields
}
func (*Reformat) Descriptor
deprecated
added in
v1.0.0
func (*Reformat) GetFromFormat ΒΆ added in v1.0.0
func (*Reformat) GetFunction ΒΆ added in v1.0.0
func (*Reformat) GetToFormat ΒΆ added in v1.0.0
func (*Reformat) ProtoMessage ΒΆ added in v1.0.0
func (*Reformat) ProtoMessage()
func (*Reformat) ProtoReflect ΒΆ added in v1.0.0
func (x *Reformat) ProtoReflect() protoreflect.Message
type RegexpCache ΒΆ added in v1.1.0
type RegexpCache struct {
// contains filtered or unexported fields
}
RegexpCache provides a thread-safe cache for compiled regular expressions. It supports pattern expansion using templates defined in the configuration.
func (*RegexpCache) Get ΒΆ added in v1.1.0
func (c *RegexpCache) Get(pattern string) (*regexp.Regexp, error)
Get retrieves a compiled regular expression from the cache. If the pattern is not cached, it is compiled and added to the cache. Patterns containing "{{ ... }}" markers are expanded using global patterns from configuration.
type Rename ΒΆ added in v1.0.0
type Rename struct {
To string `protobuf:"bytes,1,opt,name=to,proto3" json:"to,omitempty"`
From []string `protobuf:"bytes,2,rep,name=from,proto3" json:"from,omitempty"`
Where string `protobuf:"bytes,3,opt,name=where,proto3" json:"where,omitempty"`
// contains filtered or unexported fields
}
func (*Rename) Descriptor
deprecated
added in
v1.0.0
func (*Rename) ProtoMessage ΒΆ added in v1.0.0
func (*Rename) ProtoMessage()
func (*Rename) ProtoReflect ΒΆ added in v1.0.0
func (x *Rename) ProtoReflect() protoreflect.Message
type Rule ΒΆ added in v1.1.6
type Rule struct {
Id uint64 `protobuf:"varint,1,opt,name=id,proto3" json:"id,omitempty"`
Name string `protobuf:"bytes,2,opt,name=name,proto3" json:"name,omitempty"`
Description string `protobuf:"bytes,3,opt,name=description,proto3" json:"description,omitempty"`
Category string `protobuf:"bytes,4,opt,name=category,proto3" json:"category,omitempty"`
Technique string `protobuf:"bytes,5,opt,name=technique,proto3" json:"technique,omitempty"`
References []string `protobuf:"bytes,6,rep,name=references,proto3" json:"references,omitempty"`
DataTypes []string `protobuf:"bytes,7,rep,name=dataTypes,proto3" json:"dataTypes,omitempty"`
Adversary string `protobuf:"bytes,8,opt,name=adversary,proto3" json:"adversary,omitempty"`
Impact *Impact `protobuf:"bytes,9,opt,name=impact,proto3" json:"impact,omitempty"`
Where string `protobuf:"bytes,10,opt,name=where,proto3" json:"where,omitempty"`
AfterEvents []*SearchRequest `protobuf:"bytes,11,rep,name=afterEvents,proto3" json:"afterEvents,omitempty"`
DeduplicateBy []string `protobuf:"bytes,12,rep,name=deduplicateBy,proto3" json:"deduplicateBy,omitempty"`
GroupBy []string `protobuf:"bytes,13,rep,name=groupBy,proto3" json:"groupBy,omitempty"`
Correlation []*SearchRequest `protobuf:"bytes,14,rep,name=correlation,proto3" json:"correlation,omitempty"`
// contains filtered or unexported fields
}
func (*Rule) Descriptor
deprecated
added in
v1.1.6
func (*Rule) GetAdversary ΒΆ added in v1.1.6
func (*Rule) GetAfterEvents ΒΆ added in v1.1.6
func (x *Rule) GetAfterEvents() []*SearchRequest
func (*Rule) GetCategory ΒΆ added in v1.1.6
func (*Rule) GetCorrelation ΒΆ added in v1.1.6
func (x *Rule) GetCorrelation() []*SearchRequest
func (*Rule) GetDataTypes ΒΆ added in v1.1.6
func (*Rule) GetDeduplicateBy ΒΆ added in v1.1.6
func (*Rule) GetDescription ΒΆ added in v1.1.6
func (*Rule) GetGroupBy ΒΆ added in v1.1.6
func (*Rule) GetReferences ΒΆ added in v1.1.6
func (*Rule) GetTechnique ΒΆ added in v1.1.6
func (*Rule) Normalize ΒΆ added in v1.1.6
func (r *Rule) Normalize()
Normalize ensures that the newest fields are populated even if old aliases were used This is now a method on the generated Rule struct from plugins.pb.go
func (*Rule) ProtoMessage ΒΆ added in v1.1.6
func (*Rule) ProtoMessage()
func (*Rule) ProtoReflect ΒΆ added in v1.1.6
func (x *Rule) ProtoReflect() protoreflect.Message
type SearchRequest ΒΆ added in v1.1.6
type SearchRequest struct {
IndexPattern string `protobuf:"bytes,1,opt,name=indexPattern,proto3" json:"indexPattern,omitempty"`
With []*Expression `protobuf:"bytes,2,rep,name=with,proto3" json:"with,omitempty"`
Or []*SearchRequest `protobuf:"bytes,3,rep,name=or,proto3" json:"or,omitempty"`
Within string `protobuf:"bytes,4,opt,name=within,proto3" json:"within,omitempty"`
Count uint64 `protobuf:"varint,5,opt,name=count,proto3" json:"count,omitempty"`
// contains filtered or unexported fields
}
func (*SearchRequest) Descriptor
deprecated
added in
v1.1.6
func (*SearchRequest) Descriptor() ([]byte, []int)
Deprecated: Use SearchRequest.ProtoReflect.Descriptor instead.
func (*SearchRequest) Execute ΒΆ added in v1.1.6
Execute performs the correlation search using the provided context and previous event data
func (*SearchRequest) GetCount ΒΆ added in v1.1.6
func (x *SearchRequest) GetCount() uint64
func (*SearchRequest) GetIndexPattern ΒΆ added in v1.1.6
func (x *SearchRequest) GetIndexPattern() string
func (*SearchRequest) GetOr ΒΆ added in v1.1.6
func (x *SearchRequest) GetOr() []*SearchRequest
func (*SearchRequest) GetWith ΒΆ added in v1.1.6
func (x *SearchRequest) GetWith() []*Expression
func (*SearchRequest) GetWithin ΒΆ added in v1.1.6
func (x *SearchRequest) GetWithin() string
func (*SearchRequest) ProtoMessage ΒΆ added in v1.1.6
func (*SearchRequest) ProtoMessage()
func (*SearchRequest) ProtoReflect ΒΆ added in v1.1.6
func (x *SearchRequest) ProtoReflect() protoreflect.Message
func (*SearchRequest) Reset ΒΆ added in v1.1.6
func (x *SearchRequest) Reset()
func (*SearchRequest) String ΒΆ added in v1.1.6
func (x *SearchRequest) String() string
type Side ΒΆ
type Side struct {
// Network traffic attributes
BytesSent float64 `protobuf:"fixed64,1,opt,name=bytesSent,proto3" json:"bytesSent,omitempty"`
BytesReceived float64 `protobuf:"fixed64,2,opt,name=bytesReceived,proto3" json:"bytesReceived,omitempty"`
PackagesSent uint64 `protobuf:"varint,3,opt,name=packagesSent,proto3" json:"packagesSent,omitempty"`
PackagesReceived uint64 `protobuf:"varint,4,opt,name=packagesReceived,proto3" json:"packagesReceived,omitempty"`
// Network identification attributes
Ip string `protobuf:"bytes,5,opt,name=ip,proto3" json:"ip,omitempty"`
Host string `protobuf:"bytes,6,opt,name=host,proto3" json:"host,omitempty"`
User string `protobuf:"bytes,7,opt,name=user,proto3" json:"user,omitempty"`
Group string `protobuf:"bytes,8,opt,name=group,proto3" json:"group,omitempty"`
Port uint32 `protobuf:"varint,9,opt,name=port,proto3" json:"port,omitempty"`
Domain string `protobuf:"bytes,10,opt,name=domain,proto3" json:"domain,omitempty"`
Mac string `protobuf:"bytes,11,opt,name=mac,proto3" json:"mac,omitempty"`
Geolocation *Geolocation `protobuf:"bytes,12,opt,name=geolocation,proto3" json:"geolocation,omitempty"`
Url string `protobuf:"bytes,13,opt,name=url,proto3" json:"url,omitempty"`
Cidr string `protobuf:"bytes,14,opt,name=cidr,proto3" json:"cidr,omitempty"`
// Certificate and fingerprint attributes
CertificateFingerprint string `protobuf:"bytes,15,opt,name=certificateFingerprint,proto3" json:"certificateFingerprint,omitempty"`
Ja3Fingerprint string `protobuf:"bytes,16,opt,name=ja3Fingerprint,proto3" json:"ja3Fingerprint,omitempty"`
JarmFingerprint string `protobuf:"bytes,17,opt,name=jarmFingerprint,proto3" json:"jarmFingerprint,omitempty"`
SshBanner string `protobuf:"bytes,18,opt,name=sshBanner,proto3" json:"sshBanner,omitempty"`
SshFingerprint string `protobuf:"bytes,19,opt,name=sshFingerprint,proto3" json:"sshFingerprint,omitempty"`
// Web attributes
Cookie string `protobuf:"bytes,20,opt,name=cookie,proto3" json:"cookie,omitempty"`
JabberId string `protobuf:"bytes,21,opt,name=jabberId,proto3" json:"jabberId,omitempty"`
// Email attributes
Email string `protobuf:"bytes,22,opt,name=email,proto3" json:"email,omitempty"`
Dkim string `protobuf:"bytes,23,opt,name=dkim,proto3" json:"dkim,omitempty"`
DkimSignature string `protobuf:"bytes,24,opt,name=dkimSignature,proto3" json:"dkimSignature,omitempty"`
EmailAddress string `protobuf:"bytes,25,opt,name=emailAddress,proto3" json:"emailAddress,omitempty"`
EmailBody string `protobuf:"bytes,26,opt,name=emailBody,proto3" json:"emailBody,omitempty"`
EmailDisplayName string `protobuf:"bytes,27,opt,name=emailDisplayName,proto3" json:"emailDisplayName,omitempty"`
EmailSubject string `protobuf:"bytes,28,opt,name=emailSubject,proto3" json:"emailSubject,omitempty"`
EmailThreadIndex string `protobuf:"bytes,29,opt,name=emailThreadIndex,proto3" json:"emailThreadIndex,omitempty"`
EmailXMailer string `protobuf:"bytes,30,opt,name=emailXMailer,proto3" json:"emailXMailer,omitempty"`
// WHOIS attributes
WhoisRegistrant string `protobuf:"bytes,31,opt,name=whoisRegistrant,proto3" json:"whoisRegistrant,omitempty"`
WhoisRegistrar string `protobuf:"bytes,32,opt,name=whoisRegistrar,proto3" json:"whoisRegistrar,omitempty"`
// Process-related attributes
Process string `protobuf:"bytes,33,opt,name=process,proto3" json:"process,omitempty"`
ProcessState string `protobuf:"bytes,34,opt,name=processState,proto3" json:"processState,omitempty"`
Command string `protobuf:"bytes,35,opt,name=command,proto3" json:"command,omitempty"`
WindowsScheduledTask string `protobuf:"bytes,36,opt,name=windowsScheduledTask,proto3" json:"windowsScheduledTask,omitempty"`
WindowsServiceDisplayName string `protobuf:"bytes,37,opt,name=windowsServiceDisplayName,proto3" json:"windowsServiceDisplayName,omitempty"`
WindowsServiceName string `protobuf:"bytes,38,opt,name=windowsServiceName,proto3" json:"windowsServiceName,omitempty"`
// File-related attributes
File string `protobuf:"bytes,39,opt,name=file,proto3" json:"file,omitempty"`
Path string `protobuf:"bytes,40,opt,name=path,proto3" json:"path,omitempty"`
Filename string `protobuf:"bytes,41,opt,name=filename,proto3" json:"filename,omitempty"`
SizeInBytes string `protobuf:"bytes,42,opt,name=sizeInBytes,proto3" json:"sizeInBytes,omitempty"`
MimeType string `protobuf:"bytes,43,opt,name=mimeType,proto3" json:"mimeType,omitempty"`
// Hash-related attributes
Hash string `protobuf:"bytes,44,opt,name=hash,proto3" json:"hash,omitempty"`
Authentihash string `protobuf:"bytes,45,opt,name=authentihash,proto3" json:"authentihash,omitempty"`
Cdhash string `protobuf:"bytes,46,opt,name=cdhash,proto3" json:"cdhash,omitempty"`
Md5 string `protobuf:"bytes,47,opt,name=md5,proto3" json:"md5,omitempty"`
Sha1 string `protobuf:"bytes,48,opt,name=sha1,proto3" json:"sha1,omitempty"`
Sha224 string `protobuf:"bytes,49,opt,name=sha224,proto3" json:"sha224,omitempty"`
Sha256 string `protobuf:"bytes,50,opt,name=sha256,proto3" json:"sha256,omitempty"`
Sha384 string `protobuf:"bytes,51,opt,name=sha384,proto3" json:"sha384,omitempty"`
Sha3224 string `protobuf:"bytes,52,opt,name=sha3224,proto3" json:"sha3224,omitempty"`
Sha3256 string `protobuf:"bytes,53,opt,name=sha3256,proto3" json:"sha3256,omitempty"`
Sha3384 string `protobuf:"bytes,54,opt,name=sha3384,proto3" json:"sha3384,omitempty"`
Sha3512 string `protobuf:"bytes,55,opt,name=sha3512,proto3" json:"sha3512,omitempty"`
Sha512 string `protobuf:"bytes,56,opt,name=sha512,proto3" json:"sha512,omitempty"`
Sha512224 string `protobuf:"bytes,57,opt,name=sha512224,proto3" json:"sha512224,omitempty"`
Sha512256 string `protobuf:"bytes,58,opt,name=sha512256,proto3" json:"sha512256,omitempty"`
Hex string `protobuf:"bytes,59,opt,name=hex,proto3" json:"hex,omitempty"`
Base64 string `protobuf:"bytes,60,opt,name=base64,proto3" json:"base64,omitempty"`
// System-related attributes
OperatingSystem string `protobuf:"bytes,61,opt,name=operatingSystem,proto3" json:"operatingSystem,omitempty"`
ChromeExtension string `protobuf:"bytes,62,opt,name=chromeExtension,proto3" json:"chromeExtension,omitempty"`
MobileAppId string `protobuf:"bytes,63,opt,name=mobileAppId,proto3" json:"mobileAppId,omitempty"`
// Vulnerability-related attributes
Cpe string `protobuf:"bytes,64,opt,name=cpe,proto3" json:"cpe,omitempty"`
Cve string `protobuf:"bytes,65,opt,name=cve,proto3" json:"cve,omitempty"`
// Malware-related attributes
Malware string `protobuf:"bytes,66,opt,name=malware,proto3" json:"malware,omitempty"`
MalwareFamily string `protobuf:"bytes,67,opt,name=malwareFamily,proto3" json:"malwareFamily,omitempty"`
MalwareType string `protobuf:"bytes,68,opt,name=malwareType,proto3" json:"malwareType,omitempty"`
// Key-related attributes
PgpPrivateKey string `protobuf:"bytes,69,opt,name=pgpPrivateKey,proto3" json:"pgpPrivateKey,omitempty"`
PgpPublicKey string `protobuf:"bytes,70,opt,name=pgpPublicKey,proto3" json:"pgpPublicKey,omitempty"`
// Resources attributes
Connections uint64 `protobuf:"varint,71,opt,name=connections,proto3" json:"connections,omitempty"`
UsedCpuPercent uint32 `protobuf:"varint,72,opt,name=usedCpuPercent,proto3" json:"usedCpuPercent,omitempty"`
UsedMemPercent uint32 `protobuf:"varint,73,opt,name=usedMemPercent,proto3" json:"usedMemPercent,omitempty"`
TotalCpuUnits uint32 `protobuf:"varint,74,opt,name=totalCpuUnits,proto3" json:"totalCpuUnits,omitempty"`
TotalMem uint64 `protobuf:"varint,75,opt,name=totalMem,proto3" json:"totalMem,omitempty"`
Disks []*DiskInfo `protobuf:"bytes,76,rep,name=disks,proto3" json:"disks,omitempty"`
// contains filtered or unexported fields
}
func (*Side) Descriptor
deprecated
func (*Side) GetAuthentihash ΒΆ added in v1.0.36
func (*Side) GetBytesReceived ΒΆ
func (*Side) GetBytesSent ΒΆ
func (*Side) GetCertificateFingerprint ΒΆ added in v1.0.36
func (*Side) GetChromeExtension ΒΆ added in v1.0.36
func (*Side) GetCommand ΒΆ
func (*Side) GetConnections ΒΆ
func (*Side) GetDkimSignature ΒΆ added in v1.0.36
func (*Side) GetEmailAddress ΒΆ added in v1.0.36
func (*Side) GetEmailBody ΒΆ added in v1.0.36
func (*Side) GetEmailDisplayName ΒΆ added in v1.0.36
func (*Side) GetEmailSubject ΒΆ added in v1.0.36
func (*Side) GetEmailThreadIndex ΒΆ added in v1.0.36
func (*Side) GetEmailXMailer ΒΆ added in v1.0.36
func (*Side) GetFilename ΒΆ added in v1.0.36
func (*Side) GetGeolocation ΒΆ added in v0.4.7
func (x *Side) GetGeolocation() *Geolocation
func (*Side) GetJa3Fingerprint ΒΆ added in v1.0.36
func (*Side) GetJabberId ΒΆ added in v1.0.36
func (*Side) GetJarmFingerprint ΒΆ added in v1.0.36
func (*Side) GetMalware ΒΆ added in v1.0.36
func (*Side) GetMalwareFamily ΒΆ added in v1.0.36
func (*Side) GetMalwareType ΒΆ added in v1.0.36
func (*Side) GetMimeType ΒΆ added in v1.0.36
func (*Side) GetMobileAppId ΒΆ added in v1.0.36
func (*Side) GetOperatingSystem ΒΆ added in v1.0.36
func (*Side) GetPackagesReceived ΒΆ
func (*Side) GetPackagesSent ΒΆ
func (*Side) GetPgpPrivateKey ΒΆ added in v1.0.36
func (*Side) GetPgpPublicKey ΒΆ added in v1.0.36
func (*Side) GetProcess ΒΆ
func (*Side) GetProcessState ΒΆ added in v1.0.36
func (*Side) GetSha3224 ΒΆ added in v1.0.36
func (*Side) GetSha3256 ΒΆ added in v1.0.36
func (*Side) GetSha3384 ΒΆ added in v1.0.36
func (*Side) GetSha3512 ΒΆ added in v1.0.36
func (*Side) GetSha512224 ΒΆ added in v1.0.36
func (*Side) GetSha512256 ΒΆ added in v1.0.36
func (*Side) GetSizeInBytes ΒΆ added in v1.0.36
func (*Side) GetSshBanner ΒΆ added in v1.0.36
func (*Side) GetSshFingerprint ΒΆ added in v1.0.36
func (*Side) GetTotalCpuUnits ΒΆ added in v1.0.0
func (*Side) GetTotalMem ΒΆ added in v1.0.0
func (*Side) GetUsedCpuPercent ΒΆ
func (*Side) GetUsedMemPercent ΒΆ
func (*Side) GetWhoisRegistrant ΒΆ added in v1.0.36
func (*Side) GetWhoisRegistrar ΒΆ added in v1.0.36
func (*Side) GetWindowsScheduledTask ΒΆ added in v1.0.36
func (*Side) GetWindowsServiceDisplayName ΒΆ added in v1.0.36
func (*Side) GetWindowsServiceName ΒΆ added in v1.0.36
func (*Side) ProtoMessage ΒΆ
func (*Side) ProtoMessage()
func (*Side) ProtoReflect ΒΆ
func (x *Side) ProtoReflect() protoreflect.Message
type SocketType ΒΆ added in v1.0.36
type SocketType string
const ( // NotificationSocket identifies Notification plugins sockets: <name>_notification.sock NotificationSocket SocketType = "notification" // AnalysisSocket identifies Analysis plugins sockets: <name>_analysis.sock AnalysisSocket SocketType = "analysis" // CorrelationSocket identifies Correlation plugins sockets: <name>_correlation.sock CorrelationSocket SocketType = "correlation" )
func (*SocketType) String ΒΆ added in v1.0.36
func (t *SocketType) String() string
String returns the string representation of the SocketType.
type Step ΒΆ added in v1.0.0
type Step struct {
Kv *Kv `protobuf:"bytes,1,opt,name=kv,proto3" json:"kv,omitempty"`
Grok *Grok `protobuf:"bytes,2,opt,name=grok,proto3" json:"grok,omitempty"`
Trim *Trim `protobuf:"bytes,3,opt,name=trim,proto3" json:"trim,omitempty"`
Json *Json `protobuf:"bytes,4,opt,name=json,proto3" json:"json,omitempty"`
Csv *Csv `protobuf:"bytes,5,opt,name=csv,proto3" json:"csv,omitempty"`
Rename *Rename `protobuf:"bytes,6,opt,name=rename,proto3" json:"rename,omitempty"`
Cast *Cast `protobuf:"bytes,7,opt,name=cast,proto3" json:"cast,omitempty"`
Reformat *Reformat `protobuf:"bytes,8,opt,name=reformat,proto3" json:"reformat,omitempty"`
Delete *Delete `protobuf:"bytes,9,opt,name=delete,proto3" json:"delete,omitempty"`
Drop *Drop `protobuf:"bytes,10,opt,name=drop,proto3" json:"drop,omitempty"`
Add *Add `protobuf:"bytes,11,opt,name=add,proto3" json:"add,omitempty"`
Dynamic *Dynamic `protobuf:"bytes,12,opt,name=dynamic,proto3" json:"dynamic,omitempty"`
// contains filtered or unexported fields
}
func (*Step) Descriptor
deprecated
added in
v1.0.0
func (*Step) GetDynamic ΒΆ added in v1.0.0
func (*Step) GetReformat ΒΆ added in v1.0.0
func (*Step) ProtoMessage ΒΆ added in v1.0.0
func (*Step) ProtoMessage()
func (*Step) ProtoReflect ΒΆ added in v1.0.0
func (x *Step) ProtoReflect() protoreflect.Message
type Tenant ΒΆ added in v1.0.0
type Tenant struct {
Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
Id string `protobuf:"bytes,2,opt,name=id,proto3" json:"id,omitempty"`
Assets []*Asset `protobuf:"bytes,3,rep,name=assets,proto3" json:"assets,omitempty"`
DisabledRules []uint64 `protobuf:"varint,4,rep,packed,name=disabledRules,proto3" json:"disabledRules,omitempty"`
// contains filtered or unexported fields
}
func (*Tenant) Descriptor
deprecated
added in
v1.0.0
func (*Tenant) GetDisabledRules ΒΆ added in v1.0.0
func (*Tenant) ProtoMessage ΒΆ added in v1.0.0
func (*Tenant) ProtoMessage()
func (*Tenant) ProtoReflect ΒΆ added in v1.0.0
func (x *Tenant) ProtoReflect() protoreflect.Message
type Topic ΒΆ added in v1.0.0
type Topic string
Topic represents a notification topic identifier.
const ( // TopicEnqueueSuccess identifies notifications for successful event enqueuing. TopicEnqueueSuccess Topic = "enqueue_success" // TopicParsingDropped identifies notifications for events dropped during parsing. TopicParsingDropped Topic = "parsing_dropped" // TopicAnalysisDropped identifies notifications for events dropped during analysis. TopicAnalysisDropped Topic = "analysis_dropped" // TopicCorrelationDropped identifies notifications for events dropped during correlation. TopicCorrelationDropped Topic = "correlation_dropped" )
type Transform ΒΆ added in v1.0.0
type Transform struct {
Draft *Draft `protobuf:"bytes,1,opt,name=draft,proto3" json:"draft,omitempty"`
Step *Step `protobuf:"bytes,2,opt,name=step,proto3" json:"step,omitempty"`
// contains filtered or unexported fields
}
func (*Transform) Descriptor
deprecated
added in
v1.0.0
func (*Transform) ProtoMessage ΒΆ added in v1.0.0
func (*Transform) ProtoMessage()
func (*Transform) ProtoReflect ΒΆ added in v1.0.0
func (x *Transform) ProtoReflect() protoreflect.Message
type Trim ΒΆ added in v1.0.0
type Trim struct {
Function string `protobuf:"bytes,1,opt,name=function,proto3" json:"function,omitempty"`
Substring string `protobuf:"bytes,2,opt,name=substring,proto3" json:"substring,omitempty"`
Fields []string `protobuf:"bytes,3,rep,name=fields,proto3" json:"fields,omitempty"`
Where string `protobuf:"bytes,4,opt,name=where,proto3" json:"where,omitempty"`
// contains filtered or unexported fields
}
func (*Trim) Descriptor
deprecated
added in
v1.0.0
func (*Trim) GetFunction ΒΆ added in v1.0.0
func (*Trim) GetSubstring ΒΆ added in v1.0.0
func (*Trim) ProtoMessage ΒΆ added in v1.0.0
func (*Trim) ProtoMessage()
func (*Trim) ProtoReflect ΒΆ added in v1.0.0
func (x *Trim) ProtoReflect() protoreflect.Message
type UnimplementedAnalysisServer ΒΆ added in v0.2.5
type UnimplementedAnalysisServer struct {
}
UnimplementedAnalysisServer must be embedded to have forward compatible implementations.
func (UnimplementedAnalysisServer) Analyze ΒΆ added in v0.2.5
func (UnimplementedAnalysisServer) Analyze(*Event, Analysis_AnalyzeServer) error
type UnimplementedCorrelationServer ΒΆ added in v0.2.5
type UnimplementedCorrelationServer struct {
}
UnimplementedCorrelationServer must be embedded to have forward compatible implementations.
type UnimplementedEngineServer ΒΆ added in v0.2.5
type UnimplementedEngineServer struct {
}
UnimplementedEngineServer must be embedded to have forward compatible implementations.
func (UnimplementedEngineServer) Input ΒΆ added in v0.2.5
func (UnimplementedEngineServer) Input(Engine_InputServer) error
func (UnimplementedEngineServer) Notify ΒΆ added in v0.2.5
func (UnimplementedEngineServer) Notify(Engine_NotifyServer) error
type UnimplementedIntegrationServer ΒΆ added in v0.2.3
type UnimplementedIntegrationServer struct {
}
UnimplementedIntegrationServer must be embedded to have forward compatible implementations.
func (UnimplementedIntegrationServer) ProcessLog ΒΆ added in v0.2.3
func (UnimplementedIntegrationServer) ProcessLog(Integration_ProcessLogServer) error
type UnimplementedNotificationServer ΒΆ added in v0.2.5
type UnimplementedNotificationServer struct {
}
UnimplementedNotificationServer must be embedded to have forward compatible implementations.
type UnimplementedOutputServer ΒΆ added in v1.0.0
type UnimplementedOutputServer struct {
}
UnimplementedOutputServer must be embedded to have forward compatible implementations.
func (UnimplementedOutputServer) AlertOutput ΒΆ added in v1.0.0
func (UnimplementedOutputServer) EventOutput ΒΆ added in v1.0.0
type UnimplementedParsingServer ΒΆ added in v0.2.5
type UnimplementedParsingServer struct {
}
UnimplementedParsingServer must be embedded to have forward compatible implementations.
type UnsafeAnalysisServer ΒΆ added in v0.2.5
type UnsafeAnalysisServer interface {
// contains filtered or unexported methods
}
UnsafeAnalysisServer may be embedded to opt out of forward compatibility for this service. Use of this interface is not recommended, as added methods to AnalysisServer will result in compilation errors.
type UnsafeCorrelationServer ΒΆ added in v0.2.5
type UnsafeCorrelationServer interface {
// contains filtered or unexported methods
}
UnsafeCorrelationServer may be embedded to opt out of forward compatibility for this service. Use of this interface is not recommended, as added methods to CorrelationServer will result in compilation errors.
type UnsafeEngineServer ΒΆ added in v0.2.5
type UnsafeEngineServer interface {
// contains filtered or unexported methods
}
UnsafeEngineServer may be embedded to opt out of forward compatibility for this service. Use of this interface is not recommended, as added methods to EngineServer will result in compilation errors.
type UnsafeIntegrationServer ΒΆ added in v0.2.3
type UnsafeIntegrationServer interface {
// contains filtered or unexported methods
}
UnsafeIntegrationServer may be embedded to opt out of forward compatibility for this service. Use of this interface is not recommended, as added methods to IntegrationServer will result in compilation errors.
type UnsafeNotificationServer ΒΆ added in v0.2.5
type UnsafeNotificationServer interface {
// contains filtered or unexported methods
}
UnsafeNotificationServer may be embedded to opt out of forward compatibility for this service. Use of this interface is not recommended, as added methods to NotificationServer will result in compilation errors.
type UnsafeOutputServer ΒΆ added in v1.0.0
type UnsafeOutputServer interface {
// contains filtered or unexported methods
}
UnsafeOutputServer may be embedded to opt out of forward compatibility for this service. Use of this interface is not recommended, as added methods to OutputServer will result in compilation errors.
type UnsafeParsingServer ΒΆ added in v0.2.5
type UnsafeParsingServer interface {
// contains filtered or unexported methods
}
UnsafeParsingServer may be embedded to opt out of forward compatibility for this service. Use of this interface is not recommended, as added methods to ParsingServer will result in compilation errors.
type Value_BoolValue ΒΆ
type Value_BoolValue = structpb.Value_BoolValue
type Value_ListValue ΒΆ
type Value_ListValue = structpb.Value_ListValue
type Value_NullValue ΒΆ
type Value_NullValue = structpb.Value_NullValue
type Value_NumberValue ΒΆ
type Value_NumberValue = structpb.Value_NumberValue
type Value_StringValue ΒΆ
type Value_StringValue = structpb.Value_StringValue
type Value_StructValue ΒΆ
type Value_StructValue = structpb.Value_StructValue
type Variable ΒΆ added in v1.0.0
type Variable struct {
Get string `protobuf:"bytes,1,opt,name=get,proto3" json:"get,omitempty"`
As string `protobuf:"bytes,2,opt,name=as,proto3" json:"as,omitempty"`
OfType string `protobuf:"bytes,3,opt,name=ofType,proto3" json:"ofType,omitempty"`
// contains filtered or unexported fields
}
func (*Variable) Descriptor
deprecated
added in
v1.0.0
func (*Variable) ProtoMessage ΒΆ added in v1.0.0
func (*Variable) ProtoMessage()
func (*Variable) ProtoReflect ΒΆ added in v1.0.0
func (x *Variable) ProtoReflect() protoreflect.Message
Source Files
Click to show internal directories.
Click to hide internal directories.